SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Similar documents
How to Build a Culture of Security

WHITE PAPER. Authentication and Encryption Design

The Security Behind Sticky Password

Computers and Security

Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5

Dashlane Security Whitepaper

Password Management. Eugene Davis UAH Information Security Club January 10, 2013

Security Specification

How NOT To Get Hacked

Dashlane Security White Paper July 2018

WHITEPAPER. Security overview. podio.com

Securing Internet Communication: TLS

The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords

Cyber security tips and self-assessment for business


Creating Trust in a Highly Mobile World

Keeping Important Data Safe and Secure Online. Norm Kaufman

Transaction Security Challenges & Solutions

Progressive Authentication in ios

Cloud FastPath: Highly Secure Data Transfer

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Network Security and Cryptography. 2 September Marking Scheme

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Vidder PrecisionAccess

Installation and usage of SSL certificates: Your guide to getting it right

BEST PRACTICES FOR PERSONAL Security

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Solutions Business Manager Web Application Security Assessment

6 TIPS FOR IMPROVING YOUR WEB PRESENCE

Security Best Practices. For DNN Websites

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

How Secured2 Uses Beyond Encryption Security to Protect Your Data

Top 10 Considerations for Securing Private Clouds

Personal Internet Security Basics. Dan Ficker Twin Cities DrupalCamp 2018

Dashlane Security White Paper

Exposing The Misuse of The Foundation of Online Security

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Staying Safe Online. My Best Internet Safety Tips. and the AgeWell Computer Education Center.

Evaluating the Security Risks of Static vs. Dynamic Websites

EasyCrypt passes an independent security audit

Lecture 3 - Passwords and Authentication

CNT4406/5412 Network Security

VNC SDK security whitepaper

How to Stay Safe on Public Wi-Fi Networks

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Frequently Asked Questions WPA2 Vulnerability (KRACK)

A (sample) computerized system for publishing the daily currency exchange rates

BeBanjo Infrastructure and Security Overview

Keep the Door Open for Users and Closed to Hackers

Are You Avoiding These Top 10 File Transfer Risks?

(2½ hours) Total Marks: 75

Security Overview of the BGI Online Platform

COMPUTER PASSWORDS POLICY

Authentication Security

Worksheet - Reading Guide for Keys and Passwords

Product Brief. Circles of Trust.

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

INSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014)

10 FOCUS AREAS FOR BREACH PREVENTION

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Bank Infrastructure - Video - 1

epldt Web Builder Security March 2017

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

6 Vulnerabilities of the Retail Payment Ecosystem

PCI DSS and VNC Connect

Six steps to control the uncontrollable

Microsoft Exam Security fundamentals Version: 9.0 [ Total Questions: 123 ]

cs642 /introduction computer security adam everspaugh

Deprecating the Password: A Progress Report. Dr. Michael B. Jones Identity Standards Architect, Microsoft May 17, 2018

CSE484 Final Study Guide

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Salesforce1 Mobile Security White Paper. Revised: April 2014

CSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018

Holistic Database Security

Recommendations for Device Provisioning Security

Who s Protecting Your Keys? August 2018

Client-Server Architecture PlusUltra beyond the Blockchain

Codebook. Codebook for OS X Introduction and Usage

Remote Desktop Security for the SMB

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Crypto meets Web Security: Certificates and SSL/TLS

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

Securing Internet Communication

Lecture 3 - Passwords and Authentication

Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED

Practical Issues with TLS Client Certificate Authentication

Accessing CharityMaster data from another location

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013


GLOBAL PAYMENTS AND CASH MANAGEMENT. Security

Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4

Security and Privacy

Five steps to securing personal data online Gary Shipsey Managing Director

Client Portal FAQ's. Client Portal FAQ's. Why is the Portal more secure?

