Paying the bills is a pain. When Pitney Bowes designed Volly, its digital mailbox, the development team strived to create a user interface that took some of the hurt out of the process.
The digital mailbox would serve as a one-stop platform for bill paying, a way for users to pay for services without having to sign up for individual sites. But with security still a leading concern in cloud computing, Pitney Bowes faced a unique challenge -- how to create an easy experience for users while still providing the security needed to protect sensitive information like credit card numbers. After mulling over the build-or-buy dilemma, Pitney Bowes decided on Belcamp, Md.-based data protection company SafeNet.
Read more about cloud security
The basics of cloud storage
How real are cloud security threats?
Cloud security and multitenancy
Ray Umerley, vice president of Volly Solution Development, said that SafeNet was ultimately the choice because it was best-of-breed software with a robust collection of APIs that made integration a breeze and created the best user experience. Pitney Bowes considered other vendors, but build-or-buy was a tougher decision, he added.
“It always is, we’re all engineers at heart here,” Umerley said. “The onus is typically, if we can solution the idea on how we want it to work we can put the resources to bear to make it happen.”
Engineers were up to the task, but ultimately SafeNet was seen as a safer bet.
“Is our core competency really going to be creating a cryptographic solution for securing cloud contents? Not today, maybe tomorrow,” he said.
Umerley added that since Volly, a digital mailbox that serves as a way to pay bills online in a centralized location, is a new brand for Pitney Bowes, partnering with an established security company was preferable. He said the logic was the same for Volly’s partnership with Adobe to create an accessible user interface.
Identity verification key to open digital mailbox
The focus on ease of use led to the creation of a system that keeps security hidden from the user. Signing up for the platform requires a name and a password. To start receiving bills through the digital mailbox, users have to verify their identity with their billing company in Volly, using personalized identity-level questioning, like what their eye colors are or how many rooms they have in their homes.
“A digital check that only relies on a certain subset of data is going to be easier to compromise than a large set of data,” Umerely said, adding that a little money and a search engine is all a hacker would need to find most credit check data.
Users only have to take the identity-level quiz once and do not have to give any other information, unless the provider has regulatory requirements that demand an extra level of identification, like an account number.
The goal of the system is to provide an alternative to the Web-scraping model, where usernames and passwords are stored on the billing company’s servers. Umerely said that part of Volly’s security comes from the fact that they don’t want users’ information and don’t ask for it.
Tsion Gonen, chief strategy officer at SafeNet, compared Volly's security to other approaches that led to major breaches recently, such as the LinkedIn server hack that revealed more than six million passwords and millions of eHarmony passwords. Gonen believes SafeNet is insulated from attacks like that because it does not store usernames and passwords.
“If you look at the recent breaches, the ones that really were painful, the hackers didn’t go after individual accounts, they went after where everything is,” Gonen said, explaining that SafeNet’s appliance secures Volly’s transactions with data encryption that is transparent to the user.
“If some hacker comes in, he’ll only be able to take encrypted data, which is irrelevant.”
Cloud encryption beefs up digital mailbox security
The encrypted data can’t be accessed without a unique key that each user receives. The challenge for SafeNet has become getting cryptography technology to scale. Millions of keys are issued for an application like Volly, creating challenges on how to store the keys securely.
Gonen said SafeNet’s keys are vaulted in hardware, not software, that is highly secure, to the point that accessing the physical hardware requires a Hollywood-style scenario where three separate keys are turned simultaneously. He adds that while SafeNet vaults the keys and encrypts the data, users are still in full ownership of it.
“I want you to manage [services], but I don’t want you to have access to my data,” Gonen said, describing a typical user request. “The only way to do that in a scalable manner is to use crypto.”