Here security is preprogrammed
26-05-2016 Author: DSwiss
Michael Tschannen is the Chief Technical Officer at SecureSafe. In collaboration with our developer team, he is responsible for our own cloud storage solution as well as eSafe solutions for banks, insurance companies and other large customers.
What are your main tasks as CTO at SecureSafe?
As CTO I am the technical manager of the company. My average workday is thus very versatile and my tasks range from project management through the creation of software architectures to resource planning. Most importantly, I rely on a competent team – planning and documentation alone will not bring forward a product or IT solution.
Which phases are normally included in a customer project?
The usual phases are:
- Planning
- Definition of use cases
- Definition of technical implementation (design, architecture, etc.)
- Technical implementation
- Testing and performing checks
- Operation
- Further development
This approach to software development is called “SDLC” (Systems Development Life Cycle) and it always runs in more or less the same way, even if the phases are sometimes called differently. Depending on the project, phases will run in a strict sequence (oftentimes the case in larger companies) or they will overlap. In an agile process, phases increasingly overlap and iterations are shorter, producing a more constant output. This approach is also known as Agile Development. It always starts with a basic idea and makes use of short feedback cycles.
How do collaborations with banks work?
Unlike companies from many other fields of business, banks have a strong affinity to confidentiality, integrity and accessibility of their systems and data. Furthermore, the banks – in particular the Swiss ones – are heavily regulated and hence they have highly controlled process systems. Nevertheless, banks have proved themselves to be among the few traditional service companies capable of achieving a digital in the past years. Through this edge they’ve become an important partner with whom it’s possible to have a very interesting exchange.
What about SMEs?
One of the biggest differences between SMEs and large companies is their IT budgets: SMEs must sometimes make do with very little money and partially with restricted know-how. Still, it remains important that a minimal level of protection is achieved for a system, even with a reduced budget. This for example includes Patch Management, staff training and special protection for the most important data. More important, however, is the awareness that not only large companies are at risk – small companies can also become the victims of an attack. Furthermore, SMEs should strive to collaborate with competent and trustworthy partners in order to ensure heightened security. This will help them save money in the long run because doing everything yourself is rarely cost-efficient.
What challenges do you see for the future?
One of the biggest challenges is the ever-growing tendency to network. Here, it’s important not to forget security. As a basic rule: All devices that can be accessed through a network can also be attacked. This may sound trivial, but it can have fatal consequences: imagine that an attacker could shut down an ECG in a hospital from anywhere in the world – this could have deadly consequences.
Moreover, costs will remain a future challenge. Security is often seen as an obstacle and as too expensive. I do understand this viewpoint, seeing how the Return on Investment for the development of security is hard to quantify. Security oftentimes doesn’t bring companies direct financial profit and so the value can be hard to prove before a security breach happens… The general rule is that once an attack has happened to you, it will be very expensive indeed.
Which is the most problematic assumption with regards to cloud security according to you?
«No one is interested in my data anyways», is my personal favourite. That is simply wrong: information – of any kind really – is worth a lot of money and this fact is exploited by attackers as well as so-called “free providers”. Every person and every company is ultimately interesting. Not least because a person has been one of the most popular gateways to social engineering attacks since the 80s. Precisely because of this, I advise everyone to think twice about which data he provides to which service provider. This not only includes personal data but also company data.
The online storage from SecureSafe has a very complex security architecture: How is a zero knowledge environment created and can one prove it to work?
Contrary to many other cloud services, we do not make any money with the data of our customers – we simply do not have access to these. All stored information is encrypted with a complex crypto architecture, which is built up with a tree-like structure. At the very top – that is, at the entry level – you have the password of the user. Without this password, all the keys cannot be unlocked and hence they cannot be decrypted. Since we do not know customer passwords, we have no access to the data, even as the cloud provider. We have been completely transparent about this approach and published it publicly. We have also had the service repeatedly checked by externals. I am still convinced that this is the only correct approach to offering a cloud service – we ultimately want to protect our customers, not to exploit them.
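
To make the password-rooted key tree described in the last answer concrete, here is a generic sketch added as an illustration; it is not SecureSafe's code or published design. The three-level layout (password, account key, per-file key), the choice of scrypt and AES-256-GCM, and all function names are assumptions.

```javascript
// Added illustration of a password-rooted key tree; all names and algorithm choices are assumptions.
const nodeCrypto = require('node:crypto');

// Wrap (encrypt) a child key or file content under a parent key with AES-256-GCM.
function wrap(parentKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', parentKey, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Unwrap; throws if the parent key is wrong or the blob was modified.
function unwrap(parentKey, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', parentKey, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Root of the tree: a key derived from the password on the client, never sent to the provider.
function rootKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Client side: build the tree password -> account key -> per-file key -> file content.
function createVault(password, files) {
  const salt = nodeCrypto.randomBytes(16);
  const accountKey = nodeCrypto.randomBytes(32);
  const vault = { salt, wrappedAccountKey: wrap(rootKey(password, salt), accountKey), files: {} };
  for (const [name, content] of Object.entries(files)) {
    const fileKey = nodeCrypto.randomBytes(32);
    vault.files[name] = { wrappedKey: wrap(accountKey, fileKey), data: wrap(fileKey, Buffer.from(content)) };
  }
  return vault; // all the provider stores: a salt plus wrapped keys and ciphertexts
}

// Client side: walk the tree from the password down to one file.
function readFile(vault, password, name) {
  const accountKey = unwrap(rootKey(password, vault.salt), vault.wrappedAccountKey);
  const fileKey = unwrap(accountKey, vault.files[name].wrappedKey);
  return unwrap(fileKey, vault.files[name].data).toString();
}

// Returns true if the password unlocks the top of the tree, false otherwise.
function canOpen(vault, password) {
  try { unwrap(rootKey(password, vault.salt), vault.wrappedAccountKey); return true; }
  catch { return false; }
}
```

In a layout like this, a password change only requires re-wrapping the account key; the file keys and file ciphertexts stay untouched.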