Locking down a Hitachi ID Suite server

Transcription:

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA CTO Office www.digi.me another Engineering Briefing

digi.me keeping your data secure at all times ALL YOUR DATA IN ONE PLACE TO SHARE WITH PEOPLE WHO YOU CHOOSE SECURELY HELD IN YOUR OWN ONLINE STORE SO NO-ONE CAN RUN AWAY WITH IT

Introducing the digi.me technology Digi.me applications run on your mobile and desktop computers to let you see and use all your online data. The app has a secure connection to a Cloud service that fetches all your online data and moves it into you personal online storage. The app does everything for you and the digi.me company never sees, touches or holds your data. We empower you to hold it and use it yourself. online services your app collects data from APPLICATION digi.me applications run on your device and securely asks the cloud to fetch your data from all your online services and save it in your personal online storage service THE CLOUD cloud computing power that fetches all your online data for you CLOUD STORAGE digi.me apps ask the Cloud to fetch your data and store it here in your cloud files, like Dropbox, OneDrive and Google Drive (whichever you choose)

Design System security architecture The overall solution has been designed to ensure all your data is never passed from one place to another in plain-text, it is always encrypted to a high standard. Data is only stored in your storage areas, there is no digi.me storage. All data stored is encrypted Secure connection Secure connection Secure connection CLOUD PROCESSING digi.me cloud processing is created on demand and can only be initiated via a request from an authenticated user APPLICATION digi.me applications authenticate their user with a long high-entropy password and unlock the credentials stored securely on the device to request external services CLOUD STORAGE You select your own cloud storage and all data held is encrypted and moved on demand to applications and cloud processing in encrypted form

Risk the things we design our products against The attacks on our security will come from people who have the skills, the motivation and resources required to break many security systems, so we design and build our systems to withstand them. Skilled We assume all hackers we need to worry about are skilled and aware of the latest security vulnerabilities and attacks occurring in the global market. Motivated We expect any hacker to be persistent and motivated sufficiently to stretch our security designs and implementations to the limit. Resourced We design and build all our systems to withstand the considerable onslaught possible with modern attacks by people with significant resources available. Encryption of files and secret keys It is essential to use high quality encryption methods to secure data, but to also make sure that there are no shortcuts and weaknesses in the methods chosen. Security of data in flight When our apps share data over the internet they always use SSL, the padlock connection class you know from your browser. We configure it to only use the highest security settings. Designed for the onslaught Modern cloud systems like the ones our app uses, are not just cracked via security breaches, they can be attacked by floods of fake traffic and exploratory connections looking for chinks in their armour. We design and build against all these.

Passwords great passwords are a key to security 60 Seconds Typical time to hack any file encrypted with simple PINS Weeks/Months Typical time for well resourced hacker to break a single file encrypted with digi.me long word passwords LOCKED AWAY ENTER PASSWORD 1 2 3 4 MONKEY PERISCOPE Whenever you run your digi.me app you want all your data to be available. Since your digi.me app stores it for you securely in your cloud you must supply your secret password to unlock the data The secret of good security is good password choice, so it s important you choose a good password that is also easy to remember If you choose simple 4-digit passwords then the effort a good hacker will require to crack the encrypted files in your cloud storage will be measured in seconds, it really is not very secure We allow you to create memorable passwords that have many letters in them and we use cryptographic algorithms that are proven to generate encryption keys that take months or years to crack

Encryption our apps protect your files Secure Storage When you use digi.me apps all your data is securely held on the cloud storage service of your choice, whether it is DropBox, Google Drive, Microsoft OneDrive (or other secure storage services we will add over time) Unique Keys All the files our software imports from your online data services are stored securely. They are encrypted with a set of keys and ciphers that come from international banking standards Key Manager When your digi.me app accesses your files in your cloud storage it is able to decrypt them because your secret keys are secured on your mobile device. It does this by holding them in a protected vault on your mobile that is secured by the digi.me password that only you know

Add a Data Source your data secured on your storage Select a Service When you use our apps you have the choice to select which sources of data you would like your personal digi.me app to collect and manage for you Make Request Your app makes a request to your online service so that you can log-in to it and confirm we are allowed to collect the data from it for you Request Approval Your app then connects to your favourite online cloud storage library to safely save all your data for you. Its in your storage not ours, because we don t have any Security Profile Your Facebook account allows you to approve apps like digi.me to access it remotely. It issues a special security token that only your digi.me app can use each time it wants to access your social data

Getting DataSets all files are encrypted with a unique key Store as Social data Posts Comments LIBRARY SOCIAL MEDIA : FACEBOOK Your digi.me data is securely held in your own cloud storage service in encrypted files, each with a completely unique key. This means that anyone who ever breaks one key, only ever gets one file. Which means it is extremely hard for anyone to attack and unlock all your data. The Twitter key only fits the twitter file The Facebook key only fits the Facebook file SOURCE DATA

