Thursday, January 15, 2009

Introducing a no data-breach guarantee

Usually we do not talk much about our product or company in this blog. However, today might be an exception :)

This is an exciting day for us at BitArmor - we are announcing a guarantee against data breaches for organizations looking to protect sensitive data and avoid the massive expense of a data breach. We are proud to be the first vendor to do so!

The concept is simple - we believe we have superior Smart Tag technology that protects data persistently, using an information-centric approach. The data remains protected at rest and in flight, and the protection is device independent - this gives us the ability to protect data on multiple devices, especially the ones that are most vulnerable: laptops (where we use disk encryption in addition to our persistent file encryption), USB devices and email attachments, among others.

This gives us the confidence (well, we also derived a lot of it from government agencies and crime labs beating up on our software!) to make this bold statement and back our product with a money-back guarantee in case a publicly announced breach is the result of someone breaching BitArmor controls.

While we understand that a breach may cost the company more than our promise, we want organizations to know we have skin in the game to ensure that their data is protected. In some sense, we also shoulder some of the responsibility :)


Rob Lewis said...

You don't mention data in use.

How do you protect against insider attack by trusted staff who are compromised in some way?

How are you protecting data from theft by system admins, security officers etc?

Insider theft does not mean just the janitors.

Manu Namboodiri said...

Rob- I think it is hard for anyone to prevent data in use theft and real malicious intent from trusted insiders - if one takes out their cell phone and takes a picture of a document, there is not much anyone can do.

We feel that our approach of persistently protecting the data itself - wherever it is - gives broader coverage than many point products that protect only certain devices. In fact this protection can be set up so that IT administrators do not have access to any data.

And therefore, what we are claiming is if BitArmor-protected data is compromised, and if a forensics audit proves it is our fault, we will keep our end of the guarantee...

Rob Lewis said...

Hey Manu,

We are in a bit different space than you guys; our product is counter-espionage technology. We would not look too good if we threw up our hands and said "well there's not too much anyone can do about that threat, is there?"

We do have a way to protect against the example you gave. I would be glad to elaborate if you wish.

Don't get me wrong, I think you guys are bringing something needed to market and I wish you luck. I just don't want people to think "ok problem solved" and let their guards down thinking that all risks have been covered.

Manu Namboodiri said...

Rob - Appreciate the good wishes from your side! We do think our approach lends itself to being a bit bold.

Would love to know how you might prevent complete malicious activity by insiders such as cameras - sure to be cool stuff!

To your point, counter-espionage has different security and threat requirements, as well as a different willingness to push the productivity/ease-of-use/security envelope, than normal businesses. I don't think that three-letter government agencies are ever going to think "problem solved".

But I am glad you agree that some degree of confidence in a product is needed in the market.

Rob Lewis said...

Sure Manu,

Without taking up too much of your blog, here is how Trustifier can be used to handle such a problem.

Trustifier is a kernel level behavior (policy) enforcer that allows ranking of users (users, roles, groups), code, and devices for secrecy and/or integrity, in terms of access rights to documents. You could set your policies so that top secret or mission-critical data could be viewed, even by those with proper access rights, only on specific work station screens, in the presence of security officers or monitored by live video surveillance.
Again, you would not want to do it for everything, but you can use it for crown jewels if needed.

This is just scratching the surface to respond to your example of course, but you might use your imagination about the possible things one could do by using such rankings. For example, if you rank audit trails higher for integrity than all users, you now have tamper-proof audit trails to act as a deterrent against unauthorized use of resources by privileged users, which can go a long way to protect data in use.
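The ranking idea described in the comment above, as an added illustration that is not Trustifier's or BitArmor's code (the entity names, ranks and operations are constructed): users, devices and documents each carry a secrecy rank and an integrity rank; a read is denied when either the viewer or the screen is ranked below the document for secrecy, and a write is denied when the writer is ranked below the object for integrity, which is why an audit trail ranked above every user cannot be altered even by an administrator.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    secrecy: int    # higher = more secret
    integrity: int  # higher = more trustworthy

@dataclass(frozen=True)
class Entity:
    """A ranked user, role, or device (constructed example, not Trustifier's API)."""
    name: str
    label: Label

@dataclass(frozen=True)
class Document:
    name: str
    label: Label
    allowed_devices: frozenset = frozenset()  # empty means any device

def check(subject: Entity, doc: Document, device: Entity, op: str) -> bool:
    """Return True if the ranking policy permits the operation."""
    if op == "read":
        # No read-up: both the viewer and the screen must be ranked at least
        # as secret as the document.
        if subject.label.secrecy < doc.label.secrecy:
            return False
        if device.label.secrecy < doc.label.secrecy:
            return False
        # Crown jewels may additionally be pinned to specific workstations.
        return not doc.allowed_devices or device.name in doc.allowed_devices
    if op == "write":
        # No write-up for integrity: a subject may not modify an object ranked
        # more trustworthy than itself, which is what keeps the audit trail
        # tamper-resistant even against administrators.
        return subject.label.integrity >= doc.label.integrity
    return False

# Constructed sample ranking.
ADMIN = Entity("sysadmin", Label(secrecy=3, integrity=2))
ANALYST = Entity("analyst", Label(secrecy=2, integrity=1))
SECURE_WS = Entity("secure-ws-1", Label(secrecy=3, integrity=3))
LAPTOP = Entity("laptop-42", Label(secrecy=1, integrity=1))
AUDIT_LOG = Document("audit-trail", Label(secrecy=1, integrity=3))
CROWN_JEWEL = Document("top-secret-plan", Label(secrecy=3, integrity=2),
                       allowed_devices=frozenset({"secure-ws-1"}))
```

With these ranks the administrator can read the audit trail but not modify it, and the top-secret plan is readable only on the designated secure workstation.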