
PKWARE warn against confusing mere compliance with actual security

Although its focus today is on data encryption and security, PKWARE is responsible for one of the most common file types in the world. The Wisconsin-based company and its founder Phil Katz created the ZIP file, and the company still maintains its format specification today.

While it still provides compression software, its focus is now on encryption and Data Loss Prevention for companies in finance, healthcare and government. We had a quick chat with PKWARE’s Chief Technology Officer Joe Sturonas about the state of security today, the continued relevance of the ZIP file, and being a tech company away from the tech hubs.


What’s your view on some of the recent big headline hacks we’ve seen with the likes of Sony and the US Government, and do you think they could have been avoided?

Simply put: Many of these data breaches could have been avoided if the information was protected, instead of the devices and the network.

Regulation and compliance largely focus on a decade-old notion of protecting devices (desktops, laptops, servers, mobile, etc.) and networks (SSL, TLS, etc.). Our computing model has changed drastically: data is on BYOD (Bring Your Own Device) hardware and sent out to cloud computing environments, so much of an organization’s data is not even on the devices or platforms they own. By encrypting the data itself, data is persistently protected regardless of the device or the network.

Even if you are simply focused on protecting devices and networks, security should be about “defense-in-depth.” In this day and age, you have to assume you are going to be breached, and if the data itself is not protected, the bad actors will be able to exfiltrate your sensitive data. That is why these breaches are happening with such regularity.

In some cases, it is not that the bad actors are able to penetrate the perimeter of the organization; the bad actors are already inside. Thieves, snoops and idiots are the three categories from which our customers are typically aiming to guard themselves. These are the people or groups pulling data from organizations and seeking to gain value from cybercrime. But, by protecting the data itself, these groups are prevented from getting anything of worth from a breach or heist.


Do you think the ongoing headlines around the NSA have made people and organizations more aware of the need to take security seriously?

I would probably give organizations the benefit of the doubt and say they all take security seriously, but I think most are focusing on the wrong problem. I think there has been confusion around being compliant and passing audits. Compliance for things like PCI DSS (Payment Card Industry Data Security Standard) covers a wide range of businesses, so the bar needs to be very low. Once the organization passes the PCI audit, they feel they have achieved a level of security where they are protected.

However, if you look at organizations that were regulated by PCI DSS, they were all compliant at the time of the breach, largely because the standards for security are focusing on devices and networks. In other words, they were protecting the perimeter, rather than the data itself. That may be fine for meeting a compliance benchmark or an audit, but it is not focused on maximum security. In 2014, that has been the big wake-up call around security for customers we’ve talked to and worked with: don’t confuse compliance and security. And this has made data encryption more important today than it has ever been.


With the advent of the Internet of Things and all the kinds of devices that includes – wearables, cars, homes, etc. – is security an issue that hasn’t been properly addressed yet?

Device security for IoT is typically not as rigorous as it is for more traditional devices such as desktops, laptops and servers. Security for these devices is usually seen as a sidecar or add-on feature. Given that, encryption of the information itself becomes imperative to keep this highly personal and highly mobile data protected regardless of the device that it might land on.

While information from IoT may not seem valuable or relevant on its own, when these devices are not protected, they can become an entry point for thieves or another source of information to create a personal or organizational profile. For example, HVAC data might appear to be benign by itself, but in the context of other manufacturing data, it might reveal much about manufacturing intellectual property and production schedules that could be devastating in the hands of competitors.


The ZIP file has been around for over 20 years now. Is it still relevant today, and does it need a refresh to ensure it stays secure in today’s security-conscious world?

PKWARE invented the ZIP file back in 1988 and, even as we’ve shifted our focus to security software, ZIP continues to have a noted, functioning role in personal and business data. As the custodians of the ZIP file format, PKWARE continues to innovate and evolve the ZIP file to ensure it supports strong security, such as support for X.509 digital certificates, as well as digital signing and authentication.


PKWARE is based in Milwaukee, Wisconsin. How would you describe WI’s technology scene, and is it a benefit or hindrance not to be based in Silicon Valley?

There is no pretending that the Dairy State is going to supplant Silicon Valley anytime soon. For quite some time, the direction of tech in Milwaukee and the Midwest had been largely focused on the existing manufacturing industry. But we’ve been encouraged lately by the success in both the startup scene (Corvisa, Gener8tor, Rokkincat) and by our peers in the Milwaukee-Madison area (Hold Security, MSI, JDA).

In our own experience, it’s kind of a badge of honor that we’re able to hold our own for three decades outside of the areas considered tech hubs. Today’s remote work demands and in-person security presentations have knocked down many of those physical hindrances. Plus, we have solid sales and development teams in Ohio, London and New York City.


Dan Swinhoe

Dan is a journalist at CSO Online. Previously he was Senior Staff Writer at IDG Connect.
