Unbound Security Blog

In today’s age of Cloud and mobile first, creating and maintaining infrastructure manually across hyper scalers and on-premises is no longer sustainable. The ever-increasing business demand to release more frequently further complicates this, with application and infrastructure changes coming in at break-neck speed. Stability

The European Union’s General Data Protection Regulation is the most influential privacy law in the world. It is inspiring privacy laws far beyond Europe. In addition, GDPR is also having a  a global effect on how cryptography is used for data security. What

Decisions have consequences.  Somewhere in my formative years the decision rule that “you are free to make the choice … but not free to choose the consequences” became lodged in my head. Some choices have inconsequential ramifications (e.g., what flavor of ice cream to buy thi

Authentication is hard. Users aren’t great at remembering passwords, and even if they are, hacks and other vulnerabilities can still happen. In recent years, application developers have started to implement additional features like two-factor authentication to help protect user accounts from unauthorized acces

As a technology leader, some of the most important and impactful decisions your organization will rely on you to make concern the security of your organization’s infrastructure and applications. Today’s enterprise systems rely on encryption to protect data. Encryption keys are what al

Telecommuting, working out of coworking spaces, working from home a couple of days a week, and the support of the increasingly international mobile professional were common themes before the pandemic swept across the world in early 2020. The office still held pride of

If you were to look up the term, “developer”, in the Marriam Webster dictionary it says, “a person or company that develops computer software”.  While true, this is a rather simplistic take in today’s world where developers are the very heart of IT.  Today’s

Coupled with the many advantages brought by cloud computing and the growth in digital content, virtualization is critical to any enterprise that is looking to reduce fragmentation and allows IT Managers and CISOs to employ techniques that will ensure policy enablement and the prot

Cloud services enable customers to host servers, data, and run business and productivity applications. Going with the cloud fast tracks time to market, reduces the maintenance burden on overworked IT professionals, and provides access to software stacks that were only viable for very large organizations in the on

The introduction of new norms such as remote work, bring your own device (BYOD), and  the compounding growth in digital cloud-based assets, has further complicated the enterprise space and, consequently, enterprise security. Traditional perimeter security, which tends to focus on safeguards at the entrance of a privately owned network to secure it from hacke

On October 4, 2021, a rather misfortunate event occurred  that nearly stopped the social world from turning.  Well, not really, turning but it did wreak havoc across the social and investment spheres. Facebook and its allied portfolio of services – Instagram, WhatsApp, Messenger, and Oc

For any business that mandates operational agility and the utmost security, adopting Modern IT is a must.  Infrastructures built on modern IT enable organizations to take advantage of innovative new technologies and approaches, that will also enable them to span across geographically distributed on-pre

In today’s digitally driven world, the need for businesses to secure their infrastructure, applications, data, and secrets has become a daunting and necessary task. The ever-changing evolution of cybersecurity threats and the growing need for security knowledge means that many organizations lack the experien

Financial institutions rely on cryptography to meet many compliance goals, including internal control and satisfaction of regulatory mandates. If an institution is meeting a compliance goal, it should be able to persuade a third party, such as an auditor, of that success. If

At first glance, encrypting data at the application level may seem like the best strategy for securing data. It requires you to implement specific data protections within each application rather than simply encrypting all data on a disk, database, or file system. Wouldn�

Is your organization’s access control up to date?  No…wait.  Let’s rephrase that a bit: is your organization prepared to handle what may be the extreme security challenges of the already very unsettled and uncertain 2020s? Not the Same Old Security Landscape The major securi

Moving to the cloud usually brings several advantages, such as flexibility, scalability, and cost-effectiveness. However, it also results in multiple security challenges – the main one being how the cryptographic keys are managed between existing infrastructure and cross cloud(s). To address these challenges, two

The level of security provided by a cryptographic system mainly depends on the cryptographic algorithms put in place and the keys used to encrypt the data. However, the former is less of a concern as almost every other enterprise uses secure algorithms such as AES and RSA to protect data, and thes

