bayun.dev

Build “Zero Liability” Products

Integrate Privacy into your products instantly with E2EE++ - and get Zero-Trust++ Security for your enterprise customers easily.

Secure your customers by enabling them to take full control of their data and eliminate liability (instead of transferring it to somebody else) using Bayun’s simple-to-integrate DigiLockbox™ solution.

As pointed out by Prof. Madnick from MIT in his recent studies, data breaches have become a global epidemic, threatening user data the world over. And proper use of end-to-end encryption (E2EE), like that being adopted by Apple is the most effective vaccine to get ourselves out of it. Moreover, the current AI wave is also driving a heightened interest in user data privacy. No wonder that Apple itself is extending their lead in user data privacy from E2EE to Apple Intelligence as well.

DigiLockbox builds upon the principles of Apple’s iCloud Keychain security model, encrypting all data and putting users in charge of their own data. It creates a virtual secure lockbox for each user (within minutes of development effort), that is secure yet conveniently accessible from secure enclaves of trusted devices only. It manages multi-factor authorization (not authentication), that cannot be surpassed, for enforcing arbitrary access policies; and is immune to brute force attacks, phishing attacks, MITM attacks, privilege misuse and even software/system vulnerabilities.

So even if the entire server infrastructure of an application were to be taken over by a malicious entity (including the authentication system), all users' data still stays safe. On the other hand, if a thief has stolen a user's password (e.g. through a phishing attack) and also gained access to the user's email account as well as SMS, even then that user's account stays protected. Conversely, we can also enable secure account recovery in case a user has forgotten their own password, in spite of the fact that the user data is kept end-to-end encrypted with no access for the server!.

Overview

Overview Presentation

A high-level Overview of Bayun, and why this new model is necessary to protect user data from never-ending breaches.

Demos with Technical Details

Demos of Bayun showcasing different aspects of the SDK, and details on how the underlying technology works.

Privacy & Security

E2EE ++

Zero - Trust ++

ZeroTrust typically means not trusting a network or a particular domain the user/service is coming from in order to enforce access control on data. Bayun’s DigiLockbox takes the Zero-Trust model to its ultimate extreme with trustless enforcement of policies at the data level, where even no server-side code needs to be trusted for enforcing access control. This ensures that even if all server-side infrastructure of an application and its associated services (e.g. authentication system) were to be compromised and/or privileged admins were to become malicious, no damage can be done.

Learn More

Today's Challenges

Your employees can access your customer data, creating liability for you

If any of your employees can access customer data, so can hackers (by exploiting vulnerabilities in software systems).

You and your customers are relying on trusted software systems to enforce access controls, which can be exploited through vulnerabilities, mis-configurations, or mis-use.

You have Security controls, you have Privacy controls; but data ownership is still a challenge because you can’t differentiate good guys from bad guys. So the best way to transfer ownership and full control of data to customers and become a data processor alone, is to lose unnecessary access for the good guys as well.

Securing your customers’ data in a perimeter-less world is difficult even with Zero-trust

Forrester’s Zero-trust model (and most implementations of it) is not truly Zero trust in the sense that it still relies on trusted software and services to do the verification of users/applications/micro-services before allowing access to data. The fact that authentication (to validate identity of the user) and authorization (to check access policy for the identified user) are separate layers still leaves big glaring holes in the overall model.

Data can be anywhere and everywhere, so protecting something around data doesn’t work any more. Most security technologies of today rely on creating a secure environment around data to keep it safe, rather than protecting the data at its core. It is necessary to protect the data itself, no matter where it goes.

Today’s encryption model with separate Data at Rest and Data In Transit encryption is insufficient

Today’s best-in-class encryption models use separate domain-specific keys for encrypting the data. This is not good enough - even if we include Data in Use encryption. There are vulnerabilities at the boundaries of different domains. That’s why no matter what we do, breaches keep happening.

Even so called end-to-end encryption, as implemented by the likes of Signal, WhatsApp, etc is also not truly end-to-end. It protects the user data from the sender’s device to the recipient’s device only, and not for the entire lifecycle of user data.

Compliance solves yesterday’s problems

Not even today’s, let alone tomorrow’s. That is why it has always been a cat and mouse chase between hackers and security products, running in circles forever. This vicious cycle needs to be ended by solving tomorrow’s problem today, and forever.

A lot of compliance and security solutions of today work by simply transferring the liability of sensitive user data to yet another trusted service promising better security and privacy with tighter controls. However this process of dumping the monkey onto somebody else’s back, and declaring victory, has been followed in the security industry for ages, but it has not worked so far in the long run, and never will. As soon as a reasonable amount of liability has been accumulated by this separate trusted service, there is sufficient reward available now for hackers and thieves to spend significantly higher effort to break into this new honeypot. And the game continues onwards and upwards. We need to eliminate liability rather than transferring it to somebody else. And since Apple owns their entire ecosystem, with some of the most sensitive user data that they need to protect at scale, they can’t easily dump the monkey onto somebody else’s back; and have no choice but to solve the problem holistically. Hence we need to learn from their experience, and look for holistic solutions to our security & privacy problems that will survive the test of time.

