Lior Levy

Lior is the Director of Enterprise Solution Architecture at Unbound Tech. Previously the Product Manager at Cyren, and PreSales Training Manager at SafeNet (acquired by Gemalto), Lior has over 12 years of experience developing solutions for security vendors and security system integrators.

Is Crypto being left out of the “Software-Defined” Movement?

The term “Software-defined” might be ubiquitous, but it is far more than a buzzword. It represents one of the largest transformative shifts in how we do infrastructure since the introduction of datacenters. In this era of everything becoming Software-Defined, we’re seeing technologies that were traditionally tied to hardware being released from their hardware restraints. These technologies can now be completely managed in software, giving organizations the scalability, usability, elasticity, and customizability that would have been impossible with dedicated hardware.

The list of “software-defined” technologies is endless: Software-Defined Data Center, Software-Defined Networking, Software-Defined Storage, Software-Defined Memory, and many more.

But there is one player that is conspicuously absent from the list: Crypto.

Why is crypto being left out of the Software-Defined Movement?

Why hasn’t crypto followed the software-defined trend? Crypto has remained steadfastly coupled with hardware because until now (until Unbound) there was no software solution that could give the same level of security that dedicated hardware could. Hardware was required to secure crypto keys because it provides a tamper-resistant environment that can physically protect the keys. In addition, dedicated hardware carrying out crypto operations does not run arbitrary code and is therefore resistant to malware infection. So, while everything else goes “software-defined”, the world of crypto is still stuck with hard tokens, smart cards and HSMs (Hardware Security Modules). These hardware solutions are very secure – BUT they are rigid, inelastic, very hard to scale, expensive to maintain, deploy and provision, and challenging to work with in cloud environments. Using software-only solutions would greatly reduce costs, simplify maintenance and shorten provisioning time, but until now that has only been possible at a significantly lower level of trust.

Previous attempts at pure-software solutions typically failed for one of two reasons:

  • No Clear Guarantee of Security – Traditional software-based solutions for key protection do not provide clear guarantees for the security of the key. Each solution offers a different security level: in the less secure solutions the keys are merely stored on disk and/or in memory, while at the more secure end of the spectrum the keys are protected using obfuscation algorithms and whitebox cryptography techniques. While those methods make accessing the keys somewhat harder for an attacker, their heuristic nature makes it almost impossible to know what level of security such a solution provides, or how to compare two different solutions that use such techniques. In addition, all such methods operate on a “cat and mouse” model: attackers continually break the constructions, after which developers must release a fix for the latest method, and then the attackers break that construction, and so on. Determined attackers break these techniques relatively quickly, and it is very hard to know in advance when such an attack will occur. This endless repetitive process is highly cumbersome, and often requires constant, frequent and unexpected investments in updating, deploying and testing new code to thwart the latest threats.
  • One Solution DOESN’T Fit All – Some pure-software crypto solutions have managed to securely break free from hardware, but in doing so they have also broken free from the global standards, which are critical for the industry and particularly for crypto. They might only support encryption, but not digital signing. Or they may support asymmetric algorithms, but not symmetric algorithms. Or they may only support their own proprietary crypto algorithms, but not standard algorithms. This approach ends up creating usability problems rather than eliminating them.

What does the Future Hold for Software-Defined Crypto?

To see what the future holds for software-defined crypto, we can look to the pioneers leading the software-defined crypto space. Unbound Tech is proud and excited to offer the world’s first Virtual Hardware Security Module (vHSM), which delivers the security guarantees previously only available in hardware, thereby freeing organizations from making a tradeoff between security and usability. Unbound’s vHSM is based on standard usage of cryptography and supplies all the standard crypto APIs. Our key management technology is built for the future – supporting the massive scale, speed and agility requirements fueled by the cloud, mobility, IoT and blockchain revolutions.

Take the next step and learn some more:

See a demo to learn how Unbound’s Key Control (UKC) lets you maintain full control of your private keys in any public cloud environment. Watch On-Demand Webinar >

Learn about Unbound’s software-defined crypto, which gives key protection without compromise. Get the whitepaper >
