What does Cossack Labs do?
Cossack Labs creates data security tools and services for software developers. We provide sophisticated cryptographic defences for modern systems, without sacrificing security or usability. Our core technologies are available as open-source software and we provide separate commercial licensing and support services. We are a privately funded, British company headquartered in London, England. Our R&D team is located in Kyiv, Ukraine.
Why is data security important?
The complexity, extent and pervasiveness of modern software environments present broad attack surfaces and desirable data targets. Reducing the number of attack vectors requires security in both design and implementation, for which the necessary skills are both scarce and costly.
At Cossack Labs, our vision is to improve data security by applying best practice cryptography to specific threat models and making the software that achieves this widely available and easy to use.
Why are you focussing on cryptography for data security?
Because cryptography provides a secure basis for data access control and authentication that obviates many attack vectors. Without access to the relevant cryptographic keys, attacks based on other system vulnerabilities will not expose the secured data.
Why are you building tools for developers?
Because we believe that's the best way to improve data security in the real world.
Cryptography is hard to do right and useless or even dangerous if done wrong. By focussing the efforts of our cryptographers and security engineers on building high-quality, easy-to-use security tools, we believe we enable application-oriented developers to focus on their main goals while being confident that what they are building is secure.
What projects are you currently working on?
Our Themis cryptographic services library was developed to underpin more sophisticated security tools. Themis in turn benefits as our needs for its services clarify and grow.
Built on Themis and focusing on threats associated with typical database and application server configurations, our Acra product is a database protection suite, built for encryption of sensitive data and intrusion detection.
Acra offers a wide range of features for data compartmentalisation and threat detection. In keeping with our aim to reduce the effort and cost of improved data security, Acra is designed to have minimal impact on existing application code, data flows or database schemas. Acra was released in March 2017 and initially supports PostgreSQL databases and typical web application development environments such as Python, Ruby and PHP.
Our Hermes and Toughbase products are designed to further extend the underlying capabilities of Themis to provide end-point protection, fine-grained access control and associated audit data based on public key infrastructures and zero knowledge protocols. Hermes and Toughbase are currently in product development and are designed to realise our goal of providing a sensitive data lifecycle protection infrastructure with a minimal attack surface.
What qualifies you to develop data security tools?
Good question ... and one that anyone working in this area should answer.
In short, our team has extensive experience of designing and developing mission-critical applications. These include cryptographic solutions for mainstream mobile devices, large financial institutions and governmental digital signature and electronic document flow projects.
Specifically, our approach and team members bring together a number of key attributes:
- high-quality formal cryptographic / data security education.
- experience of developing complex cryptographic products certified by governmental security regulators, with a long track record of corresponding security audits.
- experience within governmental regulatory bodies of auditing and certifying cryptographic products.
- previous successful contributions to open source cryptography (GOST3411, DSTU4145 implementations for Bouncy Castle).
- our lead cryptographic designer has previously delivered novel cryptosystems for Android device manufacturers which have undergone significant audits and assessments, both internally and by third-parties.
- our cryptographic design approach is based on best practice: using existing algorithms, combined optimally, to generate novel applications of tried and tested components.
- our management has significant experience in planning and controlling the development of cryptography-related products while maintaining quality and scientific consistency as top product priorities.
Of course, it would be a grave error to think that our work could not benefit from corrections and improvements, which is why we are happy that our code is open and available for audit and validation by the community. We are quietly confident that our knowledge and experience will make the need for corrections rare and their resolution fast.