
Vendors must clarify how they’re protecting passwords and data, says Keeper CTO

People might now be wondering about the protection on offer from secure vaults and password management providers after the LastPass data breaches, according to Craig Lurey, chief technology officer (CTO) and co-founder at Keeper Security.

And whether stored vault information stays protected in the event of a data breach can depend on various factors, which should be made clearer to customers, Lurey suggested in this blog post.

“Customers rightly want to understand our protections, in the event that a breach does occur,” he wrote.

At Keeper Security, the key points are rigorous password management and enforcement policies, strengthened by how complex hybridised environments and key-derivation iteration counts are managed.

“For customers who use a master password to log in, a strong and unique master password is critical, along with the enforcement of 1,000,000 PBKDF2 iterations,” Lurey wrote.

“Keeper administrators can easily enforce master password complexity rules on end-users and iterations in role-based enforcement policies.”
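As an added illustration of the two quoted points (a strong master password plus an enforced PBKDF2 iteration floor), the following Go program is not Keeper's code or the article's: it implements PBKDF2-HMAC-SHA256 on the standard library alone and wraps it in the kind of policy check a role-based enforcement rule would apply, refusing to derive a key for any client that asks for fewer iterations than the floor. The 1,000,000 figure comes from the article; the salt, password, 32-byte key length and function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// MinIterations is the policy floor, taken from the 1,000,000 PBKDF2
// iterations the article says Keeper enforces for master-password login.
const MinIterations = 1_000_000

// PBKDF2SHA256 is a from-scratch PBKDF2 (RFC 8018) with HMAC-SHA256 as the
// PRF, written here so the block runs on the Go standard library alone.
func PBKDF2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var blockIndex [4]byte
	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(blockIndex[:], uint32(block))
		prf.Write(blockIndex[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_i = PRF(U_{i-1});  T_block = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveVaultKey applies the enforcement policy before deriving a 256-bit
// vault key: a client asking for fewer iterations than the floor is refused
// rather than silently given a weaker key. The salt is assumed to be a
// per-user random value (hypothetical; the page does not describe Keeper's).
func DeriveVaultKey(masterPassword string, salt []byte, iterations int) ([]byte, error) {
	if iterations < MinIterations {
		return nil, fmt.Errorf("pbkdf2: %d iterations is below the enforced floor of %d", iterations, MinIterations)
	}
	if len(salt) < 16 {
		return nil, errors.New("pbkdf2: salt must be at least 16 bytes")
	}
	return PBKDF2SHA256([]byte(masterPassword), salt, iterations, 32), nil
}

func main() {
	// Constructed inputs; a real client would use a random per-user salt.
	salt := []byte("constructed-16-byte-salt-value!!")
	for _, iters := range []int{100_000, MinIterations} {
		start := time.Now()
		key, err := DeriveVaultKey("correct horse battery staple", salt, iters)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%d iterations -> %s (%v)\n", iters, hex.EncodeToString(key), time.Since(start))
	}
}
```

Running it shows the policy side of the quote: the 100,000-iteration request is rejected outright, and the 1,000,000-iteration derivation takes on the order of a second per attempt, which is the cost an attacker pays for every guess against a stolen ciphertext. The implementation can be checked against the published PBKDF2-HMAC-SHA256 test vectors from RFC 7914.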

The company says that, for customers deploying Keeper through a single sign-on (SSO) product such as Azure, Okta, Ping, ADFS or another identity provider, master password key derivation is not a concern.

Instead, all data encryption uses elliptic curve (EC) keys, with Keeper SSO Connect also being “fully documented and patented”.

Keeper Security therefore offers more detail online, linked to within the blog.

“A detailed description and mathematical proof of the strength of vaults encrypted with password-derived keys versus EC keys is described in Keeper’s encryption model documentation,” Lurey added.

“The Bitcoin blockchain uses ECC-256. This creates a de facto $300 billion bounty on the strength of 256-bit elliptic curves.”

Lurey said that enterprises seeking the best possible security in password management might look at offerings like SSO Connect from Keeper, which also offers “seamless integration” with current identity management stacks.

Encryption of all data, in transit or at rest, is also crucial these days, while retaining control over privacy and compliance requirements.

“Customers may host their Keeper tenant in their preferred primary region. Customer data (stored ciphertext) and access to the platform are isolated to the specific region of the customer’s choosing,” explained Lurey.

“All encrypted payloads sent to Keeper servers are wrapped by a 256-bit AES transmission key in addition to Transport Layer Security (TLS), to protect against man-in-the-middle attacks.”

Keys to the cloud – or on-prem

The transmission key is generated on the client device and transferred to the server using ECIES encryption via the server’s EC public key, layering further encryption on top of the data encryption already packaged into the payload, tunnelling direct to Keeper application servers, he said.
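The layering Lurey describes (data already encrypted in the payload, wrapped again by a client-generated 256-bit AES transmission key that is itself sent to the server under ECIES using the server's EC public key) is shown below as an added Go example. It is not Keeper's code and does not reproduce Keeper's documented wire format: the P-256 curve, AES-256-GCM for both layers, a single SHA-256 over the ECDH secret as the ECIES key derivation, the AAD labels, the `Envelope` struct and all function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is a constructed wire format (not Keeper's documented one): ephemeral
// P-256 public key, transmission key wrapped to the server's EC key, payload.
type Envelope struct {
	EphemeralPub           []byte
	WrappedTransmissionKey []byte
	Payload                []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealGCM encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func SealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenGCM reverses SealGCM; any change to the bytes fails the tag check.
func OpenGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(sealed) < ns { return nil, fmt.Errorf("sealed message too short") }
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// eciesKEK: assumed KDF, SHA-256 over shared secret || ephemeral public key.
func eciesKEK(shared, ephemeralPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephemeralPub)
	return h.Sum(nil)
}

// NewServerKey generates the server's long-term P-256 key pair.
func NewServerKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// ClientSeal layers the encryption: the record is sealed under the client's
// vault data key, that ciphertext is sealed again under a fresh transmission
// key, and the transmission key is wrapped to the server's EC key via ECIES.
func ClientSeal(serverPub *ecdh.PublicKey, dataKey, record []byte) (Envelope, error) {
	inner, err := SealGCM(dataKey, record, []byte("vault-record"))
	if err != nil { return Envelope{}, err }
	transmissionKey := make([]byte, 32) // fresh 256-bit key per message
	if _, err := io.ReadFull(rand.Reader, transmissionKey); err != nil { return Envelope{}, err }
	payload, err := SealGCM(transmissionKey, inner, []byte("transmission"))
	if err != nil { return Envelope{}, err }
	ephemeral, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return Envelope{}, err }
	shared, err := ephemeral.ECDH(serverPub)
	if err != nil { return Envelope{}, err }
	ephemeralPub := ephemeral.PublicKey().Bytes()
	wrapped, err := SealGCM(eciesKEK(shared, ephemeralPub), transmissionKey, ephemeralPub)
	if err != nil { return Envelope{}, err }
	return Envelope{EphemeralPub: ephemeralPub, WrappedTransmissionKey: wrapped, Payload: payload}, nil
}

// ServerOpen strips only the transport layer and returns the record still
// encrypted under the vault data key, which never leaves the client.
func ServerOpen(serverPriv *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephemeralPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil { return nil, err }
	shared, err := serverPriv.ECDH(ephemeralPub)
	if err != nil { return nil, err }
	transmissionKey, err := OpenGCM(eciesKEK(shared, env.EphemeralPub), env.WrappedTransmissionKey, env.EphemeralPub)
	if err != nil { return nil, fmt.Errorf("unwrap transmission key: %w", err) }
	return OpenGCM(transmissionKey, env.Payload, []byte("transmission"))
}

func main() {
	serverKey, _ := NewServerKey()
	dataKey := []byte("constructed-32-byte-client-key!!") // constructed, fixed for the demo
	env, _ := ClientSeal(serverKey.PublicKey(), dataKey, []byte("constructed vault record"))
	stored, err := ServerOpen(serverKey, env)
	fmt.Printf("server recovered %d bytes of still-encrypted record, err=%v\n", len(stored), err)
}
```

The point worth checking is what each party can recover: the server, holding only its EC private key, unwraps the transmission key and gets back ciphertext it cannot read, while a party with the wrong server key, or a modified payload, gets an authentication failure rather than any data. TLS would sit underneath all of this as a third layer.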

Keeper has built an advanced cloud authentication and network communications model designed for the highest levels of privacy, security and trust, he maintained. The company holds long-standing SOC 2 and ISO 27001 certifications, and its solutions are also PCI DSS certified.

The vendor also performs quarterly application penetration testing of all its products and systems with the likes of NCC Group and Cybertest, including red-team style pen tests of internal and externally-exposed systems with full source code access.

“Keeper has also partnered with Bugcrowd to manage its bug bounty and vulnerability disclosure program (VDP),” Lurey said.

Anyone with questions is invited to email [email protected] for further information, he said.

(Photo by Jason D on Unsplash)
