Scram Software’s CEO, Linus Chang, came by to introduce his company, discuss the ongoing problem of data breaches, and describe the company’s approach to addressing them and its new products. I’ve spoken with Chang on many other occasions and have always found his straightforward approach to problems in the world of IT pragmatic and useful.

Who is Scram Software?

Scram Software, an Australian company, believes that “The cloud is inherently dangerous. The risks of hacking, intellectual property theft, sabotage, accidental deletion, copyright infringement and personal safety issues (identity theft, stalking) often go unprotected.” It says that its mission is to “secure the world’s data in the cloud.”

The company’s focus is building technology that addresses the following needs: confidentiality and privacy; assuring data integrity and authenticity; making sure that data is available when it is needed; making sure that the data is in a useful format when accessed; and making sure that only authorized individuals are allowed to “control” the data.

To that end, the company is developing and will soon offer the following products:

  • ScramBox supporting encrypted file storage and synchronization
  • ScramFS, a “cloud friendly” cryptographic (that is, encrypted) filesystem
  • ScramGet, a tool that makes it possible for enterprises to download and locally back up their cloud data

Ongoing problem of data breaches

Chang recited a frightening list of recent data breaches, described who has felt the impact, and tried to segment these breaches into addressable categories. Although the list was not comprehensive, Chang mentioned that personal data about a large portion of the population in many countries has been compromised. The list he discussed included the following breaches:

  • Americans — 198 Million (roughly two thirds of the population) individuals’ names, birthdays, addresses, telephone numbers and voter registration data have been compromised
  • Filipinos — 55 Million (roughly half of the population) individuals’ names, addresses, places of birth, height, weight, gender, marital status, parents’ names, email addresses and passport numbers have been compromised. 15.8 Million fingerprint records were stolen as well.
  • South Africans — 30 Million (roughly half of the population) individuals’ names, identity numbers, income, gender, employment history, telephone numbers and home addresses have been compromised.

Chang went on to point out that these represent only the data breaches that have been discovered and have appeared in the media.

I mentioned that I had been notified that a breach of a U.S. governmental system included my personal data as well as my fingerprints. Furthermore, the protection offered to ameliorate the impact of this data breach has been of little value.

Why are data breaches hard to address?

Chang reviewed the recently publicized breaches and placed them in the following categories:

  • Cloud leakage — cloud storage services, such as Amazon’s S3, were improperly secured
  • Hacking — the “door” to cloud data was broken down to access data
  • Physical theft — storage devices or laptops were accidentally left in taxis or on airplanes by employees
  • Malware — customers’ or staff members’ data was stolen by malware
  • “Exfiltration” — former staff members or consultants kept copies of data and this data became available on the Internet

Scram Software believes that this indicates that leaks are often caused by poor data handling procedures, both at the organization that collected the data and at third-party contractors that were given access to it. It also believes that an important factor is that encryption technology was not properly implemented or was improperly used.

Chang also presented a few of the rapidly growing list of government regulations that are meant to address these problems.

After presenting this rather bleak assessment of the situation and the regulatory response, Chang went on to discuss ScramFS, an encrypted file system, and its associated development tool kit and set of application programming interfaces (APIs).

ScramFS

Scram Software’s ScramFS is an encrypted filesystem that can be deployed in the cloud or on local hosts. Unlike some products offered by security software suppliers, Scram sought advice from experts at Monash University, The University of Melbourne and the University of Cincinnati during the development and testing process.

The goal of this technology was to make encryption of data in flight and at rest very easy to use and very effective in deterring data loss. So, the encryption is done on the client system and no plaintext data is sent over the network or stored on the servers. Furthermore, only the enterprise has access to the keys, so they cannot be misused by third parties or by the cloud service providers’ staff.

Chang suggested that all enterprise data repositories should be encrypted and that this can be accomplished without requiring that administrators, developers or users become experts in cryptography.

Snapshot analysis

Although I haven’t personally tested the software, the concept appears sound. The technology would serve to protect data in use, backups, data transfers from system to system and even in migrations from one cloud server provider to another. The enterprise only needs to deploy Considering current events, it is reasonable to ask why so much enterprise data is not encrypted. It may be because encryption technology is complex and enterprise IT departments are already busy addressing other concerns.

Scram Software believes that ScramFS would simplify the use of encryption. All that enterprise administrators, developers and users would need to do is ask applications and databases to use the filesystems provided by the product. Neither the applications nor the database engines need to be modified. The enterprise developers need not develop sophisticated encryption technology in order to use that form of technology to protect enterprise data.

I’m hoping to interview a representative of an enterprise that has adopted these products in the near future.

It appears that enterprise decision makers would be wise to learn more about this technology.