Our recent blog on the best practices for code signing illustrates the evident tradeoff between security and functionality amongst the different approaches most commonly used by organizations. However, with the ever growing need to defend against software supply chain attacks, security leaders should consider advancing their security strategy to include a solution that coexists with their existing cryptographic infrastructure and mitigates

Smart Cards have been in use for decades, and they have been a reliable means of providing authentication in organizations for a long time. Normally, these cards are used as a form of two-factor authentication. The cards store a user’s cryptographic key and other

In today’s modern IT environments, code is distributed in a variety of forms. From standard software packages for Linux, Windows, MacOS and Java, to mobile apps, firmware, virtual machines, containers, and it’s even embedded in Microsoft office documents.  What are the existing approaches for verifying that the deployed code is legitimate so that threats such as supply chain attacks can be mitigated?�

With the exponential growth in digitized content and the need to encrypt everywhere, authenticate anywhere – a cloud shift is top of mind for any organizations.  For SLED accounts however, they are met with the resistance of legacy processes and purchasing behaviors that limit an

Tokenization and encryption are the main technologies used to secure sensitive data such as credit card numbers. These two security standards are used to secure sensitive data that can be used to prevent financial fraud. Beyond that, they help satisfy the regulatory requirements such as those under PCI DSS, GLBA, HIPAA-HITE

Financial institutions are subject to legal, operational, and accounting mandates that the institutions perform as intended. Increasingly, those mandates are met through competent management of cryptographic keys and resources. But competent cryptographic management requires agile solutions that enforce policy, stay ahead of new at

The importance of encryption and tokenization technologies rose to new heights during Covid-19 due to the uptake of remote collaboration tools while employees worked from home. Along with a widespread increase in reports of cyber-attacks since the pandemic began, Zoom landed themselves in hot water last year when it reve

When an autonomous car has to decide to swerve left or right to avoid hitting a pedestrian, milliseconds separate life and death.  When data captured in remote locations—an oil rig, an outback mining operation, a satellite—needs to be processed, bandwidth matters.  System architects have several deployment op

The United States and the European Union are at an impasse over the transfer of private EU data to the United States for processing. This conflict may often be resolved with advanced technology.  Political Differences Caused the Rift  The clash between the EU and t

Many businesses, organizations, and government agencies were already deep into digital transformation efforts before the health pandemic of 2020 hit, forcing an even more rapid pivot to online ordering, remote education, home delivery, and remote and distributed work models. Business processes that were being tr

Organizations today have put in place several cybersecurity technologies that aim to protect the organization from outside threats. However, cybercriminals over the past few years have been using sophisticated attacks that counter incident responses. These attacks are mainly aimed at supply chains, and they don’t on

With the continuation of WFH initiatives and the increase in digital content, businesses everywhere are more empowered than ever about migrating their business operations to the cloud. This is majorly due to the fast-paced growth of digitization, virtualization, and mobile technology, as they provide b

Maju Sama-Sama is Google Indonesia’s motto, and it means “advancing forward together”— a statement heard broad and wide when announced by Google in June of 2020.  The commitment made to Indonesian developers and enterprises by Google is highlighted across the mainstream media outlets. 

Cloud services have reformatted how organizations deliver IT, pushing the on-premisess model out of favor for many. With no more server farms to provision nor data centers to build, organizations of all sizes and types can rapidly acquire and deploy software capabilities to all employees wher

Cryptography, in its simplest definition, generates code that allows data to be kept secret. And at the core of cryptographic operations is the creation of a key that is used to encrypt and decrypt that data. The challenge of both generating cryptographic algorithms and p

A common challenge application architects and developers face is the need to encrypt application data. As more attacks penetrate secure networks, we see that the standard perimeter and network protection is no longer sufficient. Today, the common recommendation is to encrypt the data

Multi-factor authentication has become a crucial layer of security in today’s increasingly unsecure world. However, while organizations can use several methods to set up two-factor authentication, SMS OTP (one-time password) seems the de-facto standard. This verification method works by sending an SMS wi

