Blogs

Key Management Is 90% of the Problem

The world's top cryptographers lost their own election key. Here's why key management, not encryption algorithms, is where the practical problems lie.

AI Is Eating Your Data

Tech companies hoard your data and AI is hungry for more. Here's how encrypted search and privacy-enhancing tech are fighting back.

Seald's U.S. Shutdown: Migration Options

Seald's U.S. shutdown came with little notice, while its European customers get 'alpha' status with no support. Here's a comparison with a better option.

AI Coding Agents: Our Privacy Line in the Sand

How IronCore draws the line on AI coding agents: our policies for protecting customer data, secrets, and source code while still leveraging AI's power.

One Unchecked Box, One Billion Records: The Human Error Problem

One unchecked authentication box exposed 1 billion Chinese police records. Studies show human error is rising as a cause of breaches. Here's how you can survive mistakes.

Illuminating the Dark Corners of AI (annotated presentation)

Full annotated transcript of my DEF CON 33 presentation on exploiting shadow data in AI models and embeddings. Learn how attackers extract training data, system prompts, and private information from vectors, plus practical defenses.

MCP Servers Are Electric

MCP servers promise magic, but one prompt can blow up your GitHub, Salesforce, or entire stack. Here's why LLM integrations are far more dangerous than vendors admit.

Privacy-Preserving AI: The Secret to Unlocking Enterprise Trust

Enterprises are blocking vendors from training AI on their private data. Learn how privacy-preserving tech like encrypted models can restore trust, win deals, and enable AI features.

The Terrifying Takeaways from the Massive OAuth Breach

Massive Salesforce, Google & Salesloft hacks expose OAuth risks. Learn why tokens are dangerous and how SaaS vendors are screwing up security.

IronCore Named a 'Cool Vendor in Data Security' by Gartner

IronCore Labs is a Gartner Cool Vendor in Data Security 2025 for its ability to encrypt large amounts of AI data.

The Rapid Evolution of Bank-Grade SaaS Security

Financial institutions are demanding SaaS vendors adopt application-layer encryption and hold-your-own-key solutions. Here's what's driving the increase in pressure.

When Randomness Backfires: Security Risks in AI

LLMs produce different results every time and sometimes those results are outliers that can be used by hackers to exploit systems.

Vector Encryption, AI, and the Slow Pace of Standards

Why DCPE may be the best option for securing AI data while NIST standards for privacy-preserving encryption remain years away.

Breaches Happen — But Data Theft Shouldn't

Major breaches expose the data of millions of people and all due to single failure points and a lack of security in depth.

Training AI Without Leaking Data

Learn how to protect sensitive data in AI training by using encrypted vector embeddings. This blog explores privacy risks in AI and presents secure methods like approximate-distance-comparison-preserving encryption to enable private, efficient machine learning without exposing personal or business information.

PCI v4 Now Mandates Application-layer Encryption

What's new in PCI v4 and what it means for protecting account holder data. Dives into the specific requirements and suggestions as well as the extra requirements directed at multi-tenant SaaS companies.

AI Security Risks Are Real -- Here's 12 Questions to Ask Your Software Vendor

Before trusting vendor's new AI feature, ask these 12 critical security questions to protect your data, prevent breaches, and ensure compliance.

10 Essential Security Steps Before Launching Your AI Feature

Stay ahead of threats like prompt injections, data leaks, and model manipulation with proactive measures every company should take before rolling out AI features.

OWASP's Updated Top 10 LLM Includes Vector and Embedding Weaknesses

OWASP released their second version of the Top 10 for LLM Applications, and it now includes vector and embedding weaknesses among other major new issues that go beyond the LLM model itself

Privacy Guide to Apple Intelligence with ChatGPT

Apple has done a lot to preserve privacy when you use their AI, but all of their privacy promises evaporate when you use Apple's ChatGPT integration.

Private Communications for Email and Text Messages

A checklist of things to do to better protect the privacy of your emails and text messages as a guard against hackers, surveillance capitalism, and overreaching and authoritarian governments.

