Blog

On blockchain and GDPR As cryptographers who develop data security tools that heavily involve cryptography (surprise surprise), we get asked a lot of questions about “crypto”. Unfortunately, not “cryptozoology”* crypto, but neither it is cryptography. Very often it is about blockchain. More and more tools claim to have “unprecedented levels of security” or “GDPR compliance & security by design” when using security designs based on blockchain and distributed consensus systems.

2018 was as exciting as it was busy — 7 new versions of Acra Open Source accompanied by Acra Live Demo and Acra Engineering Demo, launch of DGAP security consulting and security training services, over a dozen articles in the blog and Medium, a whole new Documentation Server, talks at conferences all over the world, and many more interesting events. Stats According to our GitHub statistics, 2018 resulted in:

We believe that everyone should be able to create secure applications and protect users’ privacy. That’s why our main cryptographic components are open source and developer-friendly. But open-source would be nothing without external contributions and feedback from users. We would like to publicly celebrate our open-source contributors and users who challenged us to make our open-source offerings more robust by asking hard questions, pointing out usability problems and potential usage patterns we were not aware of before.

In our company, we’ve succeeded in clearly articulating the deliverables of our products and consulting projects. Building a network of great partners and delegating the work out of range of our primary competencies to them helps both parties concentrate on what’s we’re best at. However, there are a lot of challenges in building distributing the work between different types of security specialists. Larger part of the market is still struggling to show a viable differentiation for the customer looking to mitigate various infosec-related risks.

Distributed tracing is incredibly helpful during the integration and optimisation of microservice-rich software. Before implementing tracing as a publicly available feature in the latest version of Acra, we did a small research to catch up with current industry standards in tracing protocols and tools. In this article, we’ve decided to explain, why tracing is a very useful thing and how you can benefit from using it in your projects.

The main new features of Acra 0.84.0 are based around the DevOps’ needs – they eliminate the need to have a deep knowledge of secure development and cryptography to protect your data using Acra. Logs, metrics, and full-scale tracing will help during the deployment and usage of Acra. You can export them to your favourite tools (i.e. ELK, Prometheus, Jaeger) and monitor Acra’s load, performance, and behaviour, in real-time. Great things are planned for the next few releases.

As the days were getting shorter, our pull requests were getting longer, and here we are now, proud to present Acra 0.83.0. Its distinctive new feature is the AcraRotate utility, which allows you easily rotate the storage keys on a regular basis or perform an emergency key rotation if you’ve detected (or suspect) a compromise of the client app. SQL filtering got more flexible — the new 6 patterns (including SUBQUERY and LIST_OF_VALUES) allow deep customisation for configuring the accepted queries and blocking malicious requests.

A methodical software developer’s perspective on mapping privacy regulations to changes in the database structure, updates in DevOps practices, backups, and restricted processing. GDPR and software development After 2 years of fearful anticipation, GDPR is finally here, in full effect starting with May 25, 2018. A considerable number of clients who've entrusted their data to our solutions keep asking a lot of questions in one or another way related to GDPR.

Poison Records in Acra Intro When naming our special type of data containers created for raising an alarm within Acra-powered infrastructures, we were sure we’ve seen the term “poison records” used elsewhere in the same context. This particular technique in out of the box solution was first offered by us (if it wasn’t, let us know! We'd like to know more about their backstory :)). In a way, poison records are very much like passive honeypots, but their mechanics of work is completely different.

Summer moves on, Acra improves. This corridor of eclipses and Mercury retrograde gave life to the new version of Acra. Whole lotta updates to the already existing infrastructural elements. What else is new? AcraTranslator, for that matter — a lightweight server that receives AcraStructs stored anywhere and returns the decrypted data. Previously Acra was closely tied to the database infrastructure, but AcraTranslator is a tool that allows storing AcraStructs wherever it is convenient — as cells in a database or as files in a file storage (local or cloud storage, like AWS S3).