I reviewed CertainSafe for TMC Labs to be published in TMC's Internet Telephony Magazine. Check out an early sneak peek here...
TMC Labs learned about a new product launching by TransCertain called CertainSafe that could be a game changer when it comes to cloud-based collaboration. Fortune 1000 companies and indeed even smaller companies are reluctant to put their most sensitive and confidential data in the cloud to be shared with their partners and customers. But what if you could encrypt the data in the cloud using AES256 encryption or any encryption algorithm of your choice, and combine that with “Tokenization”? Further, what if you could share certain folders and files with specific people using just a browser and with no plugins required and what if you could set an expiration date of how long a folder is shared and maintain an extensive audit trail?
TMC Labs spoke with TransCertain’s CIO David Schoenberger about CertainSafe, along with their current product CertainStore, which is the engine that drives the security behind CertainSafe. David started by giving a history on TransCertain along with a technical description of CertainStore…
David: Four years ago, when we founded this company, my partner Tim Reynolds and I both came out of payment processing background and we worked with a couple of payment processors before. We had built some remarkable payment processing technology - highly secure processing and working directly with the Federal Reserve system and to the backbone of VISA and MasterCard. Direct high speed volume processing. We had to have high speed, high security, and high availability. Those were our three foundational hallmarks for the technology we built.
While we were in this payment processing business, our clients kept coming to us and saying hey, great, we understand you have fantastic security, you’ve got great speeds, but we’re also concerned about some other pieces of our data. What do you guys do for social security numbers or what about this documents that go along with the payment transaction? Can you secure that stuff too? And we couldn’t. The growing concern in the marketplace was that we’re not just concerned about payment data. In fact we might be more concerned about these other pieces of data than we are around the payment data.
So that’s what we did. Tim Reynolds and I left the company we were with and founded TransCertain with the idea that we can take any data from any platform and secure it. But not just secure it make it available. This availability is very revolutionary for us. We’ve bridged the gap between data security and data integration and availability and we have created a technology that secures data at very high speeds and very securely and at the same time makes it available.
Unlike bulk database encryption solutions which encrypt everything, CertainStore helps companies identify which items in their database would give the company heartburn if there was a breach. What CertainStore does is take those elements from their database and provide the customer a “token” just as a reference or placeholder. They take the secret data and put it in CertainStore’s cloud through a proprietary algorithm to generate the token, which importantly has nothing to do with the source data. So if someone hacks in and finds those millions of tokens sitting in the client’s database, they won’t be able to reverse engineer the originating data.
TMC Labs: What about a rogue employee that attempts to contact TransCertain with all of the tokens and asks for the data back?
David explained that programmatically, even if they contact TransCertain, they cannot give the data back unless the permissions have been granted in the business negotiations to say what needs to happen to the data.
David: Typically, when we have the data, we’re doing something with the stored data. We can hand it to a vendor, to a bank, to the other doctor, the other insurance company. Typically speaking, we never hand the data back to the merchant. When they tell us to do something with the data they’ll hand us the token with the rule that’s already built into our platform called process on time that says ‘here’s what needs to happen to the data when it needs to happen. So if a hacker says hand the data back to me, our system will deny it.
TMC commented how this essentially eliminated “social engineering hacking” and David agreed that due to their “one way streets” or “one way rules”, it’s impossible to gain access to the data even if the tokens are acquired by a hacker or rogue employee. CertainStore spreads the data around to multiple hard drives in separate physical locations.
David: Even if the hacker figured everything out and broke through all the rules and understood every nuance of our technology, which I’m telling you this is impossible- and he took the token and hacked in and unencrypted this data represented by the Token and the hacker has found in the thousands of different hard drives where that piece of data lives, MicroEncrypted™ on that hard drive and took the data out. The best thing - which is still impossible – that they can ever do and if they are able to hack through the encryption algorithm, which standard ships with AES256, instead of unlocking an entire encrypted database, they’ll only be able to unlock one single element of that data.
He added that they can use whatever encryption algorithm a client wishes, including proprietary encryption algorithms.
TransAct is the final step, an adapter system they’ve built that unencrypts, transforms the data into a format the receiving side is expecting and then a Just in Time (JIT) sort of method, for the first time it unencrypt the data using the token and use the receiving side’s proprietary method of transmitting that data to them. The receiving side can use standards such as SSL for the transmitting of the data.
David mentioned that their solution completely relieves their clients of the burden of securing the data, any fines or penalties or media embarrassment if a client’s systems were hacked since no sensitive data was stolen. Their platform gives them complete control and freedom over what happens to that data and because CertainStore does not ever hand back that data to the client it eliminates the liability of “holding” that secret data locally. CertainStore acts as the go-between pushing the data where the client needs it to go without the client ever having to store sensitive data in their own IT infrastructure.
If the client wants the data back, CertainStore will give it back to them. In fact, there are cases where fields need to be updated or compared. CertainStore offers APIs to expose the data and allow the client to update records and re-encrypt and re-tokenize that data without clients having to do anything on the front-end.
CertainStore leverages Server-to-Server communication using standard Web Services so that their database communicates with TransCertain’s servers to provide the field-level encryption and what TransCertain calls “MicroTokenization”. These connections are completed utilizing technology that can connect any platform to any other platform quickly, efficiently, and cost effective.
David: All of our services – CertainStore, Process on Time, and TransAct are all wrapped with APIs, both XML and JSON APIs so any organization regardless of their front-end platform or regardless of their database can send and receive tokens from us, can send and receive the data that they need, can make the requests that they need programmatically at the server level. Which means from an integration standpoint the integration is a piece of cake. They don’t have to change their front-end software, or change their database, or change their legacy system, etc. All they have to do is make an XML or JSON call into our platform.
Continue reading CertainSafe, the Virtual Safety Deposit Box, Drives Secure Collaboration...
Tags: AES256 encryption, certainsafe, drag-and-drop sharing via browser, HTML5, PCI compliant, permissions. HIPAA compliant, preview view, read-only, scheduled sharing, transcertain
Related tags: needs happen, payment processing, encryption algorithm, rogue employee, contact transcertain, certainstore
- Follow me:
Facebook Profile
FriendFeed Profile
Google Reader Profile
Google+ Profile
LinkedIn Profile
Twitter Profile
Sponsored by Apex Technology Services, a leading IT Services company