Increased security usually leads to harder deployment/management and decreased usability

If usability gets sacrificed for users and/or developers, or enterprise admins, the solution doesn’t see much adoption, or else starts getting used in sub-optimal ways for convenience, defeating the whole purpose of adding security.

We need a model similar to Apple’s iCloud Keychain, which keeps a user’s credit-card numbers and passwords secure (typically the most sensitive data that any user has), and available for use in various services like Apple Pay, Website logins, App authentication, etc. It provides the best privacy and security, and yet is easy to use. Otherwise, without the desired usability, the increased security is usually not worth it.

Bayun’s Value Proposition

Encrypt with “Zero Liability”, using ZeroTrust++

Bayun relinquishes the service-provider from liability because none of your employees have access to any sensitive customer data. If you don’t have access to customer data, you are not liable during any breaches (and neither is anyone else), as customers themselves have full control over access to their data even if it has been stolen. Note that your company can still choose to keep limited customer data for analytics, etc., after anonymizing it, such that no sensitive PII information is available to any employee of your company, even though your customers themselves will still stay in full control of all their data that is hosted by your service.

With arbitrary access policies tied into encryption, such that authentication and authorization are now enforced by encryption itself, rather than two separate steps with each requiring trusted software for verification; Bayun enables truly Zero Trust or trustless setup, or rather ZeroTrust++.

Bayun protects user data for its entire lifecycle - from creation to consumption, or essentially from cradle to grave, and not just from device to device. Hence it is truly E2EE, or rather E2EE++.

Due to its trustless nature, the service-provider is not simply transferring its liability to yet another trusted service that promises to enforce better controls (the usual technique used in the security industry to throw the monkey onto somebody else’s back). The liability is being completely eliminated in this case with data control being handed back to the data owners, like it always should have been.

A user-keyed Bank Vault with full privacy

Make your key infrastructure a true bank vault with a personal key deposit box controlled by each customer, making your SaaS solution even more secure and private than an on-prem solution deployed and managed by the customer themselves. Even on-prem solutions cannot technically enforce a level of privacy where only certain individuals in the company (e.g. just the CEO and Board of Directors) should have access to certain privileged content stored digitally on some servers for collaboration, and even no IT admins who have administrative control over those servers should be able to access such content. Bayun’s model of E2EE is the only solution that can make a use-case like this technically feasible.

Each of your customers, or rather each employee of your customers, has their own digital version of a bank’s personal safe deposit box with their own key (Bayun’s DigiLockbox). Even a bank manager can’t access this customer safe deposit box without the customer themselves getting involved, let alone a thief or hacker.

Flexible & powerful controls for your enterprise / institutional customers

When an enterprise company or an institution is using your application or service, their employees are acting as agents to create / modify / consume data on behalf of their employer, and the real ownership of data belongs to the company (in fact in some scenarios, it could even be downstream customers of that institution who are ultimate owners of the data). Bayun provides the ability to exercise full-featured controls for these enterprise customers, with arbitrary enterprise access policies that can be tied into encryption. These policies can also be updated (only by an existing member of authorized policy) without having to touch the encrypted data itself. This enables the enterprise/institutional customers of your service to have full and exclusive control of their data, with this company data being effectively “loaned” to their employees for access. The company can even revoke access to any employee at any point of time with proper controls. In fact your customer company is the one that controls access to this data even for law enforcement purposes as well (either directly or indirectly), irrespective of where the data is actually sitting.

In the event some employee of an enterprise/institutional customer gets hit by a bus, or say a disgruntled employee departs - without voluntarily handing-over control of company assets; the company can securely transfer departed employee’s data to another employee through proper controls that are cryptographically enforced (once again, without having to trust any server-side code). We believe that such controls are absolutely necessary in an enterprise environment in order to protect the company from these unfortunate events. And this needs to be done in such a manner that it does not become a weak point in the entire chain, which can be exploited by a hacked or malicious admin account through privilege escalation or misuse. However, with end-to-end encryption of data, this kind of backdoor functionality is extremely hard to implement correctly, and most of the other implementations of E2EE do not offer it today. Bayun’s DigiLockbox has this functionality built-in, as it was designed from ground-up with enterprise and institutional use in mind, rather than for consumer use only.

User Experience that works (with passwordless authentication), even for Crypto Wallets!

