Social Fortress Is A Simple (But Powerful) Skeleton Key/Data Security Service For Your Digital Life

Georgia-based Social Fortress may have started out as a pet project to make communicating on Facebook more privacy-friendly, but over the past two years, its ambitions have grown considerably loftier.

After being bolstered by early positive feedback from players in the defense and information security industries, founder Adam Ghetti eventually settled on a new mission: to put control of people’s data back in their hands. After crafting the service for nearly two years, Social Fortress is finally opening up the doors to its consumer and enterprise early access programs here at TechCrunch Disrupt SF.

Social Fortress is a beast with many heads, but simply put it offers a way for both consumers and enterprise users to simplify how they access their important data — be it emails, Yammer messages, photos, tweets, or status updates — as well as let them manage who gets to access it by encrypting all that stuff as desired.

“In the old days controlling data meant you had to own and control all the devices, software, and credentials involved,” CTO/CEO Adam Ghetti explained. “Today, controlling all those factors is just impossible.”

The most conceptually simple part of Social Fortress’s feature set is its single sign-on component. When the Social Fortress browser plugin (only for Safari, Chrome, and Firefox — IE support is currently exclusive to the enterprise version) is installed, it takes note of that particular user/device pair being used and identifies people based off that combination and a password. If I were to give you my Social Fortress password for instance, it wouldn’t actually do you any good unless you had physical control over my machine.

The execution sounds pretty complex (mostly because it is), but the end result for users is a dead-simple sign-in process for any credentialed site that requires users to only punch in that single Social Fortress password. More importantly, once a user’s real login credentials for a particular service are stored in Social Fortress (see above), those details are never actually transmitted from device to server (or vice versa) so there’s no chance that a man-in-the-middle attack could reveal sensitive information.

The service does more than simplify credentialing though. With Social Fortress enabled (a one-click process), all of your content looks as you would normally expect it to. Turning it off however reveals what’s actually stored on Facebook or Yammer’s servers — AES 256-encrypted gibberish that ensures that it remains a secret to everyone but trusted individuals that you either import from external sources (Facebook friends, email contacts) or set from directly within the Social Fortress backend.

Well, it’s not entirely gibberish — Social Fortress appends a bit of metadata to the end of each content snippet that makes it searchable using a service’s standard search system, a feature they’ve already filed a patent for. Social Fortress’s data protection component covers more than just text too, as images encrypted by the service are replaced with a bar code until approved users view it with the service enabled. Think of it as a security-focused version of the glasses from They Live.

How the encryption works is surprisingly neat — let’s say for the sake of example that you’re trying to post a secure message or photo to Facebook. After Social Fortress authenticates you, it generates an encryption key and ID for a new message or photo you want to post. From there, that key is used to encrypt the content in question while it’s still on the device, and the resulting secure output is what actually gets uploaded to the social network.
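The flow described above, sketched as an added example; this is not Social Fortress's code. The article only states AES 256 with a key and ID generated per item, so the GCM mode, the in-memory `keyStore`, the dotted envelope format, and the names `protectPost` and `revealPost` are all assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical stand-in for wherever per-item keys live: item ID -> key + trusted readers.
const keyStore = new Map();

// Runs on the device. Only the returned string would be uploaded to the network.
function protectPost(author, plaintext, trustedReaders) {
  const id = crypto.randomUUID();        // ID for this one message or photo
  const key = crypto.randomBytes(32);    // fresh AES-256 key for this item only
  const iv = crypto.randomBytes(12);     // fresh nonce (GCM is an assumed mode)
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(id));        // bind the ciphertext to its ID
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  keyStore.set(id, { key, readers: new Set([author, ...trustedReaders]) });
  // Envelope: id.iv.ciphertext.tag, each part base64url so it survives a text field.
  return [Buffer.from(id), iv, ct, tag].map((p) => p.toString("base64url")).join(".");
}

// Runs on a reader's device. Returns the plaintext, or null if the reader is not
// trusted for this item or the stored envelope was altered.
function revealPost(reader, stored) {
  const parts = stored.split(".");
  if (parts.length !== 4) return null;
  const [id, iv, ct, tag] = parts.map((p) => Buffer.from(p, "base64url"));
  const entry = keyStore.get(id.toString());
  if (!entry || !entry.readers.has(reader)) return null;
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", entry.key, iv);
    decipher.setAAD(id);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: ciphertext, ID or tag was modified
  }
}
```

Because each item has its own key, access can be granted or withheld per post, and a reader outside the trusted set sees only the envelope string.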

And those are just the features that Social Fortress plans to give away for free, though non-paying customers will only be able to encrypt a limited amount of data without shelling out cash. Paying users of the consumer or enterprise versions also get access to AutoDefender, which continually monitors credential changes for any registered sites or services and lets users change all of them in one fell swoop just to be safe. Naturally, enterprises looking to implement Social Fortress’s system will have to pay a bit more than you and me, but the team promises to keep the per-seat pricing model nice and simple.

In short, there’s plenty going on here. Skillful execution of even one of those features could make for a compelling product — Authy, LastPass, and Okta all tackle some of those individual security issues — but it’s Social Fortress’s sheer comprehensiveness that has endeared it to many in the information security community.

To date, Ghetti’s security venture has locked up just over $2 million in funding from major names in the infosec space — Christopher Klaus (founder of Internet Security Systems) and Phil Dunkelberger (co-founder/former CEO of PGP Corporation) were among SF’s first investors. What’s more, Ghetti revealed to me that (another) PGP co-founder and former Forsyth EVP of sales Steve Abbott will be taking over as Social Fortress’s CEO, leaving Ghetti to devote more time to developing the product.

While Social Fortress offers its selection of security features to average folks like you and me, Social Fortress began to focus more on the enterprise sector during its time as part of Georgia Tech’s inaugural Flashpoint Accelerator class. Though the service began life purely as a one-off thing, Social Fortress’s current form wasn’t built in a vacuum — it counts three Fortune 100 companies (Ghetti couldn’t share exactly which ones, but two are financial institutions and the other deals with health care IT) among its initial set of partners.

The benefits for large organizations seem clear — it can link right in with existing services and legacy enterprise applications without too much futzing, and credentials for whole swaths of users can be easily managed from the service’s robust backend. Social Fortress also leans heavily on Dell’s recently-announced vCloud services to enable it to scale for organizations of varying sizes (that it has the backing of Dell’s Innovators Credit Fund probably doesn’t hurt its appeal). Then again, the setup and use of the service is simple enough for average folks to use too, so Social Fortress may well pick up fans on both sides of that divide.


What is your go-to-market strategy?

Currently, the strategy is to continue iterating the product inside early access partners, and we will give away the password management and data management solutions free to all users.

You’re breaking Gmail search?

We still support search. The majority of the search process is still handled by Google or Yammer, but we append some mathematical metadata that can still be indexed by the service provider.

So people can view the content I’m sharing only if they have your client installed as well?

Correct, we’re like Acrobat Reader — you get it once and you never get it again.

This type of thing has been around email for years, and people don’t use it because it’s a change in user behavior. Why do you think this is something people will actually use?

Because it’s our job to stay the hell out of your way, they have absolutely modified the user experience. We don’t. Enterprise users don’t even see it; IT deploys it.

You’re basically screwing with my Facebook newsfeed.

That is correct, as it stands today we do break a lot of the analytics algorithms. Some of the early pilots we’re looking at in the enterprise is we’re actually working with them to integrate aspects of our technology into their process.
