Tozny, a Portland, Oregon startup that wants to help companies more easily incorporate encryption into their programs and processes, introduced TozID today. It is an identity and access control tool that can work independently or in conjunction with the company’s other encryption tools.
“Basically we have a Security as a Service platform, and it’s designed to help developers and IT departments add defense in depth by [combining] centralized user management with an end-to-end encryption platform,” Tozny CEO and founder Isaac Potoczny-Jones told TechCrunch.
The company is introducing an identity and access solution today with the hope of moving beyond its core developer and government audience to a broader enterprise customer base.
Under the hood, TozID uses standards identity constructs like single sign-on, SAML and OpenID, and can plug into any existing identity framework, but the key here is that it’s encryption-based and uses Zero Knowledge identification. This allows a user (or application) to control information with a password, while reducing the risk of sharing data because Tozny does not store passwords or send them over the network.
In this tool, the password acts as the encryption key, which enables users or applications to control access to data in a very granular way, only unlocking information for people or applications they want to be able to access that information — and nobody else.
As Potoczny-Jones points out, this can be as simple as one-to-one communication in an encrypted messaging app, but it can be more complex at the application layer, depending on how it’s set up. “It’s really powerful to have a user make that decision, but that’s not the only use case. There are many different ways to enable who gets access to data, and this tool enforces those kinds of decisions with encryption,” he explained.
Regardless of how this is implemented, the user never has to understand encryption, or even know that encryption is in play in the application. All they need to do is enter a password as they always have, and Tozny deals with the complex parts under the hood, using standard open source encryption algorithms.
The company also has a data privacy tool geared towards developers to build in end-to-end encryption into applications, whether that’s web, mobile, server and so forth. Developers can use the Tozny SDK to add encryption to their applications without a lot of encryption knowledge.
The company has been around since 2013 and hasn’t taken any private investment. Instead, it has developed an encryption toolkit for government agencies, including NIST and DARPA, that has acted as a de facto kind funding mechanism.
“This is an open source toolkit on the client side, so that folks can vet it for security — cryptographers like that — and on the server side it’s a SaaS-type platform,” he said. The latter is how the company makes money, by selling the service.
“Our goal really here is to bring the kind of cybersecurity that we’ve been building for government agencies into the commercial market, so this is really work on our side to try to, you might say, bring it down market as the threat landscape moves up market,” he said.