Identity Theft Protection Checklist

A privacy checklist series covering what people should do to keep themselves safe online. This first part covers steps to take to prevent identity theft.

Build Your Own Application-Layer Encryption?

A discussion of how to design a system to use application-layer encryption and the non-obvious considerations that add complexity

Using MySQL's Built-in Encryption: A Terrible Idea

6 reasons to avoid MySQL's native encryption functions from bad cryptographic choices to terrible side effects, we explain why you should think twice.

Application-layer Encryption (ALE) Demo Using a Notes App

We walk through a demo using a notes app clone that's normal on the front end, but entirely encrypted in the backend including search and AI chat functionality.

How To Talk To The Business About AI Security Risks

Get budget to secure your AI systems and drive conversations with your vendors before AI insecurity bites you and your company.

Using Application-Layer Encryption to Restrict Insider Access

SaaS companies are often asked whether their employees, like their database admins, can see customer data. The answer is almost always yes. But it doesn't have to be. ALE provides stronger security guarantees.

Snowflake and AT&T Breaches Were Preventable With Application-layer Encryption

The attacks on Snowflake and the recent successful attack on AT&T customers via their Snowflake data lake shows yet again how major enterprises are failing to secure the data they hold and why application-layer encryption and security by default are so very important, though so often overlooked.

Analysis of Apple's New AI Private Compute Cloud

Apple announced they're adding OpenAI support to their devices, but they're going to run the large language models in a privacy-preserving way. We analyze their approach and break it down.

Securing AI: The Stack You Need to Protect Your GenAI Systems

We explore the different vendors that are producing solutions for GenAI security, group them into categories, look at which categories are necessary and when, and make recommendations on a professional, enterprise-grade secure AI stack.

The Encrypted Messenger Wars

The Telegram vs. Signal debate is a smokescreen for what really matters and while there's a clear winner in the debate, the thrown accusations are a losing proposition for us all.

Testing End-to-End Encryption Claims

Claiming end-to-end encryption is becoming commonplace, fortunately testing claims can be easy.

5 Things SaaS Companies Get Wrong with BYOK

BYOK or Bring Your Own Encryption gets interpreted in many different ways and delivered to customers many more ways yet. There are five ways that software providers often get it wrong when delivering BYOK to their customers.

There and Back Again: An Embedding Attack Journey

Reversing text embeddings is so easy, even your grandmother can do it. Encrypt them to avoid leaking all your sensitive data to the internet.

The Hidden Dangers of Face Embeddings: Unmasking the Privacy Risks

Is your facial recognition system leaking faces like a sieve? Yup. Can you stop it? Yes.

7 Predictions for 2024

The hype machine is in full swing, but our predictions ignore the baloney and focus on what's likely.

Forbes: AI Systems And Vector Databases Are Generating New Privacy Risks

With the right policies, questions and tools, organizations can take advantage of the transformative power of generative AI while also protecting sensitive customer data.

"Embeddings Aren't Human Readable" And Other Nonsense

The research and breakthroughs in embedding inversion attacks make it clear that embeddings are, in fact, reversible back into forms that are fully human readable.

Waitlist Now Open for New Encrypted AI Vector Embeddings Solution

Protecting the long term memory of AI is paramount as advanced capabilities become the norm.

Rethinking the broken complexity of cloud security

Modern infrastructure requires a modern approach to security by protecting what matters most: the data.

A Security Expert's Data Privacy Checklist

As a security professional, the top question I get is, "what do you do to protect your own privacy?" Here's what I recommend, along with a checklist at the end.

Top 3 Ways to Justify Encryption to the Business

How to explain the importance of data privacy and data security before introducing encryption in a conversation.

6 Predictions for Cybersecurity in 2023

The hype machine is in full swing, but our predictions ignore the boloney and focus on what's likely.

Product Showcase: Searchable Encryption in Elasticsearch and OpenSearch

Help Net Security spotlights Cloaked Search and what security personnel need to know.

Meta Amasses $1B In GDPR Fines and Still Undeterred... For Now

Meta has had a bad year with privacy violations and sloppy data security coming home to roost. How bad is it? Really bad.