Secured Library the cloud synchronises all your data ENCRYPTED IN THE CLOUD All your data is fully encrypted in the cloud. Every file has its own key that can only be unlocked with the secret master key that is unlocked by your password PASSWORD IS A KEY When you first open your digi.me app you enter your password to unlock its master encryption key and enable it to then access all the keys it needs to use the storage and synchronisation services UNLOCK YOUR APP The app can then internally gets the file keys it needs to open up the online storage where your files are securely held and ensure your digi.me app can access all the encrypted files

Synchronisation the cloud synchronises all your data all your online services social, health, finance, shopping, entertainment All your data from each service is stored in once place SYNCHRONIZATION SERVICE This is the cloud service your digi.me app runs for you. It never looks at your data or stores any data about you. Its only job is to run a synchronisation of your data in your online services with all the files you store CLOUD STORAGE SERVICE This is the storage service you have chosen to hold all your data securely. It is read by your digi.me apps to provide all the services you need and love

Encrypted all files are viewed after being decrypted with their unique key Extracting Encrypted Data Your digi.me files are securely held in your own cloud storage service and all files are encrypted and decrypted, each with a completely unique key MONKEY PERISCOPE ACCESS LIBRARY ACCESS DATA VIEW DATA Your digi.me app must be running and you must have logged in to unlock the encryption keys from the internal storage vault The password unlocks the key to access the pcloud library The password unlocks the key to unlock the key for the documents that hold the data you want The unlocked data is then presented to the application

Secured all apps use doubly secured SSL connections When you log-in to digi.me apps they retrieve all your data from the Cloud Storage using a secure connection and the personal data files are also sent over in a fully encrypted form. We use the industry standard padlock connection called SSL and we additionally apply extremely strict filters to ensure every request that reaches our systems is completely valid and is not the result of attackers guessing or trying to brute force our security. Encrypted Decrypted SSL Connection digi.me app to cloud storage connection is to the industry s highest specification We employ industry leading filters to check every request is completely legitimate We use rate-limiters to prevent exhaustive searches trying to guess passwords Every file your digi.me app reads from the cloud is decrypted once it arrives on your mobile. The app unlocks the encryption keys it needs using your master Password Key the Monkey Periscope Triangle one

Security Model Our Products Must be Proven Our systems are independently tested regularly and monitored continuously for changes and weaknesses THREAT MODEL SECURITY REQUIREMENT We assume all major attack tools and methods will be used, including but not limited to: Man in the middle (MITM), SQL injection and interlocution Certificate forgery and replay attacks Volume (denial of service) attack and brute force/fuzzing attacks Application reverse engineering and corruption Known vulnerability profiling Skilled We assume all hackers we need to worry about are skilled and aware of the latest security vulnerabilities and attacks occurring in the global market. Motivated We expect any hacker to be persistent and motivated sufficiently to stretch our security designs and implementations to the limit. Resourced We design and build all our systems to withstand the considerable onslaught possible with modern attacks by people with significant resources available. Firewalled All remote access must be via commercial firewall (Checkpoint) and integrated threat monitoring and profiling (Splunk) Strict SSL We require all SSL implementations to use Pinned Certificates from trusted root authorities and all HTTPS connections to explicitly control known configuration risks (including ECDH curve selection, header controls and Cypher Suites) Rate Limited We require all API access to data request services to be rate limited to prevent brute force and fuzzing attacks Swagger Definitions We require that all public facing API are protected by strict Swagger definitions that explicitly define valid inputs in full RegEx format. Authentication We require all API access to be via valid user identifiers Encryption We require strong key management RSA- 2048 and strong crypto (AES-256) for file content encryption. This includes any encrypting databases on devices and memory databases in cloud services Crypto code libraries We require all crypto libraries used in implementation to be from proven sources that have been hardened by significant time in pubic use. Crypto verification We require all crypto based code elements to be verified by a full suite of known good and bad content. Deployment verification We require all deployed crypto/security components to be verified live in use via acceptance test AND continuous verification of certificates and open network services

THANKS FOR WATCHING Visit Us www.digi.me

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback