Tresorit adds file restore to its e2e encrypted cloud storage service

Europe-based cloud storage startup Tresorit, which mainly focuses on selling to small to medium size businesses, has added a file restore feature to its e2e encrypted cloud storage platform. It’s touting this as a helpful feature if you’re trying to recover from a ransomware attack.

Or, more prosaically, if you’ve accidentally deleted something.

Here’s a GIF showing the file recovery feature in action:

The file restore feature covers files stored in Tresorit’s cloud and files synced locally to a user’s devices.

Obviously, if files are only stored locally and not backed up or synced to Tresorit’s cloud there’s no fallback restoration in the event of a ransomware infection. (While files stored in Tresorit’s cloud that not synced locally would not be affected by any local ransomware infection.)

Tresorit already had a file versioning feature, which allows users to recover any previously saved versions of their files. But it says the addition of file restore helps mitigate the types of ransomware attacks that encrypt files without deleting them first.

There’s no time limitation on the file restore option. Files can always be recovered so long as
the user hasn’t confirmed permanent deletion.

Which does mean, over time, the feature may end up eating into your storage limit — at least if you don’t tidy up and fully delete files you no longer need.

“Non-permanently deleted items count towards the storage space of a user. So, it requires some ‘housekeeping’ from the user,” confirms a Tresorit spokeswoman. “But it is easy to get rid of all these deleted items that a user doesn’t need by selecting ‘Remove deleted items’.”

Also helpful: Tresorit has announced it’s doubling the amount of storage space it offers for individual plans — with its premium (aimed at individuals) and solo (freelancers and professionals) plan users now getting 200GB and 200TB respectively.

Today it’s also introduced a new basic plan which it describes as a “more capable” free version —  intended to help external collaboration between its business users and their clients or partners (who may not be Tresorit users).

Last year it launched free subscriptions for NGOs and activists for whom strong privacy is not just a nice to have. And the spokeswoman tells us more than 100,000 people are now using its tools — which includes both consumer (so some non-paying) and business users.

“Almost two-thirds of our customers are European, led by the traditionally security and privacy conscious countries like Germany and Switzerland. The next biggest European markets are the UK and the Benelux-states. The second largest region is North-America (mostly the US),” she says, adding that Europe’s incoming update to its data protection framework is also driving local uptake.

“With only a few months to go until the GDPR, we are seeing an even higher demand for secure, end-to-end encrypted online services with European data centers. A lot of smaller companies are just starting the preparation for the GDPR, and looking for secure services they can easily switch to.”

Tresorit’s zero-knowledge e2e encryption architecture means that, unlike cloud storage giants like Dropbox, it cannot decrypt and access users’ files. So it cannot be subpoenaed to hand over content data itself.

Although it can provide some user and service activity data in exchange to lawful requests — such as names, email addresses, billing details and so on. The company recently started publishing a Transparency Report to list any government data requests it receives and provide details on how it handles such requests.

“During the period covered in this (from September 24, 2013, to November 30, 2017), we received one informal request from a Swiss police authority to retain certain user data, however, as there was no official decision by Swiss authorities on this case, in the end, we didn’t hand over any data,” the spokeswoman tells us.

“As a Swiss company, Tresorit is primarily subject to Swiss jurisdiction regarding data protection and criminal procedures. Without an official decision by a Swiss cantonal or federal authority, no information can be provided to foreign requests.”

Chef InSpec 2.0 helps automate security compliance in cloud apps

How many times do you hear about a company exposing sensitive data because they forgot to lock down a data repository on Amazon? It happens surprisingly often. Chef wants to help developers and operations teams prevent that kind of incident. Today, the company released InSpec 2.0, which is designed to help automate applications security and compliance in the cloud.

InSpec is a free open source tool that enables development teams to express security and compliance rules as code. Version 1.0 was about ensuring that applications were set up properly. The new version extends this capability to the cloud where companies are running the applications, allowing teams to test and write rules for compliance with cloud security policy. It supports AWS and Azure and comes with 30 common configurations out of the box including Docker, IIS, NGINX and PostgreSQL.

Companies running multiple applications across multiple clouds face challenges in today’s continuous development environment. It’s actually fairly easy to leave that database exposed when it’s up to humans to continuously monitor if it’s in compliance or not.

Chef wants to help with that problem by offering a tool to automate compliance. It takes some work in getting the security, development and operations teams together to discuss what needs to be locked down, but once they come to an agreement, they can to use InSpec to write rules to validate proper cloud configurations using the InSpec scripting language.

Chef’s director of product marketing Julian Dunn says that anyone used to using scripting languages should be able to pick it up. “A language like InSpec allows customers to customize and write the rules specific to the cloud they are in and specific to their cloud deployment and check things they care about it,” he said.

Scripting language example. Code sample: Chef

“The language is designed to be easy to read and write. It’s intended for security engineering folks who don’t have programming background, but have scripting experience,” Dunn added. Once you write these scripts, you can run tests against your code, see which areas out of compliance and take steps to fix them.

InSpec was created via the acquisition of VulcanoSec, a German compliance and security firm that Chef purchased in 2015. InSpec 2.0 is open source and available for download on Github.

Featured Image: Roy Scott/Getty Images

Oracle grabs Zenedge as it continues to beef up its cloud security play

Oracle announced yesterday that it intends to acquire Zenedge, a 4-year old hybrid security startup. They didn’t reveal a purchase price.

With Zenedge, Oracle gets a security service to add it to its growing cloud play. In this case, the company has products to protect customers whether in the cloud, on-prem or across hybrid environments.

The company offers a range of services from web application firewalls to distributed denial of service (DDoS) attack mitigation, bot management, API management and malware prevention. In addition, they operate a Security Operations Center (SOC) to help customers monitor their infrastructure against attack. Their software and the SOC help keep watch on over 800,000 websites and networks across the world, according to information supplied by Oracle.

Oracle says it will continue to build out Zenedge’s product offerings. “Oracle plans to continue investing in Zenedge and Oracle’s cloud infrastructure services. We expect this will include more functionality and capabilities at a quicker pace,” Oracle wrote in an FAQ on the deal (.pdf) published on their website.

Oracle’s recent acquisition history. Source: Crunchbase

Just this week Oracle announced that it was expanding its automation capabilities on its Platform as a Service offerings from databases to a range of areas including security. Ray Wang, founder and principal analyst at Constellation Research says the company is a good match as it also uses automation and artificial intelligence in its solution.

“Oracle is beefing up its security offerings in the cloud. They have one of the strongest cyber security platforms,” Wang told TechCrunch. “They also have a ton of automation that fits Oracle’s theme of autonomous,” he added.

Oracle is far behind cloud rivals as it came late to the game. Just this week, the company announced plans to build a dozen data centers around the world over the next two years. They are combining an aggressive acquisition strategy and rapid data center expansion in an effort to catch up with competitors like AWS, Microsoft and Google.

Zenedge launched in 2014 and has raised $13.7 million, a modest amount for a cloud-based security service. Oracle says customers and partners can continue to deal with Zenedge using their existing contacts.

Featured Image: Justin Sullivan/Getty Images

Google to acquire Xively IoT platform from LogMeIn

Google announced today that it intends to buy Xively from LogMeIn, giving Google Cloud an established IoT platform to add to their product portfolio. Terms of the deal were not disclosed.

In a blog post announcing the acquisition, Google indicated it wants to use this purchase as a springboard into the growing IoT market, which they say will reach 20 billion connected things by 2020. With Xively they are getting a tool that enables device designers to build connectivity directly into the design process while providing a cloud-mobile connection between the end user app and the connected thing, whatever that happens to be.

“This acquisition, subject to closing conditions, will complement Google Cloud’s effort to provide a fully managed IoT service that easily and securely connects, manages and ingests data from globally dispersed devices.” Antony Passemard from Google wrote in the blog post.

As for LogMeIn, which acquired Xively in 2014 for $12 million, they acknowledged in their company blog post announcing the deal, that they intend to exit the IoT space . “So the obvious question is, does this mean LogMeIn is exiting the IoT? Well, if you mean the IoT connectivity platform space, yes, we’re leaving it. We believe that Google Cloud, now armed with Xively’s team and great technology – and backed by their platform and developer heritage and reach – are a far better fit for the future of platform leadership,” they wrote. They are probably right about that.

The company purchased Jive Communications just last week in a signal that they were going to concentrate on unified communications. “Last week, we announced a deal to acquire Jive Communications – a deal that will bring together LogMeIn’s renowned portfolio of collaboration apps like GoToMeeting and with one of the best cloud telephony services on the market,” they wrote in the blog post.

As for Google, it gives the cloud business a stronger foothold in IoT with an established platform, and engineering talent, which over time could help build their cloud business further. Earlier this month Google, announced its combine cloud business was generating a $1 billion per quarter. They need to find ways to expand that business to compete with the likes of AWS, Microsoft and other cloud market leaders. This purchase could be a step in helping them to do that. Internet of Things devices require many different types of cloud resources to build, run and manage the devices and all of the data they are generating.

They believe that by combining Xively’s platform with Google’s security, analytics, machine learning and ability to scale, they can give customers the tools to build IoT applications on their cloud platform.

Featured Image: Prasit Photo/Getty Images

Consolidation in the cloud as OpenText buys Hightail and Carbonite grabs Mozy from Dell

Back in the early 2000s before Dropbox was gleam in Drew Houston’s eye, sharing large files was a huge challenge. Email services limited attachment size because bandwidth and storage were both expensive and FTP required a certain level of technical acumen. YouSendIt tried to resolve that problem by providing a way to share large files in the days before the cloud became a thing.

The company, which became Hightail in 2013, was sold to Open Text today for an undisclosed amount. Open Text is a highly acquisitive Canadian content management company. It operates almost like a private equity play, buying up older companies and living off of the assets, while incorporating them into the Open Text family of products.

Alan Pelz-Sharpe, founder and principal analyst at Deep Analysis, says Hightail is still solving that edge problem of moving large files around the internet, which has remained a problem even in the age of cloud storage. “Hightail was one of the few — though it largely went unnoticed — that focused on that problem. They essentially rethought FTP and filled a niche, particularly for creative media workers,” Pelz-Sharpe told TechCrunch.

The company counts 5.5 million customers with a strong emphasis on that creative professional market in advertising and marketing, which often have hefty files to move around between teams and clients. Hightail still provides them that ability.

Mark J. Barrenechea, who holds several titles at OpenText including vice chairman, CEO and CTO, says the addition of Hightail helps them meet yet another content management use case. “The acquisition of Hightail underscores our commitment to delivering differentiated content solutions in the cloud that enable marketers and creative professionals to share, produce, and securely collaborate on digital content,” Barrenechea said in a statement.

This could allow them to compete with Adobe, at least on the file sharing side. Adobe has a big stake in the creative market and providing solutions for creating and sharing the large files they produce.

Today’s acquisition comes on the heels of the sale of another early cloud company when Dell sold Mozy to Carbonite yesterday for $145 million. Mozy, a cloud backup service, which launched in 2005, was sold to EMC in 2007 for $76 million. You may recall that Dell purchased EMC in Oct 2015 for $67 billion. That deal closed in September 2016.

Mohamad Ali, Carbonite CEO and president, sees this deal as a way to expand Carbonite’s family of products. “This deal provides Mozy customers scalable options for the future and gives Carbonite a broader base to which we offer our solutions,” Ali said in statement.

Tony Byrne, founder and principal analyst at the Real Story Group says that both of these deals are indicative of consolidation in the online storage space. “Many of us hoped that these smaller niche players could provide pluggable services to other applications but in the end the big vendors just did that themselves. And they were too small and thin to compete with Box and Dropbox in the standalone market,” Byrne explained.

