(Source from https://medium.com/cryptyk/data-sovereignty-93356bfda591)
In this article we tackle the concept of achieving complete ownership of your data, or “data sovereignty”. Data must be available online, at all times, and free from threat of loss. It must also be secure from hackers and all viral threats, both known and new. It must also be secure from the companies that store it and any external organization or government. This complex challenge can not be met by existing technologies, and the threats to it are continually evolving.
Cryptyk is a new, single vendor enterprise cloud storage and security platform that uses innovative hybrid blockchain technology to accomplish this seemingly impossible feat for the first time.
Defining the New Holy Grail: Why Data Sovereignty?
By definition, sovereignty implies absolute ownership and autonomy. According to Merriam-Webster, sovereignty is freedom from external control.
Data Sovereignty is achieved when you have complete ownership of your own information and data, free from unwanted access by external actors or the danger of erasure or loss. It is the knowledge that your data is always available to you (24/7 uptime), protected, and you have complete control over access to it from anywhere in the world.
The concept of total data sovereignty may seem desirable to certain individual consumers, but it is absolutely critical for business and enterprise data. This is especially true for organizations that deal with sensitive information such as those in the realms of banking, finance, health, legal and consulting. Furthermore, organizations involved in expensive research or developing unique IP require absolute data sovereignty at all times.
True Data Sovereignty is only achievable on the cloud.
It is well understood that files can be destroyed or damaged if we alone are responsible for their physical storage. The cloud’s purpose was originally a failsafe against hardware failure, accidental erasure, loss or theft.
Today, large cloud storage providers work to provide security and ensure that your data is never damaged or lost. Files are theoretically always accessible, protected and private. Working with files directly on the cloud platforms also comes with the significant value-adds of distributed computing power and organization wide file collaboration. At the same time, it represents a reduction in cost and responsibility for internal IT departments.
The current cloud is not secure
It would seem that data sovereignty has already been achieved by use of existing cloud storage providers. The unfortunate reality is that current cloud solutions and technologies are not secure or reliable enough to fulfill any of those requirements, especially for enterprise clients. The serious vulnerabilities (discussed below) require a completely new technological approach to solve.
Malicious and technical vulnerabilities to Cloud Sovereignty
First, there are the malicious vulnerabilities to cloud storage already well known to most cloud users. Combating these vulnerabilities is the focus of the storage providers’ daily efforts.
External threats and Viral Threats to data
Since the beginning of the internet there have been external threats (hackers and malicious organizations) and viral threats (which include malware). The cloud provides a new, open platform for these threats to target. To be truly secure on the cloud, your data must be protected from being stolen or copied, but also from being corrupted or made inaccessible by something like ransomware. Cloud storage providers do their best to prevent breaches but every week we learn about massive, successful hacks (Equifax, Netflix, Target). Viruses and malware can now propagate on cloud folders and infect entire organizations. As cloud providers can only prevent against identified and catalogued viruses, “zero day” attacks by previously unknown viruses can cause severe damage to organizations before being caught. To achieve true data sovereignty, there must be a passively hack-proof cloud storage solution that is also secure from all known and unknown viruses.
Operational Threats to data access
Less thought about are the threats to cloud storage provider uptime: Is data stored in a way where it is guaranteed to always be up? A DDoS attack occurs when a giant network of infected devices (bot network) floods storage providers with a coordinated attack. The overwhelming traffic prevents users from accessing their data, and hackers can hold entire organizations hostage for hours. More rare, but equally damaging, is when the storage companies themselves experience internal hardware failure. In 2017, human error caused Amazon Web Service’s S3 system to go down for 4 hours. This affected more than 140,000 websites (Slack, Netflix, etc) and cost $150 Million dollars in lost revenue for their clients. Loss of access to data, for any reason at any time represents a threat to data sovereignty.
To address each of these diverse threats requires a revolutionary new storage method, as existing technologies are continuously breached, even for large enterprise clients (Equifax, Target, Netflix, Yahoo). To add to this challenge, there are another set of vulnerabilities to address. These exist outside of the technical battle between the cloud companies and external malicious forces.
Blind Trust is a vulnerability to Cloud Sovereignty
One of the most complicated problems with achieving true sovereignty is that our use of the cloud is predicated on trusting the parties we allow to store, move and access our data. Can users trust the companies and individuals that are granted access to their data?
Storage provider trustworthiness: When using cloud storage providers, we expect them to keep data backed up, secure and maintain access up-time. Another thing we almost unconsciously expect, is that the the providers store our data without compromising our trust. The public’s trust of a cloud storage company is based on good PR, market share and company image. However, it is important to ask the question “Imagine if google/AWS/Box decided to look at your files, how would you stop them or even know there was a breach of trust?” These companies have proven track records of reliability, but true data sovereignty requires a situation free of blind trust.
