What do Cossack Labs do?
Cossack Labs create data security tools and services for software developers. We provide sophisticated cryptographic defences for modern systems, without sacrificing security or usability. Our core technologies are available as open source software and we provide separate commercial licensing and support services. We are a privately funded, British company headquartered in London, England. Our R&D team is located in Kyiv, Ukraine.
Why is data security important?
The complexity, extent, and pervasiveness of modern software environments present broad attack surfaces and desirable data targets. Reducing the number of attack vectors requires security in both design and implementation, for which the necessary skills are both scarce and costly.
At Cossack Labs, our vision is to improve data security by applying the best practices to specific threat models and making the software that achieves this widely available and easy to use.
Why are you focusing on cryptography for data security?
Cryptography provides a secure basis for data access control and authentication that eliminates many attack vectors. Without access to the relevant cryptographic keys, attacks based on other system vulnerabilities will not expose the secured data.
Why are you building tools for developers?
We believe that it is the best way to improve data security in the real world.
Cryptography is hard to do right and it becomes useless or even dangerous if done incorrectly. We believe that focusing the efforts of our cryptographers and security engineers on building high quality, easy-to-use security tools enables application-oriented developers to focus on their main goals while being confident that what they are building is secure.
What projects are you currently working on?
Our Themis cryptographic services library was developed to underpin more sophisticated security tools. In turn, Themis benefits as our needs for its services clarify and grow.
Built on Themis and focusing on threats associated with typical database and application server configurations, our Acra product is a database protection suite built for encryption of sensitive data and intrusion detection.
Acra offers a wide range of features for data compartmentalisation and threat detection. Consistent with our aim to reduce the effort and cost of enhanced data security, Acra is designed to have minimal impact on the existing application code, data flow, or database schemas. Acra was released in March 2017 and supports PostgreSQL databases and typical web application development environments such as Python, Ruby, and PHP.
Our Hermes and Toughbase products are designed to further extend the underlying capabilities of Themis to provide end-point protection, fine-grained access control, and associated data audit based on public key infrastructures and zero-knowledge protocols. Hermes and Toughbase are currently in product development and are designed to realise our goal of providing a sensitive data lifecycle protection infrastructure with a minimal attack surface.
What qualifies you to develop data security tools?
That's a good question... and one that anyone working in this area should answer.
In short, our team has extensive experience in designing and developing mission-critical applications. These include cryptographic solutions for mainstream mobile devices, large financial institutions, and governmental digital signature and electronic document flow projects.
Specifically, our approach and team members bring together a number of key attributes:
- high-quality formal cryptographic / data security education;
- experience in developing complex cryptographic products certified by governmental security regulators, and a long track record of corresponding security audits;
- experience within governmental regulatory bodies of auditing and certifying cryptographic products;
- previous successful contributions to open source cryptography (GOST3411, DSTU4145 implementations for Bouncy Castle);
- our cryptographic design approach is based on best practices: using the existing algorithms that are optimally combined to generate novel applications of tried and tested components;
- our management has significant experience in planning and controlling the development of cryptography-related products while maintaining quality and scientific consistency as top design priorities.
Of course, it would be a grave error to think that our work could not benefit from corrections and improvements, which is why we are happy that our code is open and available for audit and validation by the community. We are quietly confident that our knowledge and experience will make the need for corrections rare and their resolution fast.