Un(b)locking value in sensitive data
Modern data security is much more than enabling "data at rest encryption" checkbox on AWS S3 or using TLS connection between database and backend. Ten Commandments of Software by the US Department of Defense states that "Data should always be encrypted unless it is part of an active computation", which means that the default state for valuable data should be encrypted, protected from adversaries and insiders alike.
Encryption layer should keep the data usable, products fast & efficient, and the business unblocked. Since 2014 we have been building data security tools and custom solutions from greenfield to "just add encryption".
Typical challenges with data security
//
Developers are not crypto engineers
Many application developers do cryptography wrong: select improper cryptographic primitives, use low entropy secrets, store keys poorly, or even make "home-baked-very-secure" crypto.
//
Key management is hard
Key management flow is more than "how to generate keys and where to store them". It depends on tech stack, product UX, key rotation, revocation and incident response policies, regulations and compliance.
//
Compliance is vague
There is a growing gap between the general compliance demands — which cannot be implemented by a standardised checklist — and the practical implementation efforts. Crypto export regulations and compliance demands are quite far from the capabilities of modern crypto.
//
Attackers are not a myth
Cryptographic Failures is #2 of OWASP Top10 2021. Practical and exploited crypto-related bugs are everywhere: padding oracle, DROWN, CRIME, Lucky Thirteen, ROCA, and many more.
Modern solutions
Novel methods to make crypto more usable
Approaches like searchable encryption (encryption that allows searching for data without decrypting it), homomorphic computations, zero-knowledge proofs, PQC, and so on.
Anonymisation and tokenisation
Combination of encryption and tokenisation gives both flexibility and security, albeit requires certain engineering maturity to support.
Application level encryption
ALE with deep data-flow integration becomes a new norm. Client-side (like in MongoDB) or server-side (like in Acra) encryption allows to encrypt sensitive data before storing in the database.
What we offer
Themis
A cross-platform cryptographic library for mobile, web, and server platforms, which solves 90% of typical data protection use cases that are common for most apps. Themis helps to integrate application level encryption fast and easy.
Read more
Acra
Acra offers a selective and searchable encryption which is easy-to-integrate in already-built infrastructures. Use AcraServer to encrypt database fields “on the fly”, use Acra’s Data firewall and Anomalies Detection to protect against suspicious activity.
Read more
Hermes
A security framework for end-to-end encrypted data flow. Hermes provides cryptographically protected data processing and data collaborating without the need to re-encrypt an excessive amount of data.
Read more
Custom data security engines
Data security is not just encryption: masking, tokenisation, anonymisation, compartmentalisation and segmentation – we suggest the most suitable security engineering techniques aimed at protecting different types of data.
Searchable encryption
Apart from searchable encryption in Acra, we’ve dealt with various searchable encryption schemes from blind indices and bloom filters to homomorphic encryption.
Read more
Multi-layered protections
Cryptography doesn't work alone. Typically, implementing data security requires integration with other security controls: cross-services authentication, API hardening, PKI, access control, audit logging, effective backups.
Security layers for complex use cases
We build data security layers for complicated use cases: encrypted CRDT-based data collaboration, multi-device & multi-user synchronisation, DRM-like protections for TensorFlow ML models, UX-friendly security for apps that work on millions of devices.
SSDLC
We assist your team in setting up and improving the SSDLC process for app development. We help prioritise security features, find appropriate automation tools, and always sync with the latest security guidelines and regulations.
Auditing and reviewing
We perform security audits and design reviews of existing implementations, how your apps protect sensitive data in storage and in transit, perform authentication, protect API, attest devices, and so on.
Have a question? Get a human to answer it!
How we make a difference
Vast experience and expertise
As a cryptographic R&D team, we've built custom data security controls in different contexts, and have vast expertise in understanding practical threat models and failure scenarios, and designing sound security controls against them.
Transparent to you, transparent to users
We build security measures to mitigate core threats of your product, without causing a headache of your developers, without delaying releases' schedule or ruining UX for your users.
Built to last
Our approach is based on backwards compatibility, maintainability and support. You never lose encrypted data because some npm package became outdated.
For innovators, by innovators
We've started Cossack Labs to develop new tools and methods for protecting the data and enabling novel solutions to emerging problems — so that at the edge of your innovation, you’ve already got fitting tools handy.
Contact us
There are many ways we can help: with our products, bespoke solutions, and engineering services. Leave your contact information to connect with our team:
Relevant resources
TLS validation: implement OCSP and CRL verifiers in Go
Most applications use TLS for data-in-transit encryption and every programming language has a TLS support in its ecosystem. TLS was introduced in 1999 based on SSL 3.0. It's quite an old...
Crypto wallets security as seen by security engineers
What can go wrong when you develop a “secure” crypto wallet? How to eliminate typical security mistakes and build a secure app with multilayered data protection against mnemonics leakage...
