Drastic Measures Not Needed with DRaaS

“We are seeing 100-year hurricane cycles arrive every two years.”

Mike Gault

Perhaps the only thing worse than a disaster happening is seeing it coming and knowing nothing can be done to stop it. Businesses along the northeastern seaboard had several days of warning before Hurricane Sandy struck, certainly not enough time to implement a disaster recovery plan from scratch. Even more painful is the understanding that some disaster recovery plans would not be enough; physical backup systems in separate geographical areas may have still suffered the same losses as the home site due to the size of the storm.

Most disasters come with no warning at all. Explosions, power outages, and simple equipment failure can cause the same damage. Operations are down, customers suffer, and revenues tank. Once business recovers, the harder work of wooing back customers and convincing new ones of the company’s reliability begins.

Simply doubling up infrastructure and creating physical backups is expensive and time-consuming, and it often leads to systems that function inadequately when put into use. Cost cutting means doing without applications and information essential to performance. Lack of testing and differences in tools lead to inefficient work practices during the recovery.

Move into the Cloud

Cloud computing and virtual services eliminate a majority of these concerns. Disaster Recovery as a Service, or DRaaS, is a resource-efficient method of allowing business to continue with little to no interruption. Because everything resides in the cloud, no duplicate infrastructure is needed, testing and upgrades are assured, and no applications or information need be out of commission.

DRaaS is a natural extension of the cloud computing phenomenon. Service providers have hardened their security and created tiered services that fit any budget. Companies are embracing cloud computing for a variety of purposes. The flexibility of such services is a huge driver to adoption since only the services needed are active. The rest can be brought online as desired or shut down during idle time.

IT overhead and infrastructure reductions create cash to fuel growth. Cloud services are the perfect vehicle for the rapidly expanding mobile worker and consumer groups. By taking the time upfront to plan and consider operational requirements, disaster recovery can be the key to successful business recovery.

Service Level Agreement Considerations

The Service Level Agreement (SLA) spells out exactly what will and will not be provided with any cloud service. It is crucial to understand the SLA governing disaster recovery, because a disaster is not the time to discover shortcomings in coverage. Performance and productivity need not suffer if due diligence is taken to make a realistic determination of business continuity needs. Planning wisely also keeps SLA costs to a minimum.

Consider these questions:

  • What applications must be included?
  • What operations are essential for service?
  • What information must be easy to access during this time?
  • How often are testing and upgrades performed?
  • What guarantee of data integrity is offered?

A good service provider will have the experience to help answer these and other questions. They should have an excellent understanding of the extent of disaster recovery needed in a variety of industries. Some providers may even specialize in certain verticals, deepening their ability to determine needs and provide suggestions.

DRaaS Benefits Tower Over Risk

If nothing else, Hurricane Sandy brought home the absolute worst that could happen. Fire, flood, and power failures on such a massive scale are unprecedented but not impossible. Disaster recovery is an essential part of business continuity that must not be put off. The cost of loss far outweighs the cost of DRaaS because, even if such events are rare, all it takes is once. New York Governor Andrew Cuomo said we are seeing 100-year hurricane cycles arrive every two years.

With the knowledge that DRaaS, like all cloud services, is a cost-effective way to relieve the worry of business interruptions, large or small, business owners can put a line through this item on the to-do list. With guarantees of integrity and continuity, resources and energy can be channeled into growing the business and keeping customers happy.

# # #

Mike Gault is CEO of Guardtime, a developer of digital signatures that algorithmically prove the time, origin and integrity of electronic data. He started his career conducting research in Japan on the computer simulation of quantum effect transistors. He then spent 10 years doing quantitative financial modeling and trading financial derivatives at Credit Suisse and Barclays Capital. Mike received a Ph.D. in Electronic Engineering from the University of Wales and an MBA from the Kellogg-HKUST Executive MBA Program in Hong Kong. You can reach him at Mike.Gault@guardtime.com or visit www.guardtime.com.

eSignatures go Keyless in the Cloud

It has been 12 years since the United States passed a law to facilitate the use of electronic records and electronic signatures. Called the Electronic Signatures in Global and National Commerce Act (ESIGN), its general intent in black and white is quoted in the very first section of the legislation; that a contract or signature “may not be denied legal effect, validity, or enforceability solely because it is in electronic form.”

eSignatures save a lot of waste. There is no need to get into a car and drive out of your way just to provide a signature at your attorney’s office or at a bank to settle a mortgage application.

And it’s not too often you hear about a business partnership that seems custom-made for the marriage altar, but these two companies fell for each other at first sight.

One has a mission to ensure the authenticity and integrity of digital data wherever it may reside. The other aims to give legal documents a signing authority.

A Swedish start-up called Scrive offers an eSignature service that can produce electronic documents that are provable until the end of time. Guardtime, with operations in Estonia, Singapore and California, has “Keyless Signature” technology that gives any kind of data proof of origin and proof that not a single bit has changed since a specific point in time.

Both companies share a common vector: securing the long-term independent non-repudiation of signed electronic documents.

Says Lukas Duzcko, CEO of Scrive, “Guardtime Keyless Signature integration is key to making Scrive the only eSignature solution in the world that can provide contracts that are enforceable and independent from the existence of Scrive or any other third party.”

Scrive is using Guardtime’s API to integrate the Keyless Signature service with its e-signing service, so that every PDF generated by the system becomes tamper-evident on its own, independently of Scrive’s platform.

Since Keyless Signatures never expire, the tamper-evidence stays with the signed electronic contract for its entire lifetime.

Case in point is Avanza Bank. When Scrive was asked to produce a bullet-proof e-signing service, the bank asked that many conditions be met:

  • Electronically signed contracts were required to maintain their non-repudiation properties throughout the entire agreement lifecycle, often 10 years or more.
  • The evidence for contract integrity needed to be independently verifiable by Avanza Bank and its customers with no third-party involvement.
  • The service needed to be integrated with the existing e-signing platform and customized for Avanza Bank’s needs in less than one month.

After researching various PKI-based solutions for data integrity for several years, Scrive teamed up with Guardtime as the only option that could fulfill these stringent requirements for Avanza Bank.

“We have experienced an explosive growth in demand for dematerialization solutions all across the globe,” says Mike Gault, Guardtime CEO. “Scrive’s e-signing platform for Avanza Bank is another great example of this trend and we’re happy to be part of it by securing long-term independent non-repudiation for signed electronic documents.”

Data is the new perimeter for cloud security

By Mike Gault, Ph.D.

The cyber security market in 2012 is estimated at $60 billion, yet adding more and more layers of perimeter security may lead to a false sense of security and be completely useless against a determined system administrator working on the inside. The end result is that your data might be secure or it might not – you simply have no way to prove it.

Shawn Henry, FBI veteran of 24 years and now president of CrowdStrike Services had this to say about integrity at the Black Hat conference this year: “These days, you can’t just protect the information from being viewed. You also need to protect it from being changed or modified.”

This leads to the question: Would you know if an attacker or your own system administrator got to your data?

Traditionally, the ‘integrity’ component of the CIA triad of data security [confidentiality, integrity, availability] has focused on protecting the integrity of data. But proving the integrity of data – knowing you have not been compromised – is equally if not more important.

We have been nibbling around the edges of this with checksums and other one-way hash algorithms but have yet to create truly scalable, rock-solid mechanisms to prove integrity.

It’s as though we have taken a car that holds our most precious cargo (our children) and wrapped it with increasing layers of protection but we fail to create a way to monitor the brakes or onboard computers for tampering or other untoward acts.

Data is the new perimeter

Many experts have come to the conclusion that all networks will eventually be compromised, so security should be focused on protecting data and less about the perimeter – i.e., what is required is a data-centric focus on security.

What is needed is an infrastructure that’s designed to deliver digital signatures for data at scale, ensuring that verification of the signatures does not require trusting any single party.

Donald Rumsfeld famously distinguished between known unknowns and unknown unknowns. Digital signatures that are essentially ‘keyless’ have the power to convert one unknown – “Is my security working?” – into a known: “I have proof that my applications and data have not been compromised, and that proof is independent from the people operating those systems.”

So what is a keyless signature? In a nutshell, a keyless signature is a software-generated tag for electronic data that provides proof of signing time, entity, and data integrity. Once the electronic data is tagged, it means that wherever that data goes, anyone can validate when and where that data was tagged and that not a single bit has changed since that point in time. The tag, or signature, never expires and verification relies only on mathematics – no keys, secrets, certificates, or trusted third parties – just math.

And we can all trust math.
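To make the “just math” verification model concrete, here is an added illustration (not Guardtime’s code or the Keyless Signature protocol) of the general hash-tree technique behind the checksums mentioned earlier and the keyless verification described above: many document hashes are aggregated into a Merkle tree whose root is published as a widely witnessed trust anchor, and each document receives a short proof that anyone can check with nothing but SHA-256. The leaf and node prefixes and the sample documents are constructed for this example.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(data: bytes) -> bytes:
    # Constructed convention: prefix separates leaves from interior nodes,
    # so an interior hash can never be passed off as a document hash.
    return sha256(b"\x00" + data)

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)

def build_tree(leaves):
    """Aggregate leaf hashes bottom-up; return (root, all levels)."""
    level = list(leaves)
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                 # odd count: duplicate last node
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels[-1][0], levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root; flag says whether sibling is on the right."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]    # same padding rule as build_tree
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def verify(data: bytes, proof, root: bytes) -> bool:
    """Recompute the path to the root; no keys, certificates or third party needed."""
    h = leaf_hash(data)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root

def demo():
    docs = [b"contract-A.pdf", b"contract-B.pdf", b"contract-C.pdf"]  # constructed sample
    root, levels = build_tree([leaf_hash(d) for d in docs])          # root gets published
    proof = inclusion_proof(levels, 1)                                # proof travels with doc B
    genuine = verify(docs[1], proof, root)
    tampered = verify(b"contract-B.pdf ", proof, root)               # one byte appended
    return genuine, tampered
```

The proof for one document is only a handful of hashes, and a single changed bit anywhere in the document makes verification fail, which is the tamper-evidence property the article describes.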

About the Author
Mike Gault is CEO of Guardtime, a developer of digital signatures that algorithmically prove the time, origin and integrity of electronic data. He started his career conducting research in Japan on the computer simulation of quantum effect transistors. He then spent 10 years doing quantitative financial modeling and trading financial derivatives at Credit Suisse and Barclays Capital. Mike received a Ph.D. in Electronic Engineering from the University of Wales and an MBA from the Kellogg-HKUST Executive MBA Program in Hong Kong. You can reach him at Mike.Gault@guardtime.com or visit http://www.guardtime.com.