Are you a threat to your customer’s data?

Vinnie Moscaritolo
Published in ZeroDarkCloud, Aug 13, 2019

In the network security world there’s a concept called “castle and moat”. The data you store in the cloud is the castle. And the moat includes the various obstacles you put in place to protect the “castle”. You try to make it hard to cross the moat… but once crossed and inside the castle, everyone is trusted by default.

The drawback of this model is that it leaves the castle exposed to insider attacks, whether from employee/contractor negligence or from professional attackers who obtain insider credentials. In fact, most security-breach studies show that around 92% of attacks involve privileged credentials. [1]

This design flaw is particularly evident in how mobile apps sync their data to the cloud. As an example, consider the following excerpt from an unnamed app’s privacy policy (paraphrased):

We take security very seriously and we do everything we can to ensure your data is secure. All communications between the <our device>, cloud servers, and <our> apps are encrypted with AES 128-bit encryption and TLS/SSL (HTTPS). We use Amazon Web Services (AWS) for cloud servers and online storage… Physical security is managed by Amazon and access to these production systems is limited to a very small group of our engineering team members.

This might sound good to the novice reader, but any security professional sees one thing: castle & moat.

Regrettably, a lot of companies still consider this best practice. Imagine using an armored car to transport your goods to a secure warehouse, but once you get through the warehouse doors there is nothing to prevent you from rummaging through any of the boxes.

And yet, customers have a strong expectation that their data remains private. It may be more than an expectation: depending on the industry, it can be mandated by regulatory or compliance regimes such as HIPAA, GDPR, and upcoming lookalikes such as CCPA.

We understand all too well that doing all this correctly is not an easy task; it requires specialized security expertise, time, money and truckloads of code.

This is why we created the ZeroDark.cloud system: to make it easier for app developers to get it right.

ZeroDark.cloud is a zero-trust platform. The data your app syncs to the cloud cannot be read by us. Our approach uses end-to-end encryption, rather than brittle policy, to enforce which users and which apps can access your cloud data. Our framework protects your data automatically before it ever leaves the client. To mitigate man-in-the-middle attacks, we also anchor the authenticity of each user’s public key on the Ethereum blockchain.
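The difference between castle-and-moat and client-side encryption, as an added Python sketch (not ZeroDark.cloud’s code): in the first upload the server holds the at-rest key, so anyone with server credentials can read the record; in the second the user’s key never leaves the device, so the same insider sees only ciphertext. The cipher is a constructed standard-library stand-in for an authenticated cipher, and every name, path and sample record here is an assumption.

```python
import hashlib, hmac, os

# Constructed stand-in for an authenticated cipher (HMAC-SHA256 keystream, then an HMAC tag)
# so this runs on the stdlib alone. Real clients use AES-GCM; the lesson is where the key lives.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # nonce || ciphertext || tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# The castle: a bucket plus the server's at-rest key. Anyone with server credentials has both.
SERVER_KEY = os.urandom(32)
BUCKET = {}

def upload_castle_and_moat(name: str, plaintext: bytes) -> None:
    # Client sent plaintext over TLS; the server encrypts with its own key once inside.
    BUCKET[name] = encrypt(SERVER_KEY, plaintext)

def upload_end_to_end(name: str, user_key: bytes, plaintext: bytes) -> None:
    # Client encrypts before the data leaves the device; the server stores only ciphertext.
    BUCKET[name] = encrypt(user_key, plaintext)

def insider_read(name: str):
    """What a privileged insider (or an attacker holding their credentials) recovers."""
    try:
        return decrypt(SERVER_KEY, BUCKET[name])
    except ValueError:
        return None

def demo():
    record = b"patient: J. Doe, dx: constructed sample record"
    user_key = os.urandom(32)  # generated and kept on the user's device, never uploaded
    upload_castle_and_moat("castle/rec1", record)
    upload_end_to_end("e2e/rec1", user_key, record)
    return (insider_read("castle/rec1"),  # plaintext: the moat was the only defense
            insider_read("e2e/rec1"),  # None: the server's key cannot open it
            decrypt(user_key, BUCKET["e2e/rec1"]))  # the legitimate user still can
```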

We have also made the ZeroDark.cloud framework available for audit as open-source software, so you don’t have to take our word that the code is secure. You can check it for yourself.

Best of all, our system integrates easily into your app. We handle all the syncing, encryption, networking, messaging, notifications and setup.

To quote Jon Callas, a well-known name in the data security world:

“Zero Dark Cloud is a toolkit that allows any developer to have a solution to a critical and very hard problem: how do I let my customers use their app without having me be privy to their business? How do I remove myself as a threat to my customers? Once, this was something only the most savvy developers could reliably solve. ZDC brings it into a concise API.”

We look forward to helping developers create things like HIPAA-compliant communications and confidential file transfer. But we also believe our feature set will inspire a whole new class of applications: estate planning for digital assets using our social key recovery, and secure machine-learning model distribution to protect intellectual property. We also support large content (encrypted video with scrubbing) served up in a pay-as-you-go system.

We invite you to see for yourself how ZeroDark.cloud can help secure your app data. We have posted our docs and some ideas for building useful samples at http://docs.zerodark.cloud.

[1] McAfee, Cloud Adoption & Risk Report, 2019.
