Hardsec Could Help Dumb Devices Protect Against Smart Hackers

Protection from smart cybercriminals could come from “dumb” devices. Hardsec, or hardware security, now resonating with some major international financial institutions, could eventually help U.S. community institutions including credit unions.

Hardsec is an emerging security architecture. Instead of central processing units, hardsec uses lower-complexity non-Turing-machine (basic abstract computational devices) digital logic to implement security, avoiding a software weak point.

The more sensitive the data and rigid the regulations that organizations need to navigate, the more eager they are prompted to layer on more sophisticated software to protect it, pointed out technology entrepreneur Henry Harrison, co-founder and chief technology officer of Garrison, one of several U.K.-based companies using hardsec as a basis for its products. “It’s very difficult to protect computers with computers,” Harrison emphasized. “The reason we have a problem is because the fundamental way computers work makes them vulnerable.”

According to Garrison, the flexibility of software running on a CPU has delivered the information revolution of the past decades. But that same flexibility is the Achilles’ heel in today’s IT environment – unfeasibly complex systems where simple bugs can lead to vulnerabilities with limitless impact. “We can get our computers to do anything. But the disbenefit of it is that an attack potentially can also get computers to do anything,” Harrison said.

Garrison’s technology revolves around the premise that because detection technology failed to keep pace with attackers’ capabilities and methodologies, organizations must block access to everything not trusted. However, aggressive blocking can cause significant problems for organizations in terms of business effectiveness and efficiency. In addition, detecting everything bad is just not possible, therefore security-conscious organizations can no longer risk allowing uncontrolled access to the web.

Harrison said, “Twenty years ago, the financial services community predominantly were protecting ourselves against kids in that bedroom, or lower level crime. Essentially antivirus and firewalls were the name of the game. Now the finserv industry deals with direct attacks from organized crime rings or nation States.”

Peel Hunt, a corporate broking, advisory, research, sales and trading firm, wrote in a recent report, “An arms race to detect harmful traffic has reduced the usability of essential business functions such as email, web browsing and content sharing. In wanting to balance the inversely correlated security and usability in favor of better productivity, enterprises have become resigned to a state of insecurity. An approach termed ‘Hardsec,’ which uses hardware to extract and verify harmless traffic, has the potential to overhaul this status quo radically.”

Garrison’s secure browsing solution is based on two technologies: Field programmable gate array (FPGA) chips and silicon assured video isolation (SAVI). Harrison noted FPGA chips, not a new technology, are integrated circuits configurable by a customer or a designer after manufacturing. He also explained the technology is quite mature and used extensively in telecoms and other sorts of electronic engineering. The second tech is a Garrison SAVI, which performs the ‘transform and verify’ process by turning the web into raw pixels – a verifiable format – and uses fixed-function hardware to deliver the non-Turing-machine implementation. “Hardsec allows you to build security platforms that are not hackable computers,” Harrison emphasized.

After its work in the government national security space, Garrison is now starting to work with a handful of key early adopters in the financial services space in the U.S. and U.K. “In the financial services market, overwhelmingly the organizations really have never heard of this technology. This is completely new to them.”

Does hardsec fit in with community institutions such as credit unions? Harrison admitted, “I would say it is not there yet, but we’ve always identified our direction ultimately is to take this technology and make it available in the cloud so that even small- or medium-sized financial institutions can buy into this kind of new market leading technology.”