You've followed all of the security compliance guidelines, but the auditor still isn't satisfied. How can I be certain, he asks, that no one -- not even IT -- has tampered with this data?
A startup company thinks it may have the answer. Kinamik, a venture capital-backed company out of Barcelona, Spain, next week will open the doors on a third-party technology that collects, aggregates, time-stamps, encrypts, and stores audit-sensitive data as it is created or altered.
Kinamik is a spinoff of Scytel, an international company that offers secure services for electronic voting around the world. While Scytel offers the means to collect, encrypt, and store voting information for world governments, Kinamik is using that same technology to build systems and services for the commercial environment, according to Christophe Primault, managing director for the startup.
"What we're doing is providing audit trails that protect the data from any unauthorized manipulation, including administrative abuses," says Primault. "Companies are doing everything they can, but there is always at least one person who has access to the data and could change it. At the end of the day, there is no way you can legally prove that a piece of data has not been tampered with. But without technology, you can get that proof."
Through a series of APIs, Kinamik interfaces directly with security-sensitive data systems and collects the data as it is created, Primault explains. Kinamik's patent-pending technology then aggregates the data, normalizes it, and certifies it with a time stamp and a digital signature. The system then stores the data on an independent, third-party server, encrypting each entry with a private key.
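The certification step described above (normalize, time-stamp, sign), as an added Go example that is not Kinamik's code: it shows why an edit to a stored entry is detectable when only the independent party holds the signing key. Ed25519, the SHA-256 digest over a JSON encoding, the `Entry` layout and the sample record are assumptions made for the example; the encryption and storage steps are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Entry is one certified record as held by the independent store (hypothetical layout).
type Entry struct {
	Source, Timestamp string
	Fields            map[string]string
	Sig               []byte
}

// normalize lower-cases keys and trims whitespace so equivalent records sign identically.
func normalize(raw map[string]string) map[string]string {
	out := make(map[string]string, len(raw))
	for k, v := range raw {
		out[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	return out
}

// digest hashes everything the signature covers; encoding/json sorts map keys,
// so the encoding is deterministic.
func digest(source, ts string, fields map[string]string) []byte {
	b, _ := json.Marshal([]interface{}{source, ts, fields})
	sum := sha256.Sum256(b)
	return sum[:]
}

// Certify runs on the third-party side, which alone holds priv.
func Certify(priv ed25519.PrivateKey, source string, raw map[string]string, now time.Time) Entry {
	f, ts := normalize(raw), now.UTC().Format(time.RFC3339Nano)
	return Entry{Source: source, Timestamp: ts, Fields: f, Sig: ed25519.Sign(priv, digest(source, ts, f))}
}

// Verify is what an auditor runs with only the public key.
func Verify(pub ed25519.PublicKey, e Entry) bool {
	return ed25519.Verify(pub, digest(e.Source, e.Timestamp, e.Fields), e.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	e := Certify(priv, "payments-db", map[string]string{"User": "alice", "Amount": "100"}, time.Now()) // constructed sample
	fmt.Println("untouched entry verifies:", Verify(pub, e))
	e.Fields["amount"] = "900" // an administrator edits the stored copy
	fmt.Println("edited entry verifies:", Verify(pub, e))
}
```

Because the signature covers the time stamp as well as the fields, backdating an entry fails verification in the same way as changing its contents.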
Because it was designed to certify and encrypt e-voting data, the Kinamik system is capable of collecting very large amounts of data and encrypting them very quickly, Primault says. It can be used to secure and store information that changes frequently, including databases, IT system logs, or any data that might be audited on a regular basis. And since the system operates independently of the corporate infrastructure, it has virtually no impact on performance, Primault says.
Kinamik's first target industry is the online gaming space, where there is a particular need for light-speed third-party auditing of results in order to ensure that players or site operators are not cheating on their results, Primault says. The company has a method to ensure that random-number generators are legit, for example.
But over time, Kinamik will target more mainstream applications, such as financial transactions, database manipulation, and sensitive research and development work, according to Primault. "We see huge potential in [Sarbanes-Oxley] compliance, where companies must be able to meet the demands of an auditor."
Initially, the Kinamik technology will be offered as software, principally for adoption by resellers or vendors, rather than enterprises. But the company is willing to work with enterprises directly, and Kinamik will likely develop a service offering that will allow enterprises to subscribe, Primault says.
There are some other companies that offer encryption and third-party data storage services, such as SurityNet's application service and Oracle's AuditTools. However, many of these services are targeted at a specific vertical industry or a specific technology, Primault observes.
Tim Wilson, Site Editor, Dark Reading