OpenSearch Partner Highlight: Using Cloaked Search to Protect Your Data

The data in your OpenSearch indices can be a big security hole. IronCore's Cloaked Search can plug that hole without shutting down search on the data.

Forbes: How To Be Crypto-Agile Before Quantum Computing Upends The World

Change is coming to cryptography and some of that change will be extremely disruptive to the Internet and companies building software. Here's how to be ready.

How To Neutralize Toxic Data In Custom Fields

Custom fields are a mainstay in B2B software, but they are often abused by customers who store sensitive data in them. Encrypting these fields reduces risk from privacy and security failures.

Key Management R Hard

Providing advanced encryption to all your customers is a win-win.

Forbes: We're Living Through A Digital Privacy Catastrophe: It’s Past Time For A Serious Nationwide Privacy Law

Companies can do almost anything they want with our digital data, including selling it to the U.S. government.

How To Be Crypto-agile: Building Cryptographic Resiliency In The Age Of Quantum Computers

Crypto-agility is an approach that allows you to pivot quickly when post-quantum computing becomes a reality.

Forbes: The Rise Of Encryption In A Schrems II World

Companies can do almost anything they want with our digital data, including selling it to the U.S. government.

What You Need To Know About The New Trans-Atlantic Data Privacy Framework

How U.S. companies should think about this new proposed replacement for the EU-U.S. Privacy Shield Framework.

The Trouble With FIPS: Encryption Standards Need a Makeover

FIPS 140 sets the standard for cryptography used in the United States, but it's got problems. Because of FIPS, we all have problems.

Announcing Our Startup Program

Why It’s Important for Startups to Build Right From the Beginning

A Contrarian's 2022 Tech Predictions

Once again, we'll see a huge rift between the hype and what the press covers versus where the real momentum is building.

AppSec Fails and the Incredible Durability of Application Vulnerabilities

As companies mature, they often look to increase their application security. But more often than not, they ignore one critical piece.

Infographic: How to Get Started With Application-layer Encryption

Application-layer encryption (ALE) is the best way to keep the data you hold safe, but there are a lot of pitfalls to doing it yourself from scratch, which is why few companies have historically used ALE. Thankfully, that's changing as it becomes more accessible.

Solving Search Over Encrypted Data

Encrypting data turns it "dark", but data is most useful when you can find it. And that's where encrypted search comes in.

An Open Letter to Apple: Please, Please Replace Objective-C with Rust

Your iOS 15.1 update fixes 22 vulnerabilities. Thank you. But here’s the thing: of those twenty-two, at least sixteen of them were due to memory bugs.

A Checklist to Quickly Evaluate SaaS Security

You don't need extensive infosec reviews to gauge the relative maturity of a SaaS company's security. You just need their website.

Application-Layer Encryption Defined

It's a simple concept made complicated by security vendors. We dispel the fog of B.S. in this mini-blog.

The Lack of Security Layers in SaaS

SaaS apps are systemically under-protected with laughably few layers to prevent a catastrophic breach.

An Unpopular Opinion: Apple's CSAM Detection Is A Net Good

I don't agree with the "slippery slope" and "backdoor" arguments

How the Cyber Insurance Industry Can Stop Ransomware

Cyber Insurers can help the tech industry level-up their security. If they want to.

Why Your SaaS App Needs Better Encryption

You can't afford to have customer data leak

Evaluating Newly Proposed Privacy Regulations

New privacy laws are popping up like mushrooms here in the U.S., which we love to see. But it can be hard to tell whether these proposed laws are meaningful or not.

SaaS Security: How To Handle Sensitive Data

Why SaaS Companies Should Offer Customer Managed Keys

The New Economics of Holding Personal Data in 2021

Hidden penalties buried in CCPA will radically change the cost of the next big data breach.

What Ring Got Wrong With End-to-End Encryption

We'll dig into what they did, from usability through to the cryptographic choices they made.

Opinion: Huge cyberattack shows it's time to fix our failing cybersecurity infrastructure

We live in an age of asymmetric cyber warfare where even small teams of attackers have an advantage over large and well-funded defenders.

