Bill Hackenberger (VP of Engineering at Vormetric) and Steve Pate (CTO at Vormetric) quit the company in 2009 and have now started…an encryption company. Steve Pate also claims to have been a founder of HyTrust, which could explain why they have named their new company High Cloud.
They are offering “early access to a Beta version of our solution” (early Beta = Alpha?) so they are far from ready for prime-time, but they appear to be in the right mindset and offer a variation of proxy architecture, similar to HyTrust. Here is a diagram presented by the CTO in 2008 that has a dedicated/physical key management server.
They list the capabilities that auditors have been asking for from cloud providers for years…the following functionality, for example, maps to some of the old text of PCI DSS compliance requirements.
- Selected elements of the VM are encrypted.
- VMs are encrypted in storage, in transit, and in backups.
- VMs are protected in the data center, outside when run on a remote server, or in the Cloud.
- Keys are not visible to anyone.
- Separation of duties guarantees that no single person can cause catastrophic damage.
- Key rotation to satisfy regulatory bodies is performed automatically without the need to shut down the VM.
Although I have to say, the line “keys are not visible to anyone” is poorly written and suggests vaporware. I would have expected better given how long the founders have been in the industry and the text provided by regulatory bodies. Here are the PCI DSS Requirement 3.5 testing procedures, for reference.
- 3.5.1 Examine user access lists to verify that access to keys is restricted to the fewest number of custodians necessary.
- 3.5.2.a Examine system configuration files to verify that keys are stored in encrypted format and that key-encrypting keys are stored separately from data-encrypting keys.
- 3.5.2.b Identify key storage locations to verify that keys are stored in the fewest possible locations and forms.
The regulations will specify need-to-know, not invisible to anyone. I also noted a mistake in reference to the ISO requirements. It’s still early so maybe these issues will be worked out by the time they have a non-early Beta available.
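To make the need-to-know point concrete, here is an added example (not from High Cloud or from PCI DSS itself) that checks a key inventory against the three testing procedures quoted above. The inventory, its field names and storage URIs, and the custodian and location thresholds are all constructed assumptions.

```python
"""Audit a key inventory against the PCI DSS 3.5 testing procedures quoted above."""

# Constructed sample inventory; field names and URIs are assumptions for this example.
INVENTORY = [
    {"id": "kek-01", "type": "KEK", "locations": ["hsm://kms-a"],
     "wrapped_by": None, "custodians": ["alice", "bob"]},
    {"id": "dek-vm1", "type": "DEK", "locations": ["san://vol1"],
     "wrapped_by": "kek-01", "custodians": ["alice"]},
    {"id": "dek-vm2", "type": "DEK", "locations": ["hsm://kms-a"],
     "wrapped_by": "kek-01", "custodians": ["alice"]},
    {"id": "dek-vm3", "type": "DEK", "locations": ["san://vol2", "nfs://backup"],
     "wrapped_by": None, "custodians": ["alice", "bob", "carol"]},
]


def audit(inventory, max_custodians=2, max_locations=1):
    """Return sorted (key id, procedure) findings. Both thresholds are
    assumed local policy; PCI DSS gives no numbers."""
    by_id = {k["id"]: k for k in inventory}
    findings = set()
    for key in inventory:
        # 3.5.1: access restricted to the fewest custodians necessary.
        if len(set(key["custodians"])) > max_custodians:
            findings.add((key["id"], "3.5.1"))
        # 3.5.2.b: keys stored in the fewest possible locations.
        if len(set(key["locations"])) > max_locations:
            findings.add((key["id"], "3.5.2.b"))
        if key["type"] != "DEK":
            continue
        # 3.5.2.a: a DEK must be stored wrapped by a known KEK...
        kek = by_id.get(key["wrapped_by"])
        if kek is None or kek["type"] != "KEK":
            findings.add((key["id"], "3.5.2.a"))
        # ...and that KEK must not share a storage location with the DEK.
        elif set(kek["locations"]) & set(key["locations"]):
            findings.add((key["id"], "3.5.2.a"))
    return sorted(findings)


if __name__ == "__main__":
    for key_id, procedure in audit(INVENTORY):
        print(f"{key_id}: fails testing procedure {procedure}")
```

Every key in the inventory has named custodians, which is what an assessor expects to see: restricted access, not keys that are "not visible to anyone".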
Too late. Trend Micro already has a great solution in the market. SecureCloud.
How is that different from saying IBM already had a great solution in the market for PCs?
Everyone knows success is not just based on who is first to market…as proven by America’s long legacy of copying ideas from Europe.
Looks like HighCloud’s product was announced this week and the free version is up for download on their site. http://www.highcloudsecurity.com/blog/highcloud-security-unveils-virtual-machine/