Audience: technical
Security

Web application security is a key business issue and, in some cases, the most significant threat an organization faces. Organizations have more at stake than the intellectual property, customer and client data, and trade secrets housed on internal and external Web applications. A security breach can do tremendous damage to a company's reputation, its brand, and the business itself. As a result, the importance of Web application security keeps growing.

How can I make our Web applications hacker-proof? You have probably heard the phrase "Any computer can be compromised." It accurately reflects the still-unsolved problem of protecting servers and clients against penetration attacks. So, as many people realize too late, "How can I make our Web applications hacker-proof?" is the wrong question.

In our approach, called ZSentry, security does not rest on a fictitious "Fort Knox" that would (vainly) promise to prevent all attacks. Instead, ZSentry removes the target: the service operates without ever storing or exposing users' private data, passwords, or keys, so there is no user data for an attack to recover, anywhere. ZSentry's user data and keys are therefore not exposed to outside or inside attacks, neither on the servers providing the service nor on the user's desktop or laptop client accessing it. Even if an attack does succeed, for example an attacker who physically walks away with any number of servers, no user data is compromised, because none is there to take. The best defense against data theft is to not have the data in the first place.
In IT security terms, ZSentry shifts the information security solution space from the hard, still-unsolved problem of protecting servers and clients against penetration attacks to a connection reliability problem, which is solvable today. ZSentry provides multiple levels of protection. Customer login data and user keys receive unique protection: they are not stored or made available anywhere. ZSentry allows services to operate with the simplicity of conventional password systems but without their security limitations.

ZSentry Desktop enforces unforgeable (cryptographic) authentication of both the user's name and email address. This is functionally comparable to X.509/PKI, without purchasing a CA certificate, and is provided to protect your identity and to help prevent spam (for recipients who use ZSentry). If there is an attempt to breach security somewhere, including at a client, no customer access data or customer data can be recognized or compromised. We call this Software-as-a-Service Sans Target™ (SaaS-ST™).

Even though ZSentry security is automated and requires little to no user intervention, humans should not be required to blindly trust computers. To help allay spoofing and phishing concerns, we find it useful to provide visual clues that humans can easily verify, in addition to the protocols that computers verify. For example, all ZSentry secure pages and messages must begin with https://zsentry.com/, a short, unique name that is easy to verify visually and contains no easily confused characters (compare https://pineapple.com/ with https://pineapp1e.com/, where the letter "l" has been replaced by the digit "1"). The trailing slash is part of the check: it terminates the host name, so an address such as https://zsentry.com.example.net/ does not begin with the required prefix.
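The origin rule above, "must begin with https://zsentry.com/", is something a client or mail filter can also enforce mechanically. The following Python is an added example, not ZSentry's own code: it checks the origin exactly by parsing the URL rather than comparing a string prefix, and flags host names that only pass visually (the pineapple.com / pineapp1e.com pair is the page's illustration; the confusable-character map and the sample links are constructed for the demonstration).

```python
"""Verifying a trusted origin and flagging visual lookalikes.

Added example, not ZSentry's code. The trusted origin https://zsentry.com/
and the pineapple.com / pineapp1e.com pair come from the page; the
confusable-character map and the sample URLs are constructed for the demo.
"""
from urllib.parse import urlsplit

TRUSTED_SCHEME = "https"
TRUSTED_HOST = "zsentry.com"

# Constructed map of visually confusable characters and sequences. Unicode's
# confusables.txt is far larger; this subset is enough to show the idea.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",               # multi-char sequences
    "1": "l", "|": "l", "!": "l", "0": "o", "5": "s", "3": "e", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0443": "y",   # Cyrillic er, es, u
}


def skeleton(name: str) -> str:
    """Collapse a host name to a 'skeleton' where confusable forms coincide."""
    s = name.lower()
    # Replace longer sequences first so 'rn' is handled before single chars.
    for seq in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(seq, CONFUSABLES[seq])
    return s


def is_trusted_origin(url: str) -> bool:
    """Exact origin match: scheme must be https and host exactly zsentry.com.

    Parsing the URL (rather than testing a string prefix) is what makes
    'https://zsentry.com@evil.example/' and 'https://zsentry.com.evil.example/'
    fail: their hosts are not zsentry.com.
    """
    parts = urlsplit(url)
    return parts.scheme == TRUSTED_SCHEME and parts.hostname == TRUSTED_HOST


def is_lookalike(host: str, trusted: str = TRUSTED_HOST) -> bool:
    """True if host is not the trusted host but visually passes for it."""
    host = host.lower()
    if host == trusted:
        return False
    # Punycode labels (xn--) hide non-ASCII letters; for an ASCII trusted
    # name, any such label is treated as a lookalike candidate.
    if any(label.startswith("xn--") for label in host.split(".")):
        return True
    return skeleton(host) == skeleton(trusted)


def classify(url: str) -> str:
    """'trusted', 'lookalike' or 'untrusted' for a link a user was sent."""
    if is_trusted_origin(url):
        return "trusted"
    host = urlsplit(url).hostname
    if host and is_lookalike(host):
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample links, as they might arrive in a phishing mail.
    for link in [
        "https://zsentry.com/login",
        "http://zsentry.com/login",           # wrong scheme
        "https://zsentry.c0m/login",          # digit zero for the letter o
        "https://zsentry.com.evil.example/",  # trusted name as a subdomain
        "https://zsentry.com@evil.example/",  # trusted name in userinfo
        "zsentry.com/login",                  # no scheme at all
    ]:
        print(f"{classify(link):10} {link}")
    # The page's own pair: the digit 1 passing for the letter l.
    print(is_lookalike("pineapp1e.com", "pineapple.com"))
```

The skeleton check is deliberately a supplement: the decisive test is the exact origin comparison, which does not depend on what the name looks like. A human glancing at the address bar gets the visual rule; software gets the parsed-origin rule, and neither one is asked to trust the other blindly.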
ZSentry also avoids the "red flags" inherent to conventional security technologies: the key-escrow weakness of IBE (by design, all user private keys are known to the administration that runs the key generator), the notorious lack of usability of PKI, and the lack of reliable certificate revocation in PGP.
Technical Notes
Titles and product names are trademarks of NMA, Inc. as described in our Legal Statement. We protect Your Privacy.