Bayun’s solution provides a usage model similar to iCloud Keychain - with the best security & privacy built-in, without sacrificing usability. If usability gets sacrificed, either the solution doesn’t see much adoption or it starts getting used in sub-optimal ways for convenience, defeating the whole purpose of adding security and making the solution even more vulnerable. For example, the current security issues being faced in crypto-space across not only the hot wallets (which are supposed to be convenient, though not as secure), but even cold wallets as well (which are supposed to be very secure if used correctly, though the inconvenience still makes them not only unpopular but highly vulnerable, making them arguably even less secure for most people than some of the hot wallets). Given the recent press on crypto accounts being hacked even with 2 and 3 factor authentication, no wonder that the amount of token value being lost is very high. DigiLockbox is the perfect developer-focused solution for this problem, as it lets wallet providers in Crypto/NFT space create a user wallet experience that is more convenient than an online wallet and yet more secure than even a hardware wallet. Considering that DigiLockbox can keep crypto-currency tokens and high-value NFTs safe for individual users as well as institutions (both institutional investors and enterprises), it can easily keep any data assets safe!

Bayun generalizes iCloud Keychain model to work across all use-cases, especially in enterprise environments, where data needs to be accessible by multiple entities (users and/or services), with arbitrary access policies that can be changed without having to touch the data itself. Yet it is practically easy to deploy for application builders, as well as to manage for enterprise companies whose employees are creating/consuming the data. It is also simple to use for all users (developers, enterprises/institutions, employees or consumers), with Keychain like security, privacy and ease of use. It even includes a secure solution for user account recovery for service providers (both unassisted and assisted), which none of the other implementations of E2EE provide today, not even iCloud Keychain itself. So, for example, if a user forgets their iCloud account password or doesn't remember any of their device PINs, they lose access to their keychain data forever. This is not acceptable in many scenarios, e.g. in case of a crypto-currency wallet which could hold a large amount of token-value. Bayun’s solution has a built-in mechanism to enable user account recovery in such scenarios under service-provider control, without it becoming a security loophole in itself for the user or the service-provider. For users of applications themselves, there is little change in user-experience.

By tying together authentication as well as authorization into data encryption itself, and using local device’s secure storage for keeping user’s personal encryption keys protected with biometrics (what-ever is available and configured on the device - fingerprint, face ID, or device PIN), Bayun’s SDK can be used to provide a password less authentication & authorization experience to users. This considerably simplifies the user experience, despite providing far superior security (again similar to Keychain itself). Note that passwordless authentication is a recent phenomenon that tries to simplify the user experience for applications by not using passwords for login/auth. However all these solutions simplify the user experience but still require trust in the underlying authentication servers (as well as authorization logic), and hence do not even come close to the level of security and privacy provided by Bayun’s solution. So effectively, Bayun’s solution not only simplifies the user experience with password less auth by securely using user’s personal key on the device, but also makes it Zero-Trust++ by tying authorization logic into the same key for unlocking the data.

Instant Application Integration with minimal cost

Bayun’s solution creates the easiest possible mechanism that is technically feasible for developers to add built-in security to any application.

No need to build it yourself to simply chase compliance and solve yesterday’s problems. Get ahead of compliance instead and solve tomorrow’s problems today.

Option to start even simpler by integrating with password-less authentication alone, improving the user-experience first with improved authentication security itself, and expand later with deeper integration of encryption to get the best available data authorization security and privacy for you as well as your customers. No other password-less authentication solution provides such an easy upgrade path, or for that matter any upgrade path, towards zero-liability using end-to-end encryption and beyond.

See how BAYUN can help to Secure you and your Customers

Quoting Prof. Madnick again, the best way to protect user data for any application or service is to retain as little of it as is necessary and, more importantly, what-ever data is stored should be protected using the strongest version of end-to-end encryption techniques where it can only be decrypted by the data owners. It is for this very reason, that some of the leading SaaS vendors have spent years building and honing the end-to-end-encryption technologies, which enables them to differentiate and compete in today’s fast-emerging privacy-focused environment, and maintain the ultimately best possible security for themselves and their customers. Most of them have built this technology in-house, from scratch, for their own specific use-cases, e.g. Zoom (through Keybase acquisition), Skiff (now part of Notion), ProtonMail , TigerText , Signal and WhatsApp , Dashlane and 1Password , and most-importantly iCloud Keychain

Bayun’s DigiLockbox technology enables any software vendor to quickly integrate E2EE into your products within days (instead of spending years building it in-house), including the ability to provide complete enterprise controls to your customers (e.g. ability to securely transfer control of E2E encrypted data on departure of a disgruntled employee) - something that is necessary in an enterprise environment, or any other use-case where stakes can be high (e.g. in crypto-wallets); but not provided by any of these existing products. Bayun SDK’s password-less auth makes it possible to start with improved user-experience for your customers first, and roll out data encryption in stages to get on par with, or rather get ahead of, most other solutions providing E2EE.

Product Whitepaper

Please enter your email address to receive Bayun's DigiLockbox whitepaper via email.

Email*

First Name

Last Name

Company

Phone Number

Product Version Interest

Interested in AWS S3?

Application to be Used by

App Audience

Message (if any)