U.S. Patent No. 10,462,114

KODiAC Cloud Services and Patented Cryptographic Offloading Methodology

In October 2019, Definitive Data Security, Inc. was granted its second U.S. Patent, entitled: System and associated software for providing advanced data protections in a defense-in-depth system by integrating multi-factor authentication with cryptographic offloading.

In 2014, we embarked on a path to help companies regain control of their networks and data after learning of a data breach (most often through notification by the FBI). This required a long-term vision and commitment that resulted in years of engineering to deliver the data protection, response, and recovery services we have today.

After overcoming a variety of challenges, we are proud that our system has been recognized by many as the most comprehensive set of host data protections available.

And though some have claimed to be the original innovators in these areas, and still others have complimented us with variations on our basic theme, we maintain trade secrets that some said were impossible, and that so far no one else has been able to replicate. These form the essence of our Unified Data Management system, which delivers protections that are as effective as they are easy to deploy, administer, and use.

Service Platform with Cloud Cryptographic Offloading

To realize our vision, we knew we’d have to invest in a platform of unified services. With the emergence of cloud computing and expanding presence of high-speed Internet access, we chose to combine cloud services with what’s known as cryptographic offloading (isolation).

Cryptographic Offloading moves sensitive cryptographic operations into isolated, protected, purpose-built environments so that outside influences can neither affect them nor reach their internal resources, such as decryption keys. In general, processes submit requests to these subsystems and get back a response; the details are encapsulated and hidden from the outside (completely, in all cases, by design and in theory).

Shortcomings of Cryptographic Offloading

There are myriad challenges in building a practical offloading solution, but two specific and critical problems with secure elements (as such components are more generally called). First, they are resource-limited, a consequence of cost. By using the cloud instead of a crypto chip, resource limitations disappear. That leaves the problem of performance, though with the growing availability of high-speed access and some ingenuity, those problems were relatively easy to solve.

More importantly, offloading is directly susceptible to Impersonation. An Impersonation Attack seeks to assume the Identity of an authorized resource in order to carry out privileged operations. This can be achieved in a variety of ways, most directly by stealing credentials.

No matter how Impersonation succeeds, it does so largely because time is on the attacker’s side. History has shown that an attacker can penetrate a network and maintain a presence for weeks, months, or even years without being detected. Sooner or later, even in the most highly protected systems, reality gives way to error. Whether through temporary misconfiguration, coverage gaps introduced by change, or plain human error, an attacker will almost always find a way to exploit system services and gain access to privileged credentials.

NOTE: Our practical goals for delivering “protection” combine limiting exposure when resources are compromised with reducing the inefficiencies of traditional Response and Recovery operations. These goals motivate the capabilities of the integrated products and services outlined below.

MFA to Inhibit Impersonation

The most practical, widely accepted, and proper answer to Impersonation is multi-factor (or two-factor) authentication. This requires an authorized User to provide a second method of authenticating his or her Identity, usually with a physical token or an external device (such as a phone, though we recommend against software-based codes managed by mobile applications, even in the patent text, because they are susceptible to bypass). The most effective second-factor techniques require physical presence; in our case this is addressed in practice with a USB token that houses a touch sensor used to generate credentials.

The details are of course extensive, and there are many ways to get this wrong, which is important to remember when evaluating solutions. Nonetheless, we knew we’d have to integrate MFA directly into our offloading protocols, and in doing so we’d have the foundation we wanted for our original goal: provide an effective solution that’s easy to deploy, administer, and use. By making a second factor a fundamental aspect of our offloading solution, we had all the pieces necessary to build the integrated set of services on top.

In-Place Encryption and Layered Services

Though KODiAC, using the cloud, instantiates patented cryptographic offloading, we still had the task of simplifying integration on the host. With a variety of options at our disposal, we chose to create further innovation to integrate with our patented offloading scheme so we could realize the most aggressive result possible: A truly application- and thus infrastructure-independent solution that maintained end-user workflows and native applications.

The resulting technologies are held as a Trade Secret in what we refer to as In-Place Encryption, which automatically detects end-user access to protected materials and seamlessly performs authentication, authorization, and encryption/decryption through KODiAC Cloud Services, delivering protected plaintext while maintaining host isolation. Continuous monitoring lets us ensure the plaintext is re-protected once use is complete, closing the loop.

The result: a complete, end-to-end integrated solution that reduces end-user participation to providing independent credentials for the endpoint software (the :Foundation Client) in the form of an intermittent password (refreshed on demand but only occasionally, anywhere from once a day to shorter intervals, according to Administrative configuration), plus an optional second factor. As you may have guessed, when the second factor isn’t bound to a hardware device, the :Foundation Client uses a software-based solution “under the covers” to fulfill the system’s requirements.

Central Control and Layered Response/ Recovery Services

We didn’t arrive at the architecture and resulting designs in a day; it took the better part of 18 months to refine In-Place Encryption with cloud service optimizations. But the resulting solution provided additional advantages by virtue of central authentication and authorization as part of key distribution. It is of course far more complex, since our cloud services never hold enough keying material to recover end-user plaintext.
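As an added illustration (not DefiniSec’s code and not the patented protocol), the constructed Python model below shows the three properties discussed above: cryptographic operations are offloaded to an isolated key service, the service releases nothing until both a password and a challenge-response from a hardware-style token are presented (MFA integrated into the offloading protocol), and each data key is split so that the service alone never holds enough material to recover plaintext. The cipher, token, user names and secrets are all constructed stand-ins; the keystream cipher is a toy used only to keep the example standard-library-only.

```python
import hashlib, hmac, secrets
# Constructed illustration of MFA-gated cryptographic offloading with split
# keys; not DefiniSec's code. Toy unauthenticated keystream cipher, stdlib-only.
def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return xor_bytes(data, stream)

def token_response(secret: bytes, nonce: bytes) -> bytes:
    """Stand-in for a touch-to-sign USB token answering a fresh challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class KeyService:
    """Isolated offloading service: stores only half of every data key."""
    def __init__(self):
        self._users, self._shares, self._nonces = {}, {}, set()
    def enroll(self, user, password, token_secret):
        self._users[user] = (hashlib.sha256(password.encode()).digest(), token_secret)
    def register_share(self, user, doc_id, share):
        self._shares[(user, doc_id)] = share
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)  # single-use, so a captured response cannot be replayed
        return nonce
    def request_share(self, user, password, doc_id, nonce, response):
        if nonce not in self._nonces:
            raise PermissionError("unknown or replayed challenge")
        self._nonces.discard(nonce)
        pw_hash, token_secret = self._users[user]
        if not hmac.compare_digest(pw_hash, hashlib.sha256(password.encode()).digest()):
            raise PermissionError("password rejected")
        if not hmac.compare_digest(token_response(token_secret, nonce), response):
            raise PermissionError("second factor rejected")  # stolen password alone fails
        return self._shares[(user, doc_id)]

def encrypt_doc(svc, user, doc_id, plaintext):
    """Client keeps one share, service keeps the other; neither alone decrypts."""
    svc_share, client_share = secrets.token_bytes(32), secrets.token_bytes(32)
    svc.register_share(user, doc_id, svc_share)
    return client_share, keystream_xor(xor_bytes(svc_share, client_share), plaintext)

def decrypt_doc(svc, user, password, token_secret, doc_id, client_share, ciphertext):
    nonce = svc.challenge()
    svc_share = svc.request_share(user, password, doc_id, nonce, token_response(token_secret, nonce))
    return keystream_xor(xor_bytes(svc_share, client_share), ciphertext)
```

A request carrying a correct password but no valid token response is refused before any key share leaves the service, which is the property the text relies on to blunt credential theft.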

The general nature of central control permits layered Continuity Services such as Backup/Restore, Integrity Protection, Sabotage Remediation, host content Replication, and offline Disaster Recovery. And through creative use of secure audit information, we have been able not only to deliver fine-grained Reporting that serves as a high-quality source for improving SIEM and Correlation system effectiveness, but also to deliver Objective Disclosure Risk Insight for all managed content, used both within an Organization and by Third Parties (governed by Sharing Policies).

As a whole, this delivers on our original vision. The first complete set of system services was introduced in early 2017 with the public release of :Respond, and since that time we’ve focused on maturing these offerings and adding support for advanced operations with global distribution.

Conclusion

In 2014, DefiniSec set out to provide solutions for companies breached by advanced attackers, whether nation-states, hackers for hire, or malicious insiders. The progression from our original vision to our distributed protection capabilities has included many challenges that might someday warrant its own book. Despite these hurdles, we have persevered to bring these protections to you, and we look forward to an opportunity to prove we can do what we say. Want to challenge us? Give it a shot with an Evaluation, or contact us directly. We look forward to it!