Identity Aware, Seamless, Extended End-2-End Reverse Sandbox
So what does this mean, and why is it important? A couple of key concepts and reasons:
- Seamless, Extended End-2-End. Simply put, FN controls the data from the moment a user communicates with hardware peripherals such as a keyboard and mouse, as it traverses the user's local device, crosses the internet, and even lands on the server. Seamless ensures that there are no gaps in the data's traversal, since any such gap is an easy attack vector for hackers.
- Reverse Sandbox. This one's a bit of a mind bender, but here goes. If anti-virus is a blacklist, and application whitelisting is, well, whitelisting, then sandboxing is in effect sandboxing a blacklist (i.e. quarantining the bad stuff), and reverse sandboxing is therefore sandboxing a whitelist (protecting the good stuff). Got it?
- Identity Aware. The real special sauce, and another mind bender of sorts. With FN, a User is bound both to their data and to FN's software. As a result, FN's entire software suite is User aware (otherwise known as identity aware) at all times, and data always remains cryptographically altered unless it is being presented to the correct user.
Lastly, the Security Technologies noted are what prevent direct attack against FN's software, by increasing the difficulty of hacking it (or, said another way, increasing the software's "mean time to failure") through diversification and fragilization. Further, scheduled morphing replaces the diversified software package on a schedule, so that if the software is still unbroken at the time of the update, the hacker generally has to start all over again against the new build. Conceptually, as the update interval is shortened, the probability of a successful hack is reduced, because whatever progress the attacker has accumulated is discarded at each morph.
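To make the interval claim concrete, here is a small added model (illustrative code, not FN's software or measurements; the work distribution, hazard rate, horizon and intervals are assumed values). The first function follows the paragraph's own assumption, an attacker whose progress accumulates and is thrown away at each morph, and shows the probability of compromise falling as the interval shrinks. The second shows the boundary of the claim: an attacker whose chance of success per unit of time does not depend on history (blind guessing, a fresh independent attempt each time) is not slowed by morphing at all, so the benefit depends on the attack actually requiring cumulative work against a specific build.

```python
import random

# Added model (not FN's code) of the morph-interval claim. The work distribution,
# hazard rate and horizon below are assumed for illustration only.

def p_compromise_cumulative(interval: float, horizon: float, min_work: float = 5.0,
                            max_work: float = 15.0, trials: int = 20_000,
                            seed: int = 1) -> float:
    """Attacker whose progress accumulates. Each diversified instance needs a fresh
    random amount of work W ~ U[min_work, max_work]; a morph every `interval`
    discards whatever progress was made (the 'start all over again' above).
    Returns the fraction of trials in which the attacker finishes within `horizon`."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        elapsed = 0.0
        while elapsed < horizon:
            window = min(interval, horizon - elapsed)  # uninterrupted time on this build
            if rng.uniform(min_work, max_work) <= window:
                wins += 1
                break
            elapsed += interval  # morph: progress lost, next build draws a new W
    return wins / trials

def p_compromise_memoryless(interval: float, horizon: int, hazard: float = 0.05) -> float:
    """Attacker with a constant per-unit-time chance of success that does not depend
    on history. `interval` is accepted only to make the comparison explicit: it never
    enters the result, so morphing does not change this attacker's odds."""
    return 1.0 - (1.0 - hazard) ** horizon

def sweep(horizon: float = 40.0) -> dict:
    """Probability of compromise for several morph intervals under both models."""
    return {i: (p_compromise_cumulative(i, horizon), p_compromise_memoryless(i, int(horizon)))
            for i in (4, 10, 20)}

if __name__ == "__main__":
    for interval, (cumulative, memoryless) in sweep().items():
        print(f"interval={interval:>2}  cumulative={cumulative:.3f}  memoryless={memoryless:.3f}")
```

With the assumed parameters, an interval shorter than the minimum work needed (4 versus 5) never loses, an interval of 10 loses in roughly 94% of runs over a horizon of 40, and an interval of 20 always loses; the memoryless column is identical in every row.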
Our specific solution direction is a construct we call Security Agents, and before delving into what this construct is, let's start by outlining what it is not. The term 'Security Agent' shares properties with, but should not be confused with, the more general term "software agents", which refers primarily to software that acts on behalf of a user, or Secure Mobile Agents, which in addition to acting on behalf of users must be capable of autonomous movement from one device to another while preserving the integrity of their operations and data. In comparison, Security Agents are not nearly as intelligent, artificial or otherwise, as the other agent architectures noted, are only mobile if a user wants them to be, and serve the specific purpose of ensuring the confidentiality, integrity and availability of a user's data in a malicious host environment.
In our view, the minimum properties that comprise Security Agents include:
- User/Owner Centric: Must serve the needs, objectives and purposes of the User, including, but not limited to, data protection.
- Reduced Transitive Insecurity. Any system is composed of components, and by definition, the more components of unknown or unverified properties an agent must rely on, the less likely it is to be secure. The corollary of this axiom is that any security system relying on a component known to be insecure cannot itself be secure, which we think is a construct of extreme importance.
- Identity Aware. Given that a Security Agent's objective is to serve the user in a trustworthy manner (not to act on behalf of the user, as noted earlier), a mechanism must exist to establish a link "chaining" a user's identity to their agent, and to let the agent distinguish between calls made by itself and those made by other software.
- Bidirectional Authentication: A system must not only authenticate the user; the agent must also authenticate itself to the user.
- Predicate Enforcement: To be effective, policies must not only be defined but also be enforceable (via predicates). Further, we believe that enforceability can only be achieved if the decision-making and enforcement mechanisms cannot be detached from one another.
- Trustworthy Trustmarks: Users must be able to understand, and thus make use of, simple human-computer interface cues such as trustworthy trustmarks.
- Privacy 'and' Security: Security and privacy share the mandate of confidentiality and thus should be concurrent design objectives. Further, specific privacy requirements should also be explicitly incorporated into agent design, for example privacy as the default setting (see Privacy By Design for other important privacy design considerations).
- Fail Securely: When encountering an unknown component, or one whose security properties cannot be verified, the system should be designed to fail securely, so that under no circumstances is any data exposed.
- Fail Gracefully: In the event that an agent or one of its components has been compromised, or otherwise loses its expected security properties, a mechanism must exist to quickly and easily update all affected agents once the shortcoming has been rectified.
- Self-Verifying, Behaviorally Diversified and Scheduled Morphing Code: Given that the potency of any software is finite, the agent infrastructure must be capable of continuously updating itself with new, behaviorally diversified agents to extend the useful life of any known set of technologies.
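The Identity Aware, Bidirectional Authentication, Predicate Enforcement and Fail Securely properties above can be shown together in one small model. The following is an added, illustrative example and not FN's code or design: it assumes a master key derived from the user's password with PBKDF2 (so it exists only while the user is present), HMAC-SHA256 as the PRF for domain-separated subkeys, a CTR-style keystream and the authentication tags, and a session transcript shared by both sides. The sample salt, password and stored note are constructed values. A production agent would use a standard AEAD such as AES-GCM rather than a hand-built stream cipher; what the example is meant to show is the structure: data sealed under the user's key at once, each side proving itself to the other with direction-specific labels (so a reflected tag never verifies), and a release path where the policy predicate and the only code able to produce plaintext live in the same function.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added, illustrative model of an identity-aware security agent (not FN's code).
# Stdlib only; a production agent would use an AEAD such as AES-GCM instead.
def user_master_key(password: bytes, salt: bytes) -> bytes:
    """Identity binding: the master key exists only while the user is present."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)

def prf(key: bytes, data: bytes) -> bytes:  # domain-separated subkeys and tags
    return hmac.new(key, data, hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style keystream from the PRF; the same call encrypts and decrypts."""
    stream = b"".join(prf(key, nonce + i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the blob is opaque to anyone without the user's key."""
    nonce = secrets.token_bytes(16)
    ct = xor_stream(prf(master, b"enc"), nonce, plaintext)
    return nonce + ct + prf(prf(master, b"mac"), nonce + ct)

def unseal(master: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(master, b"mac"), nonce + ct)):
        raise PermissionError("tag mismatch")  # fail securely: no plaintext at all
    return xor_stream(prf(master, b"enc"), nonce, ct)

@dataclass
class Session:
    nonce_user: bytes
    nonce_agent: bytes
    agent_verified: bool = False  # agent -> user; only then show a trustmark
    user_verified: bool = False   # user -> agent

# Fixed labels keep the two directions distinct, so a tag reflected back to
# its sender never verifies.
def agent_tag(auth_key: bytes, s: Session) -> bytes:
    return prf(auth_key, b"agent|" + s.nonce_user + s.nonce_agent)

def user_tag(auth_key: bytes, s: Session) -> bytes:
    return prf(auth_key, b"user|" + s.nonce_agent + s.nonce_user)

def user_verify_agent(user_auth_key: bytes, s: Session, tag: bytes) -> None:
    """User side: hand nothing to an agent that cannot prove itself first."""
    if not hmac.compare_digest(tag, agent_tag(user_auth_key, s)):
        raise PermissionError("agent not authenticated")
    s.agent_verified = True

class Agent:
    """Holds sealed blobs and an auth subkey, never the master key."""
    def __init__(self, auth_key: bytes):
        self.auth_key, self.store = auth_key, {}

    def begin(self, nonce_user: bytes) -> Session:
        return Session(nonce_user, secrets.token_bytes(16))

    def verify_user(self, s: Session, tag: bytes) -> None:
        if not hmac.compare_digest(tag, user_tag(self.auth_key, s)):
            raise PermissionError("user not authenticated")
        s.user_verified = True

    def release(self, s: Session, name: str, master: bytes) -> bytes:
        """Predicate enforcement: the decision and the only code path able to
        produce plaintext sit in one function, so neither can be detached."""
        if not (s.agent_verified and s.user_verified):
            raise PermissionError("policy predicate not satisfied")
        return unseal(master, self.store[name])

def run_demo() -> dict:
    """Full exchange on constructed sample values, then the failure cases."""
    salt, password = b"constructed-salt", b"correct horse battery staple"
    master = user_master_key(password, salt)
    agent = Agent(prf(master, b"auth"))      # enrolment: agent gets the auth subkey
    agent.store["note"] = seal(master, b"typed at the keyboard, sealed at once")
    user_auth = prf(master, b"auth")         # user side re-derives it each session

    s = agent.begin(secrets.token_bytes(16))
    user_verify_agent(user_auth, s, agent_tag(agent.auth_key, s))
    agent.verify_user(s, user_tag(user_auth, s))
    out = {"released": agent.release(s, "note", master)}

    def rejected(fn) -> bool:
        try:
            fn()
        except PermissionError:
            return True
        return False

    wrong = user_master_key(b"someone else", salt)
    s2 = agent.begin(secrets.token_bytes(16))
    out["wrong_user"] = rejected(lambda: agent.verify_user(s2, user_tag(prf(wrong, b"auth"), s2)))
    out["reflected_tag"] = rejected(lambda: agent.verify_user(s2, agent_tag(agent.auth_key, s2)))
    out["unauthenticated_release"] = rejected(lambda: agent.release(s2, "note", master))
    tampered = bytes(b ^ (i == 20) for i, b in enumerate(agent.store["note"]))
    out["tampered_blob"] = rejected(lambda: unseal(master, tampered))
    return out
```

Calling run_demo() walks the happy path (agent proves itself, user proves itself, note released) and then shows each predicate failing securely: a wrong password yields a different auth subkey and is rejected, the agent's own tag replayed as the user's is rejected because of the direction label, a release attempted without authentication is refused, and a single flipped byte in the sealed blob fails the tag check before any decryption happens.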
The architecture of Security Agents is based on the simple principle of taking complete responsibility for user data security as early as possible in the user's interaction with a computing device, and then maintaining that data in a cryptographically altered state at all times thereafter. We call this hyper-prophylactic idea 'seamless, end-to-end reverse sandboxing'; it enables the elimination of transitive risk from all other system components, that is, even if, say, the browser, OS or any 3rd-party app has vulnerabilities or can be compromised, the security of user data is no longer at risk.