Are you one of the many enterprises that is facing difficulty with keeping your data on the cloud – or on multiple clouds? You’re not alone.  With the new push to all things digital and need to support an enterprise that is mostly WF

Identity is a foundational aspect of security. If we don’t know who is asking for a service, we can’t know whether or not they are authorized to access it. For this reason, humans need to authenticate before accessing anything. As humans, we are

Cloud computing has arguably been the biggest tech innovation of the past two decades. Clouds have enabled disparate teams to collaborate on projects; have enabled both consumers and businesses alike to pare down their hardware; and have characterized an evolving culture of work-from-anywhere. It

If there’s a term often heard at our Unbound office corridors and many a Zoom meeting, it’s FIPS 140-2. Never heard of FIPS? Then be warned. I am going to take you down a decades-long journey. What is FIPS and Who is it

If there is one constant in the tech news, it is the reality of the varied sorts of individuals and countries who are all trying to steal the most valuable data generated and used by enterprises. When you think about the many defense-in-depth security a

In an interview on 60 minutes on April 11, 2021, the Federal Reserve Chairman Jerome Powell stated cyberattacks as the major risk to our economy today. In answer to a question about the probability that a crash like 2008 will happen again now, Powell

The importance of cryptographic key management and protection is well known. All of cryptography relies on secrets and keys, and these need to be managed as well as kept out of the hands of attackers. Due to this, solutions for key management and protec

It’s an interesting time in the world today.  We were plagued by many distractions over the past year; COVID-19, a shifting political climate, and a long-awaited demand for equitable sociocultural enhancements. Now, my statement does not mean that I see these things as true dist

It is with great pleasure that we announce the Unbound CORE platform, our next generation solution offering that delivers comprehensive cryptography orchestration for enterprises. This new offering marks a major shift in our approach as a company and how we support the evolution of cryp

Encryption has evolved significantly since the first signs of it in 1900 BCE. The one unifying trend? The need to keep secrets, as can be seen in how encryption has evolved over the years. If we go back in time, it is clear that e

Cybersecurity professionals not only have to worry about the increase in security breaches and attacks that have dominated the news in recent weeks; they must also contend with the persistent feeling of not doing enough, risking too much, and overall cyber burnout. When

When my co-founders, Prof. Nigel Smart and Guy Peer, first founded Unbound and our cryptography orchestration platform that enables organizations to protect and manage keys of any type in any environment, it was a result of years of research on secure multiparty computation

Mimecast reported yesterday (January 12, 2021) that attackers had compromised a certificate used to authenticate some Mimecast services to Microsoft 365 Exchange. They haven’t released many details, but it seems that the private key used to authenticate Mimecast products to Microsoft 365 was br

On January 5, 2021, several US government agencies formally blamed a nation-state entity named “Cozy Bear” – widely thought to be of Russian origin – for infiltrating at least 18,000 US-based private networks and government agencies. The attack resulted in the distribution of malwa

Researchers from three universities in Europe (Austria, Germany, and the UK) have recently published a new attack on Intel chips, called PLATYPUS. Not to be confused with the well-known monotreme, this PLATYPUS is a new side-channel attack that is worth taking note of. In this blog pos

As our digital footprint continues to grow even more rapidly by the expanding remote work world, more and more enterprises have shifted their focus to the cloud. For those with heavy investments in on-premise infrastructure, hardware security modules (HSMs), or even apps partial

As we head towards the start of a new year and begin our planning cycles, we do this with renewed confidence in our leadership in cryptographic solutions. I am pleased to announce that we have just closed a Series B investment led by Evoluti

There are very few scenarios where security is more important than cryptocurrency in the world of digital assets. If the key protecting a digital asset is compromised, then it’s game over. At the same time, trading digital assets will only enter the mainstream wh

The setting of multiparty computation (MPC) is one where a number of distinct, yet connected, computing devices (or parties) wish to carry out a joint computation of some function while preserving certain security properties in the face of adversarial behavior. The basic idea

Cryptography forms the basis of much of our digital infrastructure and the services built around that infrastructure. Whether it be about accessing mobile phone networks, our online or ATM accessed bank accounts, paying for something online, or the task of passing through automated passpor

