Last Updated on October 14, 2020
The new Cybersecurity Maturity Model (CMMC) program promises to change the face of cybersecurity globally. But the CMMC program is about certifying compliance—and it’s axiomatic that compliance does not equal security.
What does “real” security look like? And why do today’s security controls so often fail to protect sensitive data?
These topics came up in an episode of The Virtual CISO Podcast featuring Sanjeev Verma. Sanjeev is Chairman and co-founder of PreVeil, a cybersecurity firm with a super robust, CMMC Level 3 compliant email and file sharing solution that works alongside Office 365, G Suite and other cloud-based services that, taken alone, don’t comply with CMMC Level 3. “The basic paradigm for security—why hacks are happening over and over again—is that the old security model is like that of a fort: you build a wall around the information and hope the wall prevents attackers from getting to it,” Sanjeev explains. “But the wall is made of software, and what academics and the NSA recognized was no matter how tall the wall the attacker will get through because software has bugs. Patches keep coming and you’ll always be installing patches.”
Regarding PreVeil, Sanjeev relates, “Our birth was out of MIT and it was all about providing the very best security. … The real reason I want people to love us is because at the end of the day we are radically more secure. … Hands-down better than what Microsoft offers at its highest level of security.”
“That’s how O365 and Gmail work,” Sanjeev notes. “The servers see the information and they try to protect you by building walls around it. But if the attacker gets through to the servers they see the information.”
Sanjeev continues: “The second thing is the information is also protected by this notion called a password. But we all know that they can be easily guessed, we can phish and steal them, etc.”
“Third, who’s guarding the entire system in an enterprise? That’s an admin… But the admin represents a central point of attack. You get to the admin you get the whole candy jar,” Sanjeev observes.
“The basic paradigm for security—why hacks are happening over and over again—is that the old security model is like that of a fort: you build a wall around the information and hope the wall prevents attackers from getting to it,” Sanjeev explains. “But the wall is made of software, and what academics and the NSA recognized was no matter how tall the wall the attacker will get through because software has bugs. Patches keep coming and you’ll always be installing patches.”
How do you get to “real security?” The same way Sanjeev’s team built PreVeil.
“The NSA guidelines and the academics’ model is encrypt everything end-to-end, so it can only be decrypted by the recipient,” asserts Sanjeev. “The server sees only encrypted information. So now, unlike the ‘wall model,’ if the attacker gets to the server all they get is encrypted gibberish and they have no keys to decrypt it—those are only with the recipient.”
In the case of PreVeil, data is stored on AWS GovCloud for CMMC compliance purposes. But because the encryption keys are stored elsewhere, even PreVeil employees have no way to decrypt client data.
“That’s why the NSA, in its recent guidance, basically said, ‘Listen, there’s the pandemic; people are now working from home. We gotta guide government agencies on how to protect information.’ And their first criteria was use services that have end-to-end encryption,” Sanjeev reports.
Regarding passwords, it’s recommended to replace them with an encryption key that enables data access but which cannot be guessed, even by a password cracker attack.
“An encryption key is basically like the number of atoms in the universe … so no amount of compute power can guess that,” emphasizes Sanjeev. “Using that to access data is way more secure than even your biometric fingerprint.”
What about the third weak link, the admin?
“We borrow a concept from the nuclear launch codes,” Sanjeev describes. “If you want to launch a nuke you don’t give one individual the ability to press a button and POW! Several people have to come together to enable that. We do the same thing in PreVeil and it’s a concept called an ‘approval group.’”
With PreVeil’s approval groups, each admin has only part of an encryption key. So if an attacker compromises just one admin, they get nothing. But if data needs to be accessed for eDiscovery or a similar reason, an admin can ask for permission to “put the pieces together” on behalf of the organization.
“When you put these three things together you now have a system where you cannot attack the server, you cannot attack the admin and you cannot compromise passwords to remotely access data—so you provide true security,” Sanjeev recaps. “And that’s where my heart is.”
If your organization needs CMMC Level 3 or NIST 800-171 compliant email and file sharing—or just wants the best security possible for its sensitive data—this episode of The Virtual CISO Podcast featuring Sanjeev Verma is well worth a listen.
You can access the full show with Sanjeev Verma here.
If you don’t use Apple Podcasts, click here.