Government trustworthiness: We also turn a blind eye to the fact that governments that have jurisdiction over cloud storage companies can exert pressure. Imagine if the government demanded your storage provider to share access to your files, or required your internet provider to open a window to your data traffic. The ability to put pressure on a company to reveal customer data for any reason is a threat to sovereignty.
Internal trustworthiness: Finally, can individuals or organizations completely trust the people you give access to all or part of your data? This goes beyond just disloyal employees and includes contractors, external companies, consultants, and even IT administers.
Achieving security independent of blind trust in an organization or government is an entirely separate obstacle to data sovereignty. This challenge is one of the key obstacles preventing all enterprise from utilizing the cloud.
Cryptyk’s Hybrid Blockchain solution achieves true data sovereignty
Cryptyk was created to achieve the goal of true data sovereignty for it’s users. It is the first single vendor platform to offer enterprise quality cloud storage with a full integrated security suite. Cryptyk’s hybrid blockchain technology is built by integrating two separate, decentralized platforms: VAULT and SENTRY. Together, these platforms create a passively secure, “safe to hack”, architecture with guaranteed uptime. The concept is simple:
Cryptyk VAULT is a decentralized cloud storage platform. Files stored with vault are encrypted once, then split into five separate pieces (using intelligent randomization). Each piece gets a full, second encryption, and is then stored on five of the major independent cloud storage providers or nodes — Google, Amazon, IBM, Rackspace and Box. Only a user with specific keys, which are stored offline, can assemble the pieces correctly and undo the double decryption.
VAULT’s role in achieving Sovereignty is:
Each storage node is only storing a twice encrypted shard of a file, with no way of identifying what it is or where the other pieces are.
Backups of each shard are created using erasure coding and distributed amongst the different nodes. Thus, even if a whole node is compromised, files can be pieced together using backups to fill in missing pieces.
The file shards and shard back ups can only be found, decrypted and assembled by someone with the keys used to encrypt and split them.
Cryptyk SENTRY is a robust decentralized security platform that seamlessly protects VAULT. At its core, it is a secure portal that uses blockchain technology to control permissions and record all user activity and access to VAULT’s files and data. SENTRY is not just a blockchain, it is a full security suite with a wide array of features.
SENTRY’s role in achieving Sovereignty:
File access permissions are granular, controlled and immutable.
All file access and user activity is permanently recorded on the immutable (unchangeable, trusted) blockchain ledger.
The blockchain’s perfect record of all access allows real time auditing of all activity by AI and administrators.
With a perfect ledger of all activity, (including that of administrators), real time proof of security can be checked and suspicious activity or behavior is picked up by AI who learn what normal operation looks like.
Another function of SENTRY is to act as a secure portal to interact with your data. Popular software (Excel, Word, Asana) will plug directly into SENTRY’s API so data is manipulated without leaving the platform, and never stored vulnerably on a local hardware devices.
Only users control the keys to their data
The keys required to reach VAULT through SENTRY are stored offline, on fingerprinted hardware devices and physical backups. Cryptyk can keep copies of these keys for failsafe reasons, but all Cryptyk users will have a “zero knowledge” option where they generate and keep the only existing copy of keys. In that situation, even Cryptyk would not be able to locate, assemble or decrypt user data within their storage accounts.
Cryptyk achieves this level of security with less than 200 millisecond access latency, which is comparable to current cloud providers and allows real time file access and collaboration organization wide, anywhere on the globe.
Cryptyk’s hybrid blockchain architecture addresses each of the complex data sovereignty vulnerabilities, malicious, technological and trust:
Cryptyk’s Hybrid Blockchain technology is uniquely proof against the malicious threats:
Hackers can never access usable data
Cryptyk VAULT’s distributed storage technology completely removes the profit from any successful hacks. Each cloud node only has one, twice encrypted piece of every file it stores, with no discernable way to locate the other pieces. Even if a hacker managed the nearly impossible task of compromising every storage node (google, box, IBM, etc) at the exact same time, they would have isolated folders with thousands of file shards without any identifier or relationship. Cryptyk believes breaches are inevitable, and that sovereignty is only achieved when a breach can not compromise your data in any way.
Viruses and Malware are instantly nullified
If a virus gets past Sentry’s robust security features, and makes it onto Vault’s storage nodes, it is also encrypted, randomly split into 5 pieces, and encrypted again. It remains in pieces, effectively frozen until a security sweep discovers it. Even a ‘zero day’ occurrence (previously unknown virus) gets no further than the file it infected. Malicious coding can not spread, copy itself, infect other files in the cloud folders, or open back doors. This is a particularly effective strategy against ransomware, which encrypts entire folders and drives and holds them hostage unless hackers are paid a fee.
All popular, third party enterprise software will plug directly into SENTRY’s API. In this case, all user file interaction will occur in a secure environment, minimizing the opportunity for infection. If there is an infection that begins to spread, say a “zero day” infected file that is downloaded to more than one device, AI monitoring SENTRY’s blockchain can detect suspicious behavior and initiate quarantine procedures while restoring the file from a previously backed up version.
