Globally, money has recently been pouring into security startups and it’s not hard to understand why. With breaches now routine, it’s abundantly clear that something went wrong when today’s security systems were being designed a decade or more ago. Too many assumptions turned out to be optimistic, leaving organisations large and small to pay a heavy price as data was siphoned from databases whose defences were about as effective as a paper wall.
Startups have come to be seen as one solution to this failure and in the US at least, a lucrative investment. If something’s not working, invent a new thing to replace it. The UK too has seen a clutch of new names, almost all in security software or services.
Founded less than two years ago, Silicon:SAFE is the latest example of this movement but, unlike almost every British contemporary, it has chosen to base its products on hardware rather than software, and to take a long-term approach not driven by money-hungry investors. It’s surprising to hear that a UK startup has taken on this kind of challenge. Security is hard enough without throwing expensive hardware development into the mix but that’s precisely what its founders Roger Gross and Dr Will Harwood decided to do in 2013 after meeting for a catch-up for the first time since they worked together at Citrix in the early 2000s.
In the intervening years, York University PhD Harwood’s perspective on security had been influenced by the painful Sony data breach of 2011, after hearing it discussed at a conference. Sony had used encryption to secure its customer data but still, paradoxically, asked them to change their passwords. How could this be? It was as if they realised that encryption alone was no longer as secure as it seemed.
“I wondered away from that workshop thinking the problem wasn’t going to be solved by encryption,” states Harwood.
The disaster for Sony wasn’t simply the damage of losing data but the reputational damage of having to tell customers to reset their account credentials. Data was secure and yet it wasn’t. It’s a pattern of disclosure that has been repeated over and over by large firms that have suffered catastrophic breaches in the years since then.
Harwood’s PhD had covered trust and its complex mechanisms and this has helped him pose the radical question: was it even possible to secure data using computing models based on generalised hardware and mainstream operating systems? Even with encryption, Harwood believed it wasn’t with sufficient certainty.
“I mentioned my research project and Roger thought there was a commercial opportunity. But if I did it as research it probably wouldn’t make a difference for 30 years.”
What has emerged at the other end of this conversation is a possibly unique hardware platform called Password Protect, in essence a password authentication appliance based on a startling architecture that completely eschews operating systems and even mainstream microprocessors in the search for something that can’t be hacked.
The appliance can’t run executables and can’t therefore be undermined by the software flaws and malware that bedevil standard appliances. When a user logs into a system using Password Protect, no credential or password is never sent, only the answer to the simple verification question – does the supplied credential match what is in the appliance, yes or no? The password itself cannot be pilfered from the box because there is simply no interface to do that.
It sounds like a thought experiment gone haywire, good security but strange IT, almost as if the designers have returned to a forgotten world where computers were single-purpose devices rather than general-purpose Turing Machines.
Silicon:Safe - you can check-out any time you like...
Password Protect is a box into which credentials are placed but never after that extracted by anyone. A new password can be placed in the box, of course, but the old one remains in a ‘no read’ state. Backups are carried out by automatically mirroring changes to a second appliance, which is also no-read. Nothing has to be encrypted which means there are no keys to store, backup and secure. There are no admin passwords to steal and even insiders can’t get into the contents unless they can come up with a way of physically accessing the box.
Inside the appliance are three processors, one a hardware firewall that acts as a one-way trap, a second an encryption interface for communicating with external web and application servers sending data in this state and a third to perform the mirroring with the backup machine.
The next stage is to move the ‘Harvard’ micro-controller architecture to more expensive field-programmable gate array (FPGAs) to ease development.
“We’re doing things very simply,” says Harwood. “Instead of four million lines of code in an SQL database you have 10,000 lines of code. All the processing power is dedicated to doing the one thing you want it to do.”
The contrast with the sorts of systems emptied during high-profile data breaches is striking. Criminals find these systems trivial to compromise, not least because they are inherently complex. “You know what they’ve done is gone to the backend database and got the information. We’re stopping that kind of attack,” explains Harwood.
“We’ve built a security architecture for a specific function.”
A potential drawback to this specialised approach is that different types of data require different, customised boxes and that will require time and money. So far, Silion:SAFE’s funding has reached a modest $1 million from unnamed angel investors which will enable the firm to develop its design.
Isn’t encryption more elegant? As the 2015 Ashley Madison breach made clear, encryption is no longer a forcefield. Weakly encrypted data can be cracked using a number of techniques.
“Our response to encryption is that it is a good idea. But if you are concerned about the consequences of theft then encryption doesn’t solve the problem [or the possibility of] insider threats,” says Harwood.
A bigger objection might be that credentials themselves are close to obsolescence in an age moving towards more complex forms of authentication. This might explain the team’s desire to develop appliances that can protect other types of data.
“We have enough money to get the tech to a production level,” confirms Harwood, who goes onto hint at the Cambridge and wider UK connections that secured the funding as well as mentioning Slicon:Safe’s engineering presence based at BT’s Adastral Park research centre.
Currently the Password safe is being trialled by a bank and a very large UK service provider which is assessing the platform as something that might work in a datacentre context.
Hurdles remains, including development and the need to get the cost of the appliance down to a level where it can compete. The concept the pair have come up with would have been laughed at even five years ago as a computer science project run wild. Much work remains but the founders are hopeful.
The era of trivial data breaches will have to end one day and Password Safe and appliances like it could be part of the solution.
Silicon:Safe's Password Protect will be formally launched in April. Anyone who believes they can find a way around its security architecture can enter the firm's Hacker Challenge to test their ideas.