
Vendors must clarify how they’re protecting passwords and data, says Keeper CTO

People might now be wondering about the protection on offer from secure vaults and password management providers after the LastPass data breaches, according to Craig Lurey, chief technology officer (CTO) and co-founder at Keeper Security.

Whether stored vault information remains protected in the event of a breach depends on several factors, which vendors should make clearer to customers, Lurey suggested in a blog post.

“Customers rightly want to understand our protections, in the event that a breach does occur,” he wrote.

At Keeper Security, the key points are rigorous master-password management and enforcement policies, strengthened by the way hybrid login environments and key-derivation iteration counts are managed.

“For customers who use a master password to log in, a strong and unique master password is critical, along with the enforcement of 1,000,000 PBKDF2 iterations,” Lurey wrote.

“Keeper administrators can easily enforce master password complexity rules on end-users and iterations in role-based enforcement policies.”
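What a role-based enforcement policy and the key derivation behind it look like in practice, as an added example in Go that is not Keeper's code: the pbkdf2 function follows RFC 8018 section 5.2, the Policy type with its length and character-class thresholds, the constructed salt and the sample password are assumptions for this example, and only the 1,000,000 iteration figure comes from the article.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"unicode"
)

// pbkdf2 derives dkLen bytes from password and salt with HMAC over the given hash
// and the given iteration count, following RFC 8018 section 5.2.
func pbkdf2(h func() hash.Hash, password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	blocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	var ctr [4]byte
	for i := 1; i <= blocks; i++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i starts as U_1
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k] // T_i = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// RecommendedIterations is the PBKDF2 iteration count quoted in the article.
const RecommendedIterations = 1_000_000

// Policy stands in for a role-based enforcement policy. The length and character-class
// thresholds are assumptions for this example, not Keeper's defaults.
type Policy struct {
	MinIterations int
	MinLength     int
	RequireMixed  bool // at least one upper-case, one lower-case and one digit
}

var DefaultPolicy = Policy{MinIterations: RecommendedIterations, MinLength: 12, RequireMixed: true}

// Check rejects a master password or iteration count that falls below the policy.
func (p Policy) Check(masterPassword string, iterations int) error {
	if iterations < p.MinIterations {
		return fmt.Errorf("iteration count %d is below the policy minimum of %d", iterations, p.MinIterations)
	}
	if n := len([]rune(masterPassword)); n < p.MinLength {
		return fmt.Errorf("master password length %d is below the policy minimum of %d", n, p.MinLength)
	}
	if p.RequireMixed {
		var upper, lower, digit bool
		for _, r := range masterPassword {
			upper = upper || unicode.IsUpper(r)
			lower = lower || unicode.IsLower(r)
			digit = digit || unicode.IsDigit(r)
		}
		if !(upper && lower && digit) {
			return errors.New("master password must mix upper-case, lower-case and digit characters")
		}
	}
	return nil
}

// DeriveVaultKey enforces the policy and then derives a 256-bit key with PBKDF2-HMAC-SHA256.
func DeriveVaultKey(masterPassword string, salt []byte, iterations int, policy Policy) ([]byte, error) {
	if err := policy.Check(masterPassword, iterations); err != nil {
		return nil, err
	}
	return pbkdf2(sha256.New, []byte(masterPassword), salt, iterations, 32), nil
}

func main() {
	salt := []byte("constructed-salt-value") // constructed; a real client uses a random per-user salt
	for _, iters := range []int{100_000, RecommendedIterations} {
		key, err := DeriveVaultKey("Correct-Horse-7", salt, iters, DefaultPolicy)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%d iterations -> key prefix %s\n", iters, hex.EncodeToString(key[:8]))
	}
}
```

The design point is that the iteration count is paid once per login by the legitimate user but once per guess by anyone working from stolen ciphertext, so a role that is allowed to fall below the minimum silently weakens every vault in that role; Check therefore refuses to derive rather than deriving a weaker key.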

The company says that, for customers deploying Keeper through a single sign-on (SSO) product such as Azure, Okta, Ping, ADFS or another identity provider, the strength of master password key derivation is not a concern.

Instead, all data encryption uses elliptic curve (EC) keys, and Keeper SSO Connect is “fully documented and patented”.

Keeper Security therefore offers more detail online, linked to within the blog.

“A detailed description and mathematical proof of the strength of vaults encrypted with password-derived keys versus EC keys is described in Keeper’s encryption model documentation,” Lurey added.

“The Bitcoin blockchain uses ECC-256. This creates a de facto $300 billion bounty on the strength of 256-bit elliptic curves.”

Lurey said that enterprises seeking the best possible security in password management might look at offerings like SSO Connect from Keeper, which also offers “seamless integration” with current identity management stacks.

Encryption of all data, in transit and at rest, is also crucial, while customers retain control over their privacy and compliance requirements.

“Customers may host their Keeper tenant in their preferred primary region. Customer data (stored ciphertext) and access to the platform are isolated to the specific region of the customer’s choosing,” explained Lurey.

“All encrypted payloads sent to Keeper servers are wrapped by a 256-bit AES transmission key in addition to Transport Layer Security (TLS), to protect against man-in-the-middle attacks.”

Keys to the cloud – or on-prem

The transmission key is generated on the client device and transferred to the server using ECIES encryption with the server’s EC public key, he said. This layers further encryption on top of the data encryption already applied to the payload, tunnelling directly to Keeper application servers.
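The layering described above, as an added Go example that is not Keeper's code: an ephemeral P-256 ECDH exchange against the server's public key stands in for ECIES, AES-256-GCM does the transmission-key wrapping and the payload sealing, and SHA-256 of the shared secret serves as the KDF. The article names only the primitives, so those choices, the Envelope field names and the constructed payload are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

type Envelope struct {
	EphemeralPub []byte // client's one-time P-256 public key (uncompressed point)
	WrappedKey   []byte // 256-bit transmission key sealed under the ECIES-derived key
	Body         []byte // payload sealed under the transmission key
}

// randomBytes panics if the OS CSPRNG is unavailable: nothing here is safe without it.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-GCM; every key in this file is 32 bytes, so failure is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// gcmSeal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen reverses gcmSeal; the GCM tag makes any in-transit tampering fail here.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ClientSeal takes a payload that is already ciphertext under the vault key, seals it
// with a fresh transmission key, and wraps that key to the server's EC public key.
func ClientSeal(serverPub *ecdh.PublicKey, payload []byte) (*Envelope, error) {
	transmissionKey := randomBytes(32)
	body := gcmSeal(transmissionKey, payload)
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // one-time key pair: the ECIES step
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	wrapKey := sha256.Sum256(shared) // assumption: plain SHA-256 as KDF; standard ECIES uses X9.63 KDF or HKDF
	wrapped := gcmSeal(wrapKey[:], transmissionKey)
	return &Envelope{EphemeralPub: eph.PublicKey().Bytes(), WrappedKey: wrapped, Body: body}, nil
}

// ServerOpen recovers the transmission key with the server's private key and unwraps
// the body. The result is still vault-key ciphertext: the server never sees plaintext.
func ServerOpen(serverPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub) // rejects off-curve points
	if err != nil {
		return nil, err
	}
	shared, err := serverPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	wrapKey := sha256.Sum256(shared)
	transmissionKey, err := gcmOpen(wrapKey[:], env.WrappedKey)
	if err != nil || len(transmissionKey) != 32 {
		return nil, errors.New("transmission key unwrap failed")
	}
	return gcmOpen(transmissionKey, env.Body)
}

func main() {
	serverPriv, _ := ecdh.P256().GenerateKey(rand.Reader) // server's long-term EC key pair
	env, _ := ClientSeal(serverPriv.PublicKey(), []byte("constructed: vault-key ciphertext"))
	env.Body[0] ^= 1 // simulate corruption in transit; ServerOpen must now fail
	fmt.Println(ServerOpen(serverPriv, env))
}
```

Two properties are worth checking against such a design: the server only ever recovers the transmission key and, behind it, bytes that are still encrypted with the vault key, and every layer is authenticated, so a modified body, a wrapped key addressed to a different server key, or a malformed ephemeral point all fail before anything is processed.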

Keeper has created an advanced cloud authentication and network communications model built for the highest levels of privacy, security and trust, he maintained. The company holds long-standing SOC 2 and ISO 27001 certifications, and its solutions are also PCI DSS certified.

The vendor also performs quarterly application penetration testing of all its products and systems with the likes of NCC Group and Cybertest, including red-team style pen tests of internal and externally-exposed systems with full source code access.

“Keeper has also partnered with Bugcrowd to manage its bug bounty and vulnerability disclosure program (VDP),” Lurey said.

Anyone with questions is invited to email [email protected] for further information, he said.

(Photo by Jason D on Unsplash)
