Everyone trusts their own software applications because, well - they are ours and we “know” we got them right. The issue is how to make others trust our applications, especially if the sole purpose of those applications is to protect data.
Security validations and how to conduct them is one of the problems with no simple solution. Secure hardware has been the main answer for more than 20 years.
We can make it easier for others to verify quality and security of IT products or applications. We can define a clean application interface (API), separate the critical computer code into smaller modules that are easier to analyse, or show paths of sensitive data.
clean and simple application interface (API)
separate critical functionality into small software modules
define data flows through the product or application
Once we can define a clear interface and physically separate everything inside this boundary, it is possible to limit the scope of analysis of what is happening inside. Whatever happens, the data will remain inside and will not get compromised. This is why use of dedicated security hardware is far superior to software solutions.
The problem is that use of secure hardware involves hardware devices, which someone has to host, manage, replace, … manage. The use of these devices is not for light-hearted either. One has to have an extensive experience to use them correctly. One also has to have a budget to buy or rent them.
The Enigma Bridge technology solves the cost problem. The service is multi-tenancy while still physically separating user secrets. It features a native web service API and an enrolment process that can be fully automated.
Steve Marshall, Former Head of Security Architecture at Barclaycard
While there is no perfect solution for verifying security, the best current benchmark is an independent validation of the quality of a product or application. In terms of security, there are currently two main standards.
Federal Information Processing Standard (FIPS) 140-2 - implemented by National Instituted of Standards and Technology (NIST), a US government agency, to validate security of cryptographic products.
A successful validation results in compliance with:
Level 1 - lowest level of security
Level 2 - shows evidence of tampering (hosting provider detects)
Level 3 - responds to attempts at physical access (users detect)
Level 4 - highest level of security
An international standard, where compliance is demonstrated by national authorities in Canada, US, UK, Germany, and Spain
A successful validation results in an assurance level (EAL):
EAL1, EAL2 - functionally tested, structurally tested
EAL3 - methodically tested and checked
EAL4 - methodically designed, tested, and reviewed
EAL5 - semiformally designed and tested
EAL6 - semiformally verified designed and tested
EAL7 - formally verified designed and tested