Infographic: The Customer Managed Keys Buyer's Guide

More and more enterprises are offering customer managed keys (CMK), but not all CMK are created equal. This infographic compares CMK available from different companies.

Privacy Was On The Ballot

The voters have spoken and they want laws protecting their privacy. Four states made progress this cycle.

Free Tool for Startups Getting SOC 2 Certified

IronCore Labs' team developed a SOC 2 internal dashboard tool that's available for public use.

How to Handle EU Data Without the EU-US Privacy Shield Framework

Three Technical Approaches to Handling EU Data Without Privacy Shield

The Cloud Needs More Sunshine

Twitter is just the most recent reminder of how broken the cloud remains

New Ways to Address Modern Privacy Challenges

An IronCore Labs Product Update

Rally Software Leads the Industry in Data Privacy With Customer Managed Keys

Customers want data control, and with IronCore Labs, that's what Rally offers

Deidentifying Data: The Fool's Trap

Re-identification is trivial by joining other data sets

SaaS Trust Models for Security and Data Privacy

You can't compare the privacy of SaaS offerings until you understand their trust model.

Insights From Slack and Salesforce: Grow Your SaaS With Premium Data Privacy

Early adopters of premium data privacy are doing well. Here's one reason why.

Warning: SaaS Privacy Debt Will Crush Your Roadmap

An open letter on why kicking the can down the road is catastrophic for the future of software

How SaaS Companies Avoid Compelled Access With Encryption

A Look at Trust, Corporate Data, Government Prying, and Practical Defenses

Welcome to the Revolving Door of Personal Data

Why Clearview AI even exists: U.S. government sells data to industry and then buys it back using a warrantless search loophole

Highlights From Real World Crypto 2020

Things that made us go, "hmmmmmm"

Agile Approaches to Privacy and Security for SaaS Vendors

Highlights From the Agile Amped Podcast With Rob Pinna and Leslie Morse

IronHide: Better Team Encryption

A few months ago, we quietly released a little utility that brings the power of proxy re-encryption to the command line. Proxy…

Military Grade Encryption

And other security marketing bullshit

CCPA: What You Need to Know

The California Consumer Privacy Act takes effect on January 1st, 2020. If you're a dev or work for a software company, this affects you.

IronCore Is Now SOC 2 Certified

We are proud to announce that we have successfully completed the Service Organization Control audit known as SOC 2 Type 1. SOC 2 is a…

Policy-Based Client-Side Encryption in Angular

And How To Fix It

DoD's Distributed Data Problem

And How To Fix It

IronCore Labs Proxy Re-Encryption Library Audit by NCC Group

We believe there's a right way to do things. With cryptography, that's even more important than almost any other area of software, save…

IronCore's Privacy Platform Helps Developers Unlock Enterprise Sales

Today, security and privacy scandals flood the news, and customers are demanding to know who can access their data, who that data is shared…

Mastering Emotion in Marketing Copy

A tale of three books with an unexpected intersection

How Not To Handle a Breach

Equifax Shows the Way

Audit Your S3 Storage Immediately

A Quick and Dirty Guide

The Proliferation of Under-protected OAuth Tokens

The Hidden Cost of Cloud Management Services and Integrations

Announcing "Customer-Controlled Data"

A big step for Customer Managed Keys and a giant leap forward for cloud software

How the 4th Amendment Is Bypassed

The U.S. Constitution doesn't pull any punches. The Government does not have the right to sift through the communications or property of…

Baby Steps with NY's New Financial Cybersecurity Regs

Banks, insurance companies and other financial services companies in New York will soon be subject to new, stronger regulations around…

Quantum is the New Global Arms Race

China Takes the Lead

Bits, Banks and Burglars

What Happens When Digital Currency Is Stolen

The Worsening State of Application Security

At the Defcon conference last year, I was struck by the simplicity of most of the hacks that were being described. Five years ago, most of…

The Inevitable Demise of Perimeter Security

Computer security today follows classic real-world military approaches: make a perimeter; fortify that perimeter; ensure that only…