Building security inside data, not around it - Embedded.com

Building security inside data, not around it

The time is months from today — August 1, 2020. The place: Las Vegas. You are attending a Blackhat conference. You’ve been promised a top-secret document that will describe multi-layered encryption schemes no one has ever seen before.

The sender assures you the document is for your eyes only.

The sender further stipulates that you can only open the document when you use your PC in Room 1205 at the Mandalay Bay Hotel, between 3 and 5 p.m. on the first day of the conference.

This stuff is reminiscent of that self-destructing Mission Impossible message that disappears in a puff of smoke after it’s listened to, but with a twist — this data disappears if you dare alter your device, your location or miss the two-hour viewing window.

Who could possibly specify, tailor and exert such exact parameters, including a deeply granular geolocation spec, on a document that’s about to be shared?

Keyavi Data, a data security company based in Las Vegas, claims it can do this.

Elliot Lewis, CEO of Keyavi Data, told EE Times that enterprises often see their data breached or hacked because their data protection methodologies often can’t keep up with “constant changes in technologies — data centers, end points, data flow or data architecture.”

Rather than developing security measures against moving targets, Lewis suggested, what if we can make data itself “self-intelligent, self-protective and self-aware?”

In other words, put security in data itself. That’s exactly what Keyavi has done, claimed Lewis.

For example, data that needs protection can be stored in a USB stick, CD-ROM or cloud drive, according to Lewis. “It doesn’t matter.” Regardless of the data’s container, Keyavi’s protection mechanism stays with, and travels with, the data.

Chain of custody

There are three elements unique to Keyavi’s technologies.

First, the data itself has smarts, so it can ask such questions as “Who are you? Where am I? Who should have this?” before letting a receiver see the data. The embedded security can protect itself from being accessed or stolen or used inappropriately.


Screenshot of Keyavi’s user dashboard (Source: Keyavi Data)

Second, the data can report its status to its owner within 30 seconds, wherever the data winds up. On Keyavi’s dashboard, as soon as you push a send button, you can see a global map light up as data moves to different parts of the world.

Third, Keyavi’s technology is built to show a chain of custody throughout the life cycle of data.

When Lewis was chief security architect for the Office of the CTO, Software Division, at Dell, he saw myriad security breaches. Companies whose data was compromised or breached suddenly faced a hail of legal questions. They had to report to authorities on specifics including the possession of data, which customers’ data leaked, and who had control of that data. Most companies scramble to piece together all the facts because such information is not in a single file but dispersed all over the place. Keyavi’s technology can offer the chain of custody and forensic data, Lewis noted.

How Keyavi has done it

Details of how exactly Keyavi has pulled this off remain undisclosed.

However, to dispel vaporware concerns, Keyavi demonstrated it in real time to EE Times editors online.

The company also has customers, who remain nameless. The product has been in early access mode since October. It went to beta testing in January, according to Lewis. Beta testers include companies in healthcare, manufacturing, finance, entertainment, and hospitality. Those early adopters are now proceeding into full adoption.

Lewis stressed that Keyavi has designed encryption based on “industry standards such as CryptoAPI and AES. The product is compliant with the National Institute of Standards (NIST)’s FIPS-140-2.”

Keyavi’s encryption technology, however, is fundamentally different from its forebears in two basic ways, said Lewis. First, Keyavi is deploying a patented multiple key encryption, which denies data access to any single encryption key. Second, its Microdatabase technology is embedded in the data.

For every individual file or group of files, the technology wraps the data in multiple, independent encryption layers. In contrast to data loss prevention (DLP) or other data protection methods, the compromise of any single layer triggers protection mechanisms in the other layers.

Data can only be accessed by meeting all permission parameters set by the owner. For example, access can be granted by location, including cities, streets, specific buildings or rooms in a building, by certain individuals or groups and for certain periods of time. The owner can immediately change or revoke parameters, so data stays under control regardless of where it is located or who possesses it.

In addition, “Every piece of data has our embedded Microdatabase technology built into it,” said Lewis. “This is the intelligence part.” Keyavi invented this new technology, which was developed by a team of experts armed with more than 600,000 cumulative hours in cyber and encryption technology.

While it declined to disclose the total development hours, the company acknowledged that the core architecture and new technology model have been in development for many years.

The data is self-aware, including situational awareness. When an attempt is made to access it, it first senses whether it’s in an approved location. If not, the data disallows any interaction with the requesting party. If the location is approved, it then confirms or denies the recipient’s rights to access it there. Only after all other parameters have been met does the data use a content key to allow access.
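The layered access flow described in the last few paragraphs (policy bound to the data, location checked first, then recipient, then time window, and only then the content key released) can be sketched in code. This is an added illustration, not Keyavi’s product code: the envelope format, the policy fields and the assumption that a trusted opener agent holds the owner secret are all mine, and an HMAC-SHA256 counter-mode keystream stands in for AES so the block runs with the Python standard library alone.

```python
import hashlib, hmac, json, secrets

class AccessDenied(Exception):
    """Raised by the first layer whose check fails; later layers are never consulted."""

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the AES the article names (stdlib only).
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _canonical(policy: dict) -> bytes:
    return json.dumps(policy, sort_keys=True).encode()  # deterministic bytes for MAC/KDF

def seal(plaintext: bytes, owner_secret: bytes, policy: dict) -> dict:
    """Encrypt under a fresh content key, wrap that key under a key derived from
    the policy itself, and tag the whole envelope so an edit to any layer is detected."""
    content_key = secrets.token_bytes(32)
    kek = hmac.new(owner_secret, _canonical(policy), hashlib.sha256).digest()
    wrapped = _keystream_xor(kek, content_key)
    ciphertext = _keystream_xor(content_key, plaintext)
    tag = hmac.new(owner_secret, _canonical(policy) + wrapped + ciphertext, hashlib.sha256).digest()
    return {"policy": policy, "wrapped_key": wrapped.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}

def open_envelope(env: dict, owner_secret: bytes, ctx: dict) -> bytes:
    """Check the layers in the order the article describes: envelope integrity,
    then location, then recipient, then time window, then release the content key."""
    policy, wrapped = env["policy"], bytes.fromhex(env["wrapped_key"])
    ciphertext = bytes.fromhex(env["ciphertext"])
    expected = hmac.new(owner_secret, _canonical(policy) + wrapped + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise AccessDenied("envelope altered")      # e.g. someone rewrote the allowed room
    if ctx["location"] != policy["location"]:
        raise AccessDenied("location not approved")
    if ctx["recipient"] not in policy["recipients"]:
        raise AccessDenied("recipient not authorised")
    if not policy["not_before"] <= ctx["now"] < policy["not_after"]:
        raise AccessDenied("outside viewing window")
    kek = hmac.new(owner_secret, _canonical(policy), hashlib.sha256).digest()
    return _keystream_xor(_keystream_xor(kek, wrapped), ciphertext)  # unwrap key, then decrypt

def try_open(env: dict, owner_secret: bytes, ctx: dict):
    """(True, plaintext) on success, or (False, reason) naming the layer that refused."""
    try:
        return True, open_envelope(env, owner_secret, ctx)
    except AccessDenied as exc:
        return False, str(exc)
```

Because the key-encryption key is derived from the policy bytes, editing the policy does not merely fail the integrity check; even without that check the wrapped content key would unwrap to garbage, which is the sense in which compromising one layer leaves the others protecting the data.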

Competing methods for protecting data have focused on keeping the data contained. “They’re all about how to keep the data within a certain platform or container or operation,” said Lewis. “It’s always about doing something around the data. Other methods are tied into policy servers where the data has to check back, or only opens up for a particular application or container or platform. With Keyavi, protection is built into the data itself.”

Platform agnostic

Keyavi’s technology is agnostic to transport, storage, platform and applications, according to Lewis. It can run on any operating system, including Windows, macOS, iOS or Android. Keyavi can also be integrated into applications such as Office suites and Outlook.

Most enterprise users or OEMs can take the Keyavi API, and their developers can build Keyavi-integrated apps tied back to their own policy, infrastructure or services.

What about Digital Rights Management

Keyavi’s ability to let data owners change or revoke the data-usage parameters at a moment’s notice raises the question of how it interacts with the data’s digital rights management (DRM).

Keyavi stressed a difference between its intelligent data and any DRM-enabled file. DRM allows an application to apply a particular set of rules to how a given file will be allowed to operate within that application, according to Keyavi.

Whether data uses Adobe PDF or Microsoft Office DRM, the DRM control sets are resident in the applications, not in the data itself.

Further, Keyavi pointed out, “Neither of these [DRM] control sets keep the file from being shared or stolen. They are just as vulnerable as they were before to theft, extraction, or inappropriate sharing.” In short, they only allow the application – if the application is being used to access them – to control certain features.

But what happens when Keyavi is used to protect a DRM-enabled file?

According to the company, Keyavi is applied around that DRM. The company explained, “Keyavi still protects the file under all conditions, and once the proper access policies are met and the file knows it is ‘safe,’ then it will allow access to itself. The file will still be a PDF- or Office DRM-enabled file and all of those policies for the application will apply as well.”

This article was originally published on our sister site, EE Times.
