Recently attended an interesting supplier meeting with an organisational called GuardWare, as part of my engagement with smaller suppliers.
Only an hour or so but initial impressions were that GuardWare are bringing together data labelling, encryption and distributed control capabilities to try and address the ongoing thorny problem of how to securely share information with 3rd parties, while retaining oversight of how that data is handled and protected. Clearly flow down of requirements is the traditional approach, but GuardWare have focused on providing tools and capabilities to help your suppliers comply and support evidence collation and reporting.
It would seem to me that in providing such facilities, organisations and derive a number of benefits including:
– Providing a security baseline that raises confidence across the ecosystem;
– Enabling increased consistency across the supply chain, supporting audit and reporting;
– Making it easy for suppliers to comply with your standards, thus enabling suppliers to keep costs down and minimising risks of barriers to entry for your supply chain.
GuardWare recognise that this especially useful in the context of sharing unstructured data with those Small to Medium Sized Enterprises (SMEs) that form a crucial element to your supply chain and have engineered their solution to reflect this challenge.
Key points I picked up on were that the GuardWare solution:
– Uses strong well established commercial cryptographic algorithms and techniques and blends these to deliver its use cases well.
– Architecture seems well thought out in terms of the use cases they promote.
– Is based on a standard server / agent architecture.
– It’s wintel based as it leverages Microsoft crypto functions and capabilities ( e.g. Microsoft Cryptography Next Generation (CNG) function and DPAPI(NG)) and uses local TPM chips to secure local keymat.
– Policy is specified in a hierarchical way but is enforced locally, which is suited to air-gapped and cross domain capabilities
– It supports split key = shared material can be protected such that any one party can remove access rights to all.
– It supports encryption in an offline mode for a defined period of time.
I felt this was an interesting and well thought out capability to help secure data, at the higher end of commercial good practice. We had some interesting conversations around, cryptographic implementation, key management and rotation and I felt they clearly understand their commercial crypto. Crypto is only as good as its implementation and key management. It may help secure things, but if done badly can lead to a false sense of security, or even worse deny access. Its like ransomware, without the option to pay!
In summary, one for further investigation and tracking!
Usual Disclaimer!. This is my personal opinion and does not necessarily represent the views of my employer!.
Original source: LinkedIn