Patented Security

sealedcloud-neu-logo-a4-mit-hintergrund-2016

On Your Device

Open Source Software

The device software’s source code is available to the public and may be tested for potential weaknesses any time.

Strong User Authentication:

  • Strong password policy & display of password strength
  • 2-Factor authentication with password and SMS pass code
  • Optional iDGARD Login Card
    (Credit card sized TAN generator)

Protection against Producer Cloud

  • Local view of documents in file systems, that are not synchronized with producer clouds (iCloud, Google Share, etc.).

Secured offline availability of files (Smart Caching)

  • Encrypted memory (AES 256) of downloaded files
  • Offline availability only until end of app session. All local data deleted reliably thereafter

Application Security of Browser User Interface

  • No technology that is, per se, vulnerable to XSS or other attacks
  • No technology that might, per se, enable drive-by attacks

Architecture & Software Design

Encryption & Key Distribution

verschluesselung-und-schluesselverteilung

  • A-rated SSL encryption (key length: 2048 bit), for transfer from device to Sealed Cloud
  • Private key for SSL link connection not in the hands of the cloud service provider (import only upon boot by independent party)
  • Accessible via any browser, no additional software necessary
  • Alert of attempted man-in-the-middle attack via app & browser plug-in
  • No system key: each user set is coded with an own key, generated by user name and password. The keys are not stored
  • Individual AES-256 encryption for each respective file & Privacy Box
  • KNone of these keys accessible by the cloud service provider or application
  • Fully new encryption of Privacy Boxes any time these are closed. Result: box link access by service provider staff excluded technically
  • Invitation of new users & box guests per box link and optional box code

Trustworthy Software & Software Integrity

vertrauenswuerdige-software-software-integritaet

  • TPM & HW based chain of trust covering entire software stack
  • Development and deployment process of externally audited software components & versions in creation
  • Centralized software deployment via NetBoot. Only fully signed stacks bootable
  • Classic trusted software development procedures (peer programming, committer model, etc.)
  • Dynamic software component & operation testing methods (currently in development)
  • Methods of improved trustworthy SW development (e.g. automatic code creation) currently being researched (in cooperation with Fraunhofer AISEC, et al.)

Security against Internal & External Spying

Perimeter Security (Protection against External Attacks)

perimeter-sicherheit

  • Security & data protection as per Federal Office for Information Security’s IT Baseline Protection Catalogs applies to service provider Uniscon and Sealed Cloud infrastructure alike
  • Implementation of respective entry, access,  forwarding, input, assignment, availability, and disconnection control measures
  • Implementation of multi-stage, state-of-the-art firewalls (classic, multi-stage ones plus web app firewalls)
  • Application of state-of-the-art intrusion detection & prevention systems
  • Hardened server OSs
  • Physical network disconnection for boots & alerts and traffic
  • Load sharing without encryption scheduling
  • Electro-optical & electromechanical monitoring of all door, floor, wall, and ceiling systems
  • Electromechanical locks that control access pursuant to Sealing Control policy
  • Recording of all administrator & system activity per WORM technology

Data Clean-up (Triggered upon Internal Attack Attempt)

data-clean-up

  • Uncencrypted data processed exclusively data clean-up area (no persisten memory)
  • Sensor alarm triggers logical & physical data clean-up
  • Data clean-up triggered upon both intentional & inadvertent access attempts
  • Prior to clean-up, current user sessions  first migrated to unaffected Sealed Cloud areas and unencrypted data encrypted and stored
  • Affected segment server data then deleted and servers disconnected
  • 15-second server disconnection reliably deletes all unencrypted data, before granting electromechanical doors server access

Sealed Cloud: Fully Integrated Security

sealed-cloudv-ein-vollstaendig-integriertes-sicherheitskonzept

Sealed Cloud is an integrated security concept, that considers all known attack vectors. To date, iDGARD is the only application worldwide, to ensure such comprehensive protection via Sealed Cloud technology.

More on Sealed Cloud (scientific paper)

System Overview & the Audit Role

system-overview-the-audit-role

Sealed Cloud system illustrating the security concept’s three most crucial principles:

  • Key distribution for connections between user and Sealed Cloud and encryption for the database / file system
  • Protection of unencrypted data in the clean-up areas
  • Static & dynamic auditing and certification by external, trusted inspection agencies

More on Sealed Cloud (scientific paper)

Security Benefits Compared to End-to-End Encryption

security-benefits-compared-to-end-to-end-encryption

iDGARD not only protects the content of communications but also their METADATA:

  • No disclosure of who communicated with whom, how long
  • No disclosure of when a communication took place

More on Sealed Cloud (scientific paper)

EP 2389641 & Other Patents: Sealed Cloud

das-patent-ep-2389641-und-andere-die-sealed-cloud

Trust in state-of-the-art security is based on the security concept’s transparency and its implementation. In combination with independent audit reports and respective certification, our patent applications and patents ensure iDGARD users maximum security and its correct implementation.

White Paper

Sealed Cloud – A Novel Approach to Safeguard against Insider AttacksPDF-Download »

External link to www.tuvit.de

iDGARD Certification Pursuant to Trusted Cloud Data Protection Profile

Article »

White Paper

Check List: Introducing a Cloud ServiceArticle »
Find out more:
Part 3: R&D
R&D
Got questions? Contact us!
Contact