Server uptime is guaranteed
VAULT stores every file in 5 pieces, each randomly distributed to one of the different storage nodes. A security method called erasure coding creates backups of each of the 5 pieces and distributes them among the other 4 nodes. If an entire storage node goes down for any reason (Bot attacks, hardware failures, etc), files on Cryptyk can be seamlessly assembled from those backup shards. Even if two nodes failed simultaneously, Cryptyk users would not notice a change in data accessibility or speed.
Cryptyk removes the reliance on blind trust from storage companies and governments
Even the storage providers are unaware of what files they have
Pieces of files stored with Cryptyk are distributed across massive, enterprise accounts that Cryptyk maintains on the cloud storage nodes. If any of the storage nodes themselves opened up Cryptyk’s folders, they would encounter the same situation hackers do: useless piles of unidentifiable, twice encrypted file shards.
This creates a situation of total security on the storage nodes. Furthermore, Cryptyk can switch between nodes seamlessly if a storage node stops leading a market in uptime or reliability. Cryptyk users will also have a certain amount of selection in which nodes they use (some Cryptyk clients will want to host one or two of the nodes on their internal systems).
The Cryptyk platform itself is immune to external pressure
The popular messenger app Telegram, after closing a $1.7 Billion dollar ICO, chose expulsion from Russia rather than sharing their user data. Data sovereignty can not be reliant on a company making such a consequential decision on behalf of their users.
Facing the same problem hackers and storage nodes would have illicitly accessing your files, a government could not forcibly access any useful data even with a subpoena to Cryptyk or any of the storage providers.
To achieve further sovereignty, the servers that host the Cryptyk platform itself will be distributed internationally. Cryptyk’s platform was designed by a PHD Quantum Physicist, a leading white hat hacker in fintech and the individual who digitized the entire New York Stock Exchange. (Dr. Adam Weigold, Raghu Kotha, and Dennis McMasters respectively). Part of the team’s vision was that no entity or government could compromise the server architecture that ran the Cryptyk platform.
In the end, even if that architecture was breached, with Cryptyk’s “zero knowledge” option there would still be no way to force access to a user’s data without the user’s unique keys.
Cryptyk prevents intercept threats to data in motion
A final requirement for sovereignty is to prevent internet service providers or malicious third parties from compromising Cryptyk user data while it is in motion. SENTRY enforces-end to-end encryption for any devices that access VAULT as well as several other security best practices to act as a secure portal. At no point will Cryptyk’s user data be vulnerable to interception.
NOTE: Cryptyk will meet all Member-country requirements for international use. How one Cryptyk user shares their keys will not affect any of the other users. This makes it the ideal platform for all enterprise, such as American banks that require to certain oversite to be FDIC complaint, or Chinese companies that have to work with party representatives.
Cryptyk has a set of proactive tools against internal threats
Perhaps the most difficult problem to solve concerning data sovereignty is dealing with parties that work with or within an organization. Companies that use cloud technology give varying levels of access to a complicated array of employees, contractors and consultants. Here, Cryptyk SENTRY’s blockchain technology plays the key role.
SENTRY protects access to VAULT files with highly granular permissions that can not be falsified. File access can be restricted by user, but also a variety of advanced features. For example, file use can be restricted by time (business hours), geographic location, or even require several parties to respond to a text message to open the file or share it (2FA).
Most important, the immutable ledger (perfect record) of all activity on SENTRY allows for real time auditing by an AI component. Over time, the AI components will learn what normal file access patterns are, and be able to proactively spot false accounts, unusual behavior or other irregularities. This gives IT departments proactive tools to detect malicious behavior, while also holding the actions of the IT admins accountable.
More than just a blockchain technology, SENTRY acts as a full security suite, at the center of an evolving cyber security ecosystem. Developers will be incentivized to develop the platform’s many security features and innovate new ones. There will also be financial incentive to maintain third party plugins, so eventually all common software will interface directly with SENTRY’s API. With such a robust portal, IT admins will be able to enforce good behavior, end to end, and files will never exist off of Sentry’s secure platform. (Read more about sentry on the Cryptyk white paper).
True Data Sovereignty is solved
Cryptyk’s technology has achieved a unique feat in the history of the internet and cloud storage: Total data sovereignty, with real time access latency. VAULT’s distributed, passively “safe to hack” architecture combined with SENTRY’s blockchain technology ensure that user data can never be revealed or copied, nor damaged, destroyed or held ransom.
This true data sovereignty allows individuals and enterprise clients to securely use the cloud for the first time. For more information please read the Cryptyk white papers, or join our communities.
Click here to join the conversation and get updates directly to your inbox
Discuss and follow
Join our growing community discussion and track updates on our channels.
We aim to grow our community via transparent, grass root movement. Our goal is to be the gold standard in the cyber security world and community. If you believe in our project, and want to get involved spreading the word, check out our bounty program and earn free tokens from pool of 2.5 million CTKs by sharing us on your networks. See the Cryptyk Bounty page for more information