1. What happens if an attacker gains access to the master server?
The master server is actually a service that can run inside the main application (e-commerce site, website, etc.) which uses the data from the secure database. If this main application is compromised, an attacker can only see the data being inserted into the database at that time, but cannot gain access to the whole database.
The main advantage is that each storage server from the cluster will return the secret only if the supplied password matches the one associated with the secret data. Each secret needs to have a unique, invariable user-associated password that is not found in the main database (like the CVV2 number, the SSN or the user’s password). When a brute force attack is launched against the storage servers, they will automatically shut down and stop responding (configurable protection parameters are available).
This system is much more secure than just storing the encrypted data in the main database which would give an attacker the opportunity to download the whole database and then either sniff the master password or perform brute force techniques.
The ZenithVault system provides companies the time to mitigate attacks from the main application, without revealing all of the confidential data.
For automatic billing environments, the best practice is to situate the gateway communication module on a different server than the master. If an attacker injects payments on the master server, the module will be able to consult the payment logs, recognize that the incoming payments are fraudulent and shut down its API.
2. How fast is ZenithVault?
The performance is directly related to the number of servers in the cluster and their locations. If the storage nodes are located all over the world, the response time will be slower. Given its architecture, the more servers you have, the faster each of them will deliver the data. However, the hardware is crucial and has a great impact on the whole system. Because of the complex mathematical formulas used to scatter and gather the information, a hardware configuration has to be chosen depending on the traffic and average size of the deposited objects. ZenithVault engineers will help you set up the best configuration to suit your specification.
In real-world situations, even when using globally scattered servers, you will still be able to perform operations on your database in a matter of seconds. None of your users will notice any slowdowns, not even during peak hours.
ZenithVault Freeware is faster than ZenithVault Enterprise since the data splitting process is much easier as it doesn’t offer redundancy.
Speed has a lower priority than security; however, speed is still a crucial element of our product.
You can download the ZenithVault benchmarks here.
3. How reliable is ZenithVault?
We are aware that ZenithVault is going to be used for critical data manipulation and even the smallest failure will potentially create problems and downtime. Therefore, all our product releases have close to 100% code coverage for unit tests. Besides this, we are running the application in simulated production modes to ensure there is no chance of failure.
4. How easy is it to integrate ZenithVault into our existing system? Will my users notice the change?
ZenithVault is completely unnoticeable to your end users because it is simply a secondary data storage platform. It’s similar to adding Memcache into your system.
We provide a set of libraries for the most popular programming languages. If your programming language is not C#, PHP, Python, Java or Ruby, we will develop the libraries for your required programming language, for free.
You will have access to insert, remove and retrieve functions.
Depending on the situation, you might also want to ask users for another invariable password (like CVV2 or SSN), and that will represent the secret’s password.
For example, when a user adds a new credit card into the database, you were previously running a query similar to this:
INSERT INTO `credit_cards` (`nameoncard`, `number`, `expiration`, `CVV2`, `owner_id`)
VALUES ('John Doe', '4123123412341234', '12/20', '123', '111');
Now, with ZenithVault, you would have to run this command:
put($ownerID, $cvv2+$accountpassword, $number+$nameoncard+$expiration)
which would translate into
This is just an example; for the exact parameters and instructions on how to insert binary data/large binary data, please consult our Administrator Guideline. The commands are similar for removing and acquiring data from the database.
It’s very likely that ZenithVault can be integrated into your existing system within a few hours.
5. How much maintenance does ZenithVault require?
ZenithVault requires less maintenance than your existing SQL database. No performance tuning and no periodic maintenance are needed. You only have to read the logs for signs of brute force attacks and perform operating system updates.
6. How much training is required to operate with ZenithVault?
There is no training required; you only need to read the documentation and you are ready to utilize this solution.
We created a simple security system knowing that the more complex a system is, the greater the chance of flaws which could be exploited by hackers.
7. What happens if one or two nodes are breached? Can the attacker use the associated passwords to query the data from the other servers?
The stored passwords are one-way-hashed using SHA256 plus a random string. The storage servers receive the password in clear text during requests, transform it to the hash and compare it with the stored hash. The data an attacker will have access to at that point will be completely useless, especially when the data is also encrypted and sliced using the ZenithSecure algorithm.
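The check described in this answer, combined with the brute force shutdown from question 1, as an added example that is not ZenithVault code. The StorageNode class, its put/get signatures, the max_failures default and the PBKDF2 variant are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def sha256_salted(password: bytes, salt: bytes) -> bytes:
    # The scheme the FAQ describes: one SHA-256 pass over a random string plus the password.
    return hashlib.sha256(salt + password).digest()


def pbkdf2_salted(password: bytes, salt: bytes) -> bytes:
    # Slower alternative (an assumption, not on the page): hashes of short passwords
    # such as a 3-digit CVV2 cost far more to test offline if a node is breached.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


class StorageNode:
    """Hypothetical node: keeps (salt, password hash, share) per secret id."""

    def __init__(self, kdf=sha256_salted, max_failures=5):
        self._kdf = kdf
        self._max_failures = max_failures  # assumed value; the FAQ says "configurable"
        self._failures = 0
        self._records = {}
        self.locked = False

    def put(self, secret_id: str, password: bytes, share: bytes) -> None:
        salt = os.urandom(16)  # fresh random string per secret
        self._records[secret_id] = (salt, self._kdf(password, salt), share)

    def get(self, secret_id: str, password: bytes):
        if self.locked:
            raise RuntimeError("node locked: too many failed requests")
        record = self._records.get(secret_id)
        if record is not None:
            salt, stored, share = record
            # Constant-time comparison of the recomputed hash with the stored one.
            if hmac.compare_digest(stored, self._kdf(password, salt)):
                self._failures = 0
                return share
        self._failures += 1  # consecutive failures across all secrets on this node
        if self._failures >= self._max_failures:
            self.locked = True  # stop responding, as the FAQ describes
        return None
```

Passing kdf=pbkdf2_salted to the constructor switches the node to the slower hash without changing the put/get flow.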
8. How does the data splitting work?
The whole secret data that comes from the system as a serialized variable, a binary, clear text or under any other form, will be split chunk by chunk, encrypted and dispatched to each slave.
For example, you have this secret, “123456789”, that will be stored inside a 4 server ZenithVault database.
The system will split the secret into 9 equal shares (if the chunk size is set to 1 byte) and will send the data to the servers:
Server 1 will take encrypt(1)encrypt(5)encrypt(9)
Server 2 will take encrypt(2)encrypt(6)
Server 3 will take encrypt(3)encrypt(7)
Server 4 will take encrypt(4)encrypt(8)
This way, there are no clues provided that would allow an attacker to re-construct the data based on certain algorithms.
This is just a simplification of the ZenithVault Freeware algorithm.
The ZenithVault Enterprise and SaaS versions utilize much more mathematically complex formulas to scatter the data and provide server redundancy (for example: from N total servers, you can restore the data from any N-X servers, N>=X+2).
The system takes the secret as a whole. That means if it contains a card number, the CVV, name and other fields, the system splits the whole object and scatters it. It does not place entire properties on individual slaves; rather, each slave holds traces of each property.
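The round-robin layout from the “123456789” example, generalized to any chunk size and server count, as an added example that is not ZenithVault code. The function names are assumptions, and the per-chunk encryption step is left out because the page does not specify the cipher.

```python
def scatter(secret: bytes, servers: int, chunk_size: int = 1) -> list[list[bytes]]:
    """Deal fixed-size chunks round-robin: chunk i goes to server i % servers."""
    if servers < 1 or chunk_size < 1:
        raise ValueError("servers and chunk_size must be positive")
    chunks = [secret[i:i + chunk_size] for i in range(0, len(secret), chunk_size)]
    shares = [[] for _ in range(servers)]
    for index, chunk in enumerate(chunks):
        shares[index % servers].append(chunk)
    return shares


def gather(shares: list[list[bytes]]) -> bytes:
    """Rebuild the secret by taking one chunk from each server in turn."""
    out = []
    longest = max((len(share) for share in shares), default=0)
    for round_no in range(longest):
        for share in shares:
            # Later servers may hold one chunk fewer when the split is uneven.
            if round_no < len(share):
                out.append(share[round_no])
    return b"".join(out)


def held_indices(server: int, total_chunks: int, servers: int) -> list[int]:
    """Chunk positions stored on one server; without redundancy, losing that
    server loses exactly these positions."""
    return list(range(server, total_chunks, servers))


if __name__ == "__main__":
    shares = scatter(b"123456789", servers=4)  # the FAQ's sample secret
    for number, share in enumerate(shares, start=1):
        print(f"Server {number}: {share}")
    print(gather(shares))
```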
9. What is the minimum number of servers required? How about the maximum?
We recommend you employ at least 3 storage servers for the Freeware version and 5 for the Enterprise version. As you employ more servers, you lower the chances of having them compromised at the same time.
This solution is scalable so we do not impose a limitation on the maximum number of servers. With more servers, speed is the only factor in your decision.
Using a large number of slaves (over 8) will have an impact on the master server’s ability to compute the complicated mathematics behind the ZenithVault scattering algorithm. Although that might work well for secrets under a certain size, the performance will deteriorate as secrets grow or traffic increases.
10. My credit card processor already offers me this service, for free, so why shouldn’t I store credit card details with them instead of using ZenithVault?
Client payment information and details are valuable assets of your business. Leaving them in the hands of a third party provider represents an immediate and immense risk.
Depending on the industry and type of business, there are situations where your merchant account can be terminated for various reasons. Payment gateways go bankrupt or lose their Visa licenses. If these or any other unforeseen circumstances occur, you will no longer be able to bill your users. With ZenithVault, you maintain your client database and can simply switch to a different processor at any time and for any reason. Thus, you benefit from business continuity.
11. ZenithVault is not applicable for every one of my company’s security needs. Can it be adapted to suit my business model; offering simultaneous user authentication, custom payment gateway integration or different data flows?
There are two ways to achieve the result you require:
- Our engineers can custom develop the features you require or
- We can sell you the source code and you can perform the custom development yourself.
12. Are there any “backdoors” that would allow ZenithSecure staff to spy on our data?
ABSOLUTELY NOT! As per the contract we sign, there are no backdoors inside the software.
We also allow your company’s security engineer to inspect our product’s code, thus proving it does not contain hidden features.
13. Can I recover the data from the ZenithVault database in case of necessity or investigation?
The Freeware version stores the data encrypted using the user’s password with a random salt. Even if we combine the parts from all the storage nodes, it would still be infeasible to recover the data.
The Enterprise version stores the data using a different encryption method which allows recurring billing or master-user access without requiring the user’s password. The storage nodes return the data based on the user/secret-set password. A token-based authentication system for a master user, deployed on a custom-made, read-only operating system, will allow retrieval.
14. Regarding server maintenance, do you provide security “best practices”?
Yes. ZenithVault Enterprise customers receive clear instructions. They include: how to completely isolate the storage nodes from the Internet, how to operate the management server, how to perform OS upgrades, etc.
We also provide tailor-made server solutions designed to meet individual client requirements.
The SaaS version is managed 24/7/365 by our security professionals and the storage nodes are dedicated.
15. I am not sure which ZenithVault licensing version I should deploy right now.
Our security consultants are always available to help you decide which version is best for your company’s current situation.
The ZenithVault Freeware version is perfect for data that can only be decrypted upon the secret owner’s password input, so it doesn’t fit automated data access on a one-way basis.
The Enterprise version offers redundancy, greater data transfer security and most importantly, automated data access, without knowing the user’s password. For example, the main system can send out a billing request to the storage nodes and they will forward it to the billing processor.
Upon request, we can also deliver the Freeware data storage method on the Enterprise version.
The SaaS solution requires no maintenance and no server responsibility for our clients.
16. Can I run ZenithVault in the cloud?
You can; however, we do not recommend it.
We strongly recommend that you only deploy it on dedicated machines. In the cloud environment, the cloud root superuser can see the content of all the virtual machines. This constitutes a major security risk.
17. Can I store large binary objects using ZenithVault?
ZenithVault Freeware enables users to insert up to 10MB per entry.
ZenithVault Enterprise and SaaS versions have no size limitations. However, certain limitations might result from a given hardware/software setup.
18. Do you provide 24x7x365 support and emergency intervention?
Yes, we provide security support services for all our clients.
19. Which operating systems are supported?
Windows platforms that can run the latest .NET platform and any JRE compatible operating system can be used in any combination for a full system deployment.
20. Why do you run both Java and C# daemons on the storage nodes?
Because the risk of a breach occurring would be considerably higher if we provided only one platform. The chances of an attacker finding zero-day exploits for both the .NET runtime environment and JRE while having access to the master server are virtually null.
21. We are using state of the art intrusion prevention daemons and we have an SQL proxy with advanced filters plus a heavy logging system. Why do we need ZenithVault?
A classical storage platform, even with security systems, still stores everything in one place. This is why so many large companies have had data breaches costing them time and money. No matter how many security layers they put on these single-location systems, attackers find ways to breach them. Even a security team monitoring everything full time may not know about certain exposures until it is too late. The most important security flaw continues to be the human factor. Many users make mistakes or do not follow security procedures and attackers are resourceful in finding these weaknesses.
ZenithVault is fundamentally different because of data splitting. Your sensitive information is divided and stored securely in more than one location. Even for an administrator, it is almost impossible to merge all the data into one place, from the multiple, geographically distant servers and then re-create it without having the associated passwords.
Companies can create different management staff for each storage node, without them knowing of each other, minimizing the potential for damage from rogue personnel and even social engineering attacks.
22. My company’s system has been breached/hacked; can I transfer data from my old database into ZenithVault?
You can easily import everything using the provided API. That is the only way to insert/receive data from the storage nodes.
23. SSL is man-in-the-middle exploitable. How can ZenithVault defend against this threat/exposure/weakness?
The ZenithVault Enterprise and SaaS solutions use a separate SSL certificate for each slave, making it even harder for a hacker to listen in on all slave connections simultaneously.
Another solution against this threat is that both of these versions of ZenithVault offer elliptic-curve Diffie-Hellman encryption, which is not exploitable.
Depending on your requirements, you can use both classic SSL and elliptic curve Diffie-Hellman encryption for the ZenithVault Enterprise and SaaS versions.