Australia is not renowned for producing homegrown security hardware, but Canberra-based company Penten is bringing to market a tiny device that promises big benefits, and significant cost savings, when it comes to secure wireless access to classified data and government networks.
As part of its national cyber security strategy, the government is seeking to help give local industry a leg-up, and one of its key initiatives to aid the sector is the launch of the Australian Cyber Security Growth Network (ACSGN).
The ACSGN is part of the government’s $250 million Industry Growth Centres Initiative. The industry-led, not-for-profit organisation is intended to help Australian businesses increase their share of the estimated $100 billion global cyber security market.
In April, the ACSGN unveiled the nation’s first Cyber Security Sector Competitiveness Plan, which “provides a roadmap to strengthen Australia’s cyber security industry and pave the way for a vibrant and innovative ecosystem,” the document states.
One of the companies celebrated as a local success story at the SCP’s launch was Penten. The company’s flagship offering is the AltoCrypt Stik: A diminutive USB-based device designed to deliver wireless access to government networks for individuals dealing with data subject to stringent security controls.
But although the Stik is a new product and Penten a relatively young company, the group behind it have significant pedigree in the information security industry, explained its CEO, Matthew Wilson.
The company’s founders were behind M5 Network Security, which in 2012 was purchased by Northrop Grumman, said Wilson — who helped found M5 and continued to run the business after it was acquired.
“I ran that business for Northrop for a couple of years,” Wilson said. “And then gradually we’d all served our time, so to speak, served our commitment to Northrop, and came out and realised there were still problems that we wanted to solve.”
“They weren’t exactly the same problems we were dealing with before; in fact, the very nature of cyber is there’s always new problems to solve,” the CEO said.
The end result was Penten. Prior to the AltoCrypt Stik, most of Penten’s work has been on custom security solutions for customers.
“A customer comes to us and says: ‘We need to understand this piece of technology; we have this problem that we’re trying to solve,’” Wilson explained.
“Most of the work that we’ve been doing has been solving very specific cyber problems — usually involving the confluence of software and hardware and usually in the mobile security space.”
“If anything is a clear specialisation of ours it is: How do we make information, specifically classified information, more valuable through making it mobile,” he added.
“In recent times there’s been a real focus on knowing that the quicker we can get that information to the people who need it, the more easily they’re going to be able to do their job,” Wilson said.
“There’s been a real, a very big process worldwide trying to come up with solutions that solve those problems: Keeping those security controls in place, but still delivering the information through to individuals.”
The target market for the Stik comprises military and national security agencies in Australia, the UK and New Zealand.
Members of the Penten team helped build the existing solution employed by the Australian government within the M5 business. “What we’re looking at doing now is solving a very similar problem, but in a different way, and in a more ubiquitous way,” Wilson said.
Currently the solution used by government involves briefcase-style devices that are employed by intelligence officers who need to securely access a government network.
“It’s very difficult to help people understand why you can’t just use your mobile phone to access classified email,” Wilson said. “You need to look at ways of isolating devices from public networks.”
“That’s part of where the Stik comes in,” he explained. “It looks like one device, but in fact it’s multiple devices within it that are creating those separation points.”
The device integrates encryption, routers, and security appliances without the need for an external power pack or cables.
Customers came to Penten looking for an alternative to the briefcase-style devices — which are far from discreet, when travelling through an international airport, for example.
“That’s part of the process that got us to building the Stik, which is a small and discreet device that they can put in the pocket and doesn't look out of place in a laptop bag, but still delivers the same level of security and assurance as the large systems,” Wilson said.
He added: “That large briefcase system that everybody is using now is actual steps ahead of where we were 10 years ago — when we had an even larger briefcase and it came with a technician and only connected via ISDN or PSTN.”
The portability of the briefcase system, and the fact that on inspection it is pretty clearly a device for accessing classified networks, is only part of the issue, the CEO added.
“There’s another part of this as well: If you’re really trying to enable more people to have mobile access to data, the big briefcases are also quite expensive — so we’re trying to pull [these capabilities] down to a smaller device that’s much less expensive, and therefore allows more people to have that capability.”
The Stik costs about a tenth of what agencies are paying currently, he added.
“It's a pretty significant change,” Wilson said. The briefcase system includes multiple pieces of hardware that go through long accreditation cycles. “What we’ve been able to do is combine all of those devices into one device,” he said. There are also some key design choices that pave the way for a “very efficient accreditation process” for the Stik, he said.
The development of the Stik has been in conjunction with UK-based company Amiosec (the founders of Penten are also part of the founding group of Amiosec), and as a key step towards in-field use of the device, the companies have been seeking accreditation for the Stik in the UK.
“We’ve been seeking an accreditation path with GCHQ, through the [National Cyber Security Centre], which is the information assurance authority within the United Kingdom,” Wilson said.
The accreditation process in the UK is an “iterative and supportive” one, Wilson said, that “takes as long as it takes”.
“Once that’s done, we can forklift that accreditation and a local sponsor into the local information assurance accreditation authority in Australia [the Australian Signals Directorate] and begin an Australian accreditation process,” the CEO said. That process is expected to be a lot quicker because it will begin with the results of the UK accreditation process.
In Australia, the Stik has been used by prospective customers for trials, Wilson said.
“We've already sold devices but they’re prototype devices,” he explained. “Customers in the UK and Australia have already purchased devices and that’s really about supporting their own testing and evaluation processes, which have all been successful.”
Although the focus is on the complementary UK, Australia and New Zealand markets, Penten is exploring the possibilities open to it in the US.
The US tends to be “parochial purchasers” in the national security market, Wilson said, “but as we have done in the UK, we’re actively engaged with a couple of US partners at the moment, looking at how we can enable them to create a US sovereign solution.”
Penten believes there is also potential to adapt some of the technology used in the Stik to “adjacent markets.”
The company recently signed a memorandum of understanding with a major Australian engineering services firm that is making a push in the defence market. Penten is looking at the potential to adapt a version of the Stik technology to support remote access into automation system networks.
“We’ve also just been meeting with a couple of financial institutions that are exploring ideas of supporting some of their high value customers with some different access solutions,” Wilson said.