Well-funded startup Ionic Security has launched a data-protection service that guards encrypted documents no matter where they go until access is authorized by its policy engine based in the cloud, making it possible to protect data even if the files that contain it fall into the wrong hands.
Ionic controls access to the keys needed to unlock encrypted documents so only those who are meant to access the data have the ability to decrypt it. In addition, the service sets policies on what can be done with the data once it’s accessed.
The company’s significant offering is that it takes on the entire burden of managing the keys, a huge undertaking that it has automated and that customers don’t have to bother with, says Ionic’s CEO Steve Abbott, who served a stretch as vice president of sales for public-key cryptography firm PGP Corp.
In addition, its policy engine allows controlling who gets the keys and under what circumstances. The keys are kept in the possession of customers, but Ionic’s service takes charge of deciding whether a user’s request for a key to decrypt a document is authorized. If so, the service signals the key server to release the key so the reader can access the plaintext data.
So if documents are stolen, they remain useless because the thief can’t meet the policy requirements to get the key to decrypt them. The service makes it practicable to encrypt every important piece of data generated by a business, Abbott says.
This has been a problem not so much because it’s hard to encrypt but because it’s hard to make it possible for large numbers of authorized parties to decrypt, Abbott says.
Ionic uses symmetric key cryptography and makes it useable at scale across untrusted infrastructures. A system to manage keys used for one-to-many communication is hard, and many-to-many is harder still, Abbott says, but that is what Ionic does. Keys have to be distributed, kept up to date, revoked and redistributed all within a framework so partners trust them, which is a gargantun chore when large volumes of data are encrypted with separate keys.
Ionic’s encryption scheme still calls for an enormous number of keys, managing them is automated and handled entirely by Ionic for its customers, he says.
The company has been pitching its service only to the largest corporations and tailoring it to their needs. Abbot says Ionic has half a dozen Fortune 100 companies signed to three-year contracts, which represents 1.5 million seats. He wouldn’t name any. When the service is generally available it will be sold in one-year contracts, and pricing hasn’t been set, he says.
The platform encrypts content at the time it is created and supports iOS, Android, Mac, Windows and Linux operating systems. Policies set on the encrypted files can control where and when data is accessed and by whom. So a policy could restrict access to a document only to C-level executives who are connected to the Wi-Fi in the executive board room, for example, and only after a certain time on a certain day.
It can further encrypt and set policies on data within files, he says. So if a document contains historical sales data as well as projected sales, a policy could allow the document to be shared with and opened by the entire sales team, but with only sales executives able to read the projections.
The platform keeps logs on who uses what data and can generate reports. So it could be polled to find out which department generates the most data and who’s reading it.
The encryption keys are stored in a server called a key grid on customer premises. The cloud service authenticates users trying to access documents and lets the key grid release the right key to them if they meet all the requirements set by user policy.
The system could be used to help thwart insider threats by tracking, for instance, who accesses documents containing the word “proprietary”.
Customers can set policies on what is encrypted. So a rule could say that when users belonging to an Active Directory group, say Finance, write a document containing the words private or confidential or classified, it gets encrypted. The decryption policy for those documents could be that only people with a confidential rank can see them.
Further, users could highlight different segments of documents in different colors that indicate separate categories of users who would be able to read those sections. So a document about new hires including their salaries could be accessible to board members, and the same document could be accessible to the entire staff but with the salaries redacted because they would not be authorized to get the key for that section of the document.
Key requests come from agents on endpoints and are handled in Ionic’s cloud, which is located in a variety of commercial clouds including Amazon Web Services. If a key is issued to the endpoint from the key server – called the key grid – the document is decrypted on the endpoint.
The service is sold with company-wide licenses to customers for three-year terms. The actual charge can be determined on a per-transaction basis or it can be a flat fee for unlimited transactions.
The company has been in stealth mode since 2011, and has already undergone a name change from Social Fortress to Ionic. Ionic was chosen because in chemistry it represents the strongest type of bond, and the company wanted to express that kind of strength, Abbott says.
Abbott says he was introduced to the company’s founder and CTO Adam Ghetti by Phil Dunkleberger, cofounder of PGP Corp. Abbott says that within three or four minutes he decided to go in with Ghetti. The company has raised $78.1 million from the likes of Kleiner Perkins Caufield & Byers, Meritech Capital Partners and Google Ventures.