Archive for 10. April 2009

Certification Certainty

  One of the important differentiators in the INFOSEC market is certification. Certifications don’t, in themselves, make software better; they reduce risk by forcing an independent review of products and technologies.

 We all know, nowadays, with tainted milk from China and poisoned pet food, how important it is to have some controls between you and the lowest-cost manufacturers. A number of security solutions have gone this way, with very little separation between the people creating the solutions that protect us and the people we want to be protected from.

  Call it globalization, call it outsourcing, call me crazy, but just as we are combating botnets and espionage from China, a great number of people are having their security applications written there on the cheap. The wonderful thing about standards like the Federal Information Processing Standards (FIPS), Common Criteria (CC), or even NSA code reviews is that someone is ‘Watching the Watchmen’ (‘quis custodiet ipsos custodes’ for you Watchmen fanatics).

  You would not believe the number of ‘security’ companies that don’t keep up their certifications, even companies that are supposedly ‘industry leaders’. Their FIPS validation has lapsed, they have no Common Criteria certification, or it’s a joke of one (make sure you look at the evaluation assurance level, the Protection Profile claimed, and what the evaluated Target of Evaluation actually covers; a certificate for an older version or for one narrow component says little about the product you are buying).

 So, net net: CAVEAT EMPTOR. There are a number of people out there who would like nothing more than to sell you not-so-protective protection. Check their certifications yourself at www.nist.gov/cmvp (FIPS 140 cryptographic module validation) and www.commoncriteriaportal.org (for Common Criteria). Take note that you can click on a certification and see exactly what the vendor is claiming: in FIPS 140 it’s called the Security Policy (it states the validation level, the cryptographic boundary, the tested operating environments and the approved algorithms); in Common Criteria it’s the Security Target (which defines the Target of Evaluation, the assurance level, and any Protection Profile it claims conformance to). You will find for yourself that it’s often a complete joke.

  The more everyone learns about security, the faster vendors can be made to produce secure software. Perhaps someday it will be CAVEAT VENDITOR, let the vendor beware, and companies will produce secure, independently verified software that truly delivers protection.

The Memo that Encrypted Twenty Million Machines

 You have all heard me speak of the importance of DARTT (Data at Rest Tiger Team) in bringing much-needed standards to the Data at Rest encryption market. Several people have asked me how it all got started. There is an excellent history of DARTT published by David Hollis in this presentation: http://www.infosecaward.com/docs/DARTT_June12_08Briefing_ExecutiveAlliance.ppt - but the initial launch was a result of Office of Management and Budget Memorandum M-06-16, “Protection of Sensitive Agency Information” (June 2006), which said:

 

In an effort to properly safeguard our information assets while using information technology, it is essential for all departments and agencies to know their baseline of activities.

The National Institute of Standards and Technology (NIST) provided a checklist for protection of remote information. (See attachment) The intent of implementing the checklist is to compensate for the lack of physical security controls when information is removed from, or accessed from outside the agency location. In addition to using the NIST checklist, I am recommending all departments and agencies take the following actions:

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;

2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and

4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.

 

The original official memo can be found at:  http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Secure USB Standard coming from Uncle Sam

We have all experienced it: you buy something and it’s not exactly the way it looked on TV. One detail or another was glossed over, forgotten, not taken into account.
Security is often just such a glossed-over factor. What type of encryption? Whose implementation of the cryptography? Has the encryption been independently verified? Does the system provide management? Does the system provide auditing? On and on, 500 opinions; spinmasters unite and argue why their Coke is better than the other guy’s Pepsi. Everyone buys their Super Bowl ad to promote their exploding Pinto, and no one knows what to do in the end.
Luckily for us all, the most interested party in security is setting a comprehensive standard for this. The US Government has established a team of security experts to create the definitive list of what is secure and what is not secure in USB encryption.
The Data-At-Rest Tiger Team (DARTT) has established a panel to review the myriad solutions in this area and separate science fiction from science fact. They have already published ground-breaking requirements for Data-At-Rest encryption of information on hard disks, and they will soon be extending that guidance to USB keys.
You can follow the competition, selection criteria, and winners on the US Federal Government site (link provided because a Google search returns thousands of people claiming to be security technologies): https://www.fbo.gov/index?s=opportunity&mode=form&id=dc9f632a73767835a88495473a1ca2e7&tab=core&_cview=1

They have reviewed all the major technologies in this area and selected a number of technologies that are secure and manageable. My Company, Mobile Armor, was one of them – I’m proud to say (full disclosure given).
If you have any questions about the technology, the DARTT information is a great place to start. They already did their homework and offer it up to you free of charge. You may find it the best guidance on scalable and secure USB and other Data At Rest encryption.

Bryan Glancey
CTO & Co-Founder, Mobile Armor
bryan@mobilearmor.com

Welcome

 Welcome to the Data-at-Rest (DAR) blog. There is no shortage of uninformed opinion on the Internet regarding data security; this blog was formed to separate the snake oil from the science.

  Please feel free to share your experiences as well as questions about cryptography, data encryption, Full Disk Encryption (FDE), File and Folder Encryption (FFE), FIPS, Common Criteria, DARTT, RSM, and any of the myriad surrounding issues.