In security, a “root of trust” is an element that can be trusted and then used to ensure that the entire system is secure. In cryptography, it can be used to mean many things, but the most basic root of trust is that cryptogra

When you think “authentication,” what comes to mind? For most security professionals, authentication = passwords, and the many security issues which passwords have created over the years when verifying identity. Password-driven security has always incurred a bad reputation. This is primarily due to

Let’s play out a scenario: you’re a mid-sized organization (or larger) dealing with cryptocurrency and blockchain keys – and you must keep them secure. Your organization has decided not to develop its digital asset security infrastructure internally. The next natural option? Security-as-a-Service vendors

In Bitcoin and other cryptocurrencies, the use of hierarchical deterministic wallets (HD wallets) is a widely accepted practice. Loosely speaking, such wallets work by having a single master key (or master secret) and then deriving all keys from the master key. Types of Deriv

The world is in the grip of a pandemic that has shut down the economies of all countries, imposed restrictions on freedom of movement, and more importantly is leading to the deaths of thousands of people. The problem is that the virus can be c

In April 2020, over 4 billion people are under a form of shelter-in-place or stay-home orders worldwide due to the coronavirus pandemic.[1] With work-from-home as the new normal, videoconferencing application Zoom has become the preferred platform – experiencing a spike from an aver

Secure multiparty computation, otherwise known as MPC, has been studied in academia for decades, taking it from theory to a practical technology. As a result, it is now being used commercially to solve different privacy and security problems. In this blog, we will describe what multiparty computation is and what security proble

Scenario: You’re a CISO looking to secure your financial services organization’s digital assets — and secure them effectively and efficiently for the long term. The risks: Cryptocurrency breaches and hacks, a history of rogue insiders pilfering funds in your industry, and customer trust

This is the eighth and last blog in a series aimed at explaining the growing use of MPC and threshold signing to protect cryptocurrencies. In the previous blog posts in this series, I described the use of MPC and threshold signing for protecting cryptocurrenci

If you’re managing a custodian service, you may be feeling a new wave of change starting to impact your business. Long gone are the days of strictly physical asset protection, investment, and transfer; and with blockchain and cryptocurrency adoption on the rise, the latest ad

This is the seventh blog in a series aimed at explaining the growing use of MPC and threshold signing to protect cryptocurrencies. The rest of the blog posts in this series can be found at the end of this article. In the previous b

A new paper by researchers at KeyFactor shows how an extremely high number of RSA keys on the Internet can be completely broken, in a very short time. Out of 75 million RSA certificates scraped from the Internet between 2015 and 2017, a whoppin

In the first five blog posts in this series, I described the use of MPC and threshold signing for protecting cryptocurrencies, along with its main features and properties. In this post, I talk about the importance of proofs of security in this domai

A new attack on SGX, called Plundervolt, works by playing around with the clock speed and voltage to the chip in order to induce an error in the computation that can be used to extract cryptographic secret keys. To an ordinary person, this sounds

When software developers want to sign their code, they need to generate a code signing public/private key pair. They then give the public key and the organization’s identity information to a trustworthy CA. The CA verifies the authenticity of identity information and then i

This is the fifth blog in a series aimed at explaining the growing use of MPC and threshold signing to protect cryptocurrencies. In the first three blog posts in this series (Shamir Secret Sharing and Quorums, Threshold Signature Schemes, Additional Properties of Threshold Signing) I

This is the fourth blog in a series aimed at explaining the growing use of MPC and threshold signing to protect cryptocurrencies. In the first three blog posts in this series (read Shamir Secret Sharing and Quorums, Threshold Signature Schemes, and Additional Properties of Threshold

This is the third Cryptocurrency Protection blog in a series aimed at explaining the growing use of MPC and threshold signing to protect cryptocurrencies. In the first two blog posts in this series (Shamir Secret Shaing and Quorums and Threshold Signature Schemes), I describe