Featured Image: NicoElNino/Getty Images

Oracle to expand automation capabilities across developer cloud services

Last fall at Oracle OpenWorld, chairman Larry Ellison showed he was a man of the people by comparing the company’s new autonomous database service to auto-pilot on his private plane. Regardless, those autonomous capabilities were pretty advanced, providing customers with a self-provisioning, self-tuning and self-repairing database. Today, Oracle announced it was expanding that automation beyond the database to other parts of its developer cloud platform.

The company started with that autonomous database, known by the exciting name, 18C, which like Ellison’s airplane practically runs itself. “We are extending the automation across all of our cloud platform services, making them self driving, self securing and self repairing and eliminating human requirements to handle all of the [installation], protection and services,” Amit Zavery, executive vice president for the Oracle Cloud Platform told TechCrunch.

The automation will be applied to a broad array of Oracle cloud services including applications development, data integration and security. The new services are designed to remove a significant amount of the complexity and reduce the time and cost associated with launching, running and maintaining cloud services. The goal is to leave it to the machine wherever possible.

Developers still need to do their jobs, but it drastically reduces much of the day-to-day operations and initial tasks, which should increase the efficiency of the IT team, Zavery said. “The time to market, risk and cost come down. The mundane tasks go out of your hands and you can spend more time on the application you want to build,” he explained.

This automation uses a lot of artificial intelligence and machine learning under the hood and should speed up the transition to the cloud for Oracle’s customers. What’s more, the intelligence layer means that technology should improve over time as it learns the intricacies of each customer’s individual requirements.

Ellison founded Oracle in the late 1970s in a very different computing world. Over the last several years, the company has been transitioning to a cloud model, but it was very late to the game and far behind companies like Amazon, Microsoft, Google, IBM and even Alibaba. Zavery sees this level of automation as a key differentiator between Oracle and its cloud competitors.

The new autonomous services will be rolling out over the first half of this year, Zavery said.

Featured Image: Bloomberg/Getty Images

Google’s bug bounty programs paid out almost $3M in 2017

Bug bounty programs are designed to sic security researchers on software and pay them to find vulnerabilities and report back to the sponsor. In return, the researchers are richly rewarded for their findings. In fact, Google’s bug bounty paid out a hefty $2.9 million in bug bounties in 2017.

Rewards can range from $500 to $100,000 or more depending on the type of bug and the amount of time spent. There are a number of programs including the Vulnerability Research Grants Program and Patch Rewards Program. The former paid out total paid of $125,000 to 50 researchers around the world in 2017, while the latter paid a total of $50,000  to improve security in open source software.

The largest award of the year was $112,500, a nice chunk of change, for tracking down a Pixel phone exploit as part of the Android Security Rewards Program. This is serious money and bug bounty hunters serve a key role in the software security ecosystem helping to ferret out some of the worst vulnerabilities before hackers can exploit them.

For that reason, the company continues to expand its bug bounty programs, and when needed jacks up the reward to try and get more people involved. For instance, Google raised the top reward for finding a remote kernel exploit from $30,000 to $150,000 last year. That should motivate more researchers out there to keep looking.

The bug bounty program has programs across the various Google products, Chrome and Android and they even introduced a program in October to track security issues in some of the most popular apps in the Google Play store.

Google is far from alone in holding bug bounty programs with some of the biggest companies in the world holding their own including GM, Airbnb, MasterCard and even the Pentagon. Some startups have developed platforms to build and administer bug bounty programs. These include Bugcrowd and HackerOne, a company that launched in 2012 and has raised almost $75 million including $40 million last year. These companies help customers build platforms to offer rewards for finding bugs in a similar manner to Google.

Finding bugs is not only rewarding for the researchers in a monetary way, although that’s probably a big part of the motivation, it also raises the profile of bug bounty hunters in the research community when they find a big bug.

Every software platform has problems. Programs like the one Google offers is a proactive way to track vulnerabilities before they become a public issue. The Google program has paid $12 million since it began in 2010.

Featured Image: scyther5/Getty Images