Patented Security

On Your Device

Open Source Software

The device software’s source code is available to the public and may be tested for potential weaknesses any time.

Strong User Authentication:

Strong password policy & display of password strength
2-Factor authentication with password and SMS pass code
Optional iDGARD Login Card
(Credit card sized TAN generator)

Protection against Producer Cloud

Local view of documents in file systems, that are not synchronized with producer clouds (iCloud, Google Share, etc.).

Secured offline availability of files (Smart Caching)

Encrypted memory (AES 256) of downloaded files
Offline availability only until end of app session. All local data deleted reliably thereafter

Application Security of Browser User Interface

No technology that is, per se, vulnerable to XSS or other attacks
No technology that might, per se, enable drive-by attacks

Architecture & Software Design

Encryption & Key Distribution

verschluesselung-und-schluesselverteilung

A-rated SSL encryption (key length: 2048 bit), for transfer from device to Sealed Cloud
Private key for SSL link connection not in the hands of the cloud service provider (import only upon boot by independent party)
Accessible via any browser, no additional software necessary
Alert of attempted man-in-the-middle attack via app & browser plug-in
No system key: each user set is coded with an own key, generated by user name and password. The keys are not stored
Individual AES-256 encryption for each respective file & Privacy Box
KNone of these keys accessible by the cloud service provider or application
Fully new encryption of Privacy Boxes any time these are closed. Result: box link access by service provider staff excluded technically
Invitation of new users & box guests per box link and optional box code

Trustworthy Software & Software Integrity

vertrauenswuerdige-software-software-integritaet

TPM & HW based chain of trust covering entire software stack
Development and deployment process of externally audited software components & versions in creation
Centralized software deployment via NetBoot. Only fully signed stacks bootable
Classic trusted software development procedures (peer programming, committer model, etc.)
Dynamic software component & operation testing methods (currently in development)
Methods of improved trustworthy SW development (e.g. automatic code creation) currently being researched (in cooperation with Fraunhofer AISEC, et al.)

Security against Internal & External Spying

Perimeter Security (Protection against External Attacks)

perimeter-sicherheit

Security & data protection as per Federal Office for Information Security’s IT Baseline Protection Catalogs applies to service provider Uniscon and Sealed Cloud infrastructure alike
Implementation of respective entry, access, forwarding, input, assignment, availability, and disconnection control measures
Implementation of multi-stage, state-of-the-art firewalls (classic, multi-stage ones plus web app firewalls)
Application of state-of-the-art intrusion detection & prevention systems
Hardened server OSs
Physical network disconnection for boots & alerts and traffic
Load sharing without encryption scheduling
Electro-optical & electromechanical monitoring of all door, floor, wall, and ceiling systems
Electromechanical locks that control access pursuant to Sealing Control policy
Recording of all administrator & system activity per WORM technology

Data Clean-up (Triggered upon Internal Attack Attempt)

data-clean-up

Uncencrypted data processed exclusively data clean-up area (no persisten memory)
Sensor alarm triggers logical & physical data clean-up
Data clean-up triggered upon both intentional & inadvertent access attempts
Prior to clean-up, current user sessions first migrated to unaffected Sealed Cloud areas and unencrypted data encrypted and stored
Affected segment server data then deleted and servers disconnected
15-second server disconnection reliably deletes all unencrypted data, before granting electromechanical doors server access

Sealed Cloud: A Fully Integrated Security Concept

Sealed Cloud: Fully Integrated Security

sealed-cloudv-ein-vollstaendig-integriertes-sicherheitskonzept

Sealed Cloud is an integrated security concept, that considers all known attack vectors. To date, iDGARD is the only application worldwide, to ensure such comprehensive protection via Sealed Cloud technology.

System Overview & the Role of Audits

System Overview & the Audit Role

system-overview-the-audit-role

Sealed Cloud system illustrating the security concept’s three most crucial principles:

Key distribution for connections between user and Sealed Cloud and encryption for the database / file system
Protection of unencrypted data in the clean-up areas
Static & dynamic auditing and certification by external, trusted inspection agencies

Competitive Security Edge versus End-to-end Encryption

Security Benefits Compared to End-to-End Encryption

security-benefits-compared-to-end-to-end-encryption

iDGARD not only protects the content of communications but also their METADATA:

No disclosure of who communicated with whom, how long
No disclosure of when a communication took place

EP 2389641 & Other Patents - Sealed Cloud

EP 2389641 & Other Patents: Sealed Cloud

das-patent-ep-2389641-und-andere-die-sealed-cloud

Trust in state-of-the-art security is based on the security concept’s transparency and its implementation. In combination with independent audit reports and respective certification, our patent applications and patents ensure iDGARD users maximum security and its correct implementation.

White Paper

Sealed Cloud – A Novel Approach to Safeguard against Insider AttacksPDF-Download »

External link to www.tuvit.de

iDGARD Certification Pursuant to Trusted Cloud Data Protection Profile

Article »

White Paper

Check List: Introducing a Cloud ServiceArticle »