As we have seen in previous blog posts, multisig and threshold signatures are essentially just different ways of achieving the same goal – only an authorized subset, or a quorum of parties can generate a (new) valid signature, and any subset of parties that does not constitute a quorum cannot. However,

This is the second blog in a series aimed at explaining the growing use of multiparty computation (MPC) and threshold signing to protect cryptocurrencies. In the first blog post in this series, I described why key protection alone is not enough for protecting cryptocurren

Cryptocurrency began as a venture of the anarchist underground. In 2009, Satoshi Nakamoto’s genesis block debuted with text referencing the front page of the Times, and the January 3 headline about bailouts. Crypto arose as the ultimate antithesis of the traditional banking system and

This is the first blog in a series aimed at explaining the growing use of MPC and threshold signing to protect cryptocurrencies. Beyond Key Theft As we all know, one of the primary features of cryptocurrencies and blockchain-based distributed ledgers is that operations are irre

What is MPC? Secure multiparty computation (MPC) is a technology that enables different parties with private inputs to carry out a joint computation on their inputs without revealing them to each other. For example, it is possible for two people to compare thei

Ever wondered how it’s possible to hack a hardware security module (HSM)? ​We recently had the opportunity to chat with Dr. Fotis Loukos, researcher at the Aristotle University of Thessaloniki and Director of Security Architecture at SSL Corp.  We also spoke to him about standardization testing

Digital Asset Custody When it comes to secure custody solutions for cryptocurrency and digital assets, the golden era of hardware is on its way out. On the surface, HSMs remain popular for institutional cryptographic key custody, blockchain or not – and cold wallets reign supreme in crypto-enthusiast culture on Tw

Hardware Security Modules (HSMs) are physical boxes that carry out cryptographic operations, and never reveal the keys inside. They are designed to have very high security, and as such, are used to protect an organization’s most valuable cryptographic keys. Due to their long hist

Gluing the terms software-defined and cryptography together in one phrase may seem counter-intuitive at first. Just like the realm of networking where the software-defined trend first gained momentum, cryptography has firm roots in hardware. To be more specific, purpose-built hardware has been the

It was revealed two weeks ago that hackers had broken into computer giant ASUS’ servers and compromised their code signing keys.  According to Kaspersky Labs, ASUS’ software update system was hacked and used to distribute malware to about 1 million Windows computers. The malware was

Blockchain breaches and cryptocurrency heists continue to change in 2019 – from the exchange hacks we know to a new, scary brand of theft from rogue insiders. The latest victim of the rogue insider trend is Bitthumb, which suffered its third hack in

Hardware Security Modules (HSM) have been the financial sector’s go-to key protection strategy for the past two decades. Multi-Sig has become the default choice for crypto-native institutions that want to secure cryptocurrencies and blockchain transactions. Both are well-known and well-documented – but have many disad

Most exchanges — fiat or cryptocurrency — maintain an operational strategy that involves aggregation of funds from multiple consumers’ accounts into a single higher-level account. In the cryptocurrency space this is known as a ‘co-wallet’ strategy. By means of introduction, the co-wallet strategy ass

Compliance with privacy and security regulations is an essential part of an organization’s operational process. In the financial industry, the decision to use encryption is often mandated by one or more of the regulations that the organization is subject to. Below, we review

Encryption is a crucial component of enterprise security as it keeps data private and secure, provides authentication, and ensures regulatory compliance. The security mechanism does this by ensuring data in transit and storage remains protected even in the event of a breach as perimeter

As of May 25th, the effective date of GDPR inception is just around the corner, we decided to take a closer look at how encryption can be leveraged to achieve GDPR compliance. What is GDPR? The General Data Protection Regulation (GDPR) harmonizes data protec

The recent discovery of Spectre and Meltdown has once again highlighted the fact that we have a huge trust problem in our systems. In an idealized view of the world, software provides isolation between different processes, VMs, and so on, and this isolation c

As many start to realize the damaging potential of a major security breach, different sets of vault-like tools begin to emerge in the Cloud-Native eco-system. Logical vaults, as their physical predecessors, securely store the secrets while within the vault. They encrypt the data