Google Vault Makes Play for Mobile Security Hardware Space

Last week Google made a splash with its latest futuristic tech offering: Project Vault. In essence, this mini-computer on an SD card is designed to enable secure authentication, communications and data storage on your smartphone or laptop. So what exactly is going on here? After years experimenting with Android, has one of the world’s biggest software companies finally admitted hardware-level security is the way forward? And if so, what are the implications for enterprise and consumers?

What is Vault?

First up, let’s be clear: Vault is very much a work in progress. How can we tell? Because it was demoed at Google’s I/O developer conference and the team responsible is the firm’s ATAP (Advanced Technology and Projects) group. As it is, the basic idea is a low-powered computer that can fit in a microSD card slot on your smartphone, laptop, etc. to make the device more secure. It runs a custom Real Time Operating System (RTOS), features an ARM-based processor, NFC and antenna and 4GB of “isolated” storage for your most sensitive data.

It offers the possibility of encrypted communications, improved authentication and more – which should be welcome in theory to all enterprise users, in a world increasingly dominated by sophisticated targeted attacks aimed at stealing personal information and sensitive IP.

Return to the future?

I find it intriguing that in many ways this could foreshadow a return to the original computing paradigm: the pre-cloud world where end users stored all their data locally. With the internet and advances in computer power there came cloud computing, and companies like Facebook and Google which amassed their huge fortunes on storing your data on their servers – and selling it to the highest bidder. The logic was that they’d be able to take better care of it than you – after all, they have the resources and expertise to make the whole computing experience more powerful, efficient and secure.

But soon people started to realize that this wasn’t perhaps the best, most secure model around. Ever resourceful, cyber criminals became adept at finding and exploiting the weaknesses and the gaps in this system. I don’t think we can underestimate the significance of one of the world’s largest cloud computing businesses offering us something which takes security back to the device and hardware level.

Our mobile devices are the key to this shifting trend. Why should we want to centralize our data – handing over our privacy and responsibility for security – with faceless corporations, if we can consume and create content just as well via networks of connected peers? I can see a point in the not-too-distant future where consumers and businesses begin to take control back from the cloud.

In Google we trust – really?

So what can we say about Project Vault? Well, I’d argue that it’s great to see Google raising awareness about the need for hardware-level security solutions. As I’ve said many times before, the software security model is broken and we need to look down the stack to the silicon to rebuild trust among users. But can we trust something – albeit an open source project – developed by a company which still makes around 90% of its total revenue from advertising? A privacy-enhancing tool unveiled by a company which has done almost more than any other on the planet to whittle away personal privacy?

That’s not to mention Google’s patchy record when it comes to enterprise IT. Although it has made massive strides in this area, the impression among enterprise technology buyers, not entirely unjustified, is that it still doesn’t really “get” corporate IT. Can we trust it with something as important as mobile security? After all, the Android platform accounts for over 90% of malware and a string of design deficiencies has made it a nightmare for IT managers tasked with securing modern BYOD environments.

Is decoupling the security from the device with Vault an admission by Google of its failure in mobile security?

Then there are the details … or lack of them. One of the few things we know about the project is that it features an SD-card sized computer. But how many mobile devices today incorporate SD card slots? Apple certainly doesn’t. And Samsung has gone the same way with its flagship Galaxy S6 handset. More device makers might well follow as they aim to shave off vital millimeters in the quest for ever-sleeker models. It’s an intriguing move to say the least – even Google abandoned SD cards with its later Nexus handsets. Perhaps there literally aren’t any other form factors to work with. At least the specific corporate customers Google is targeting initially should be able to dictate handset requirements for their end users.

Late to the game?

In fact, it’s not even really a fully functioning SD-card sized computer as yet. From what I saw of the product at the great reveal at I/O it required extra hardware to perform the video encryption trial. The truth is that sticking all that computing power into such a small form factor is pretty difficult to do. But more importantly, it has actually been done before.

CUPP Computing, one of the driving members of the prpl Foundation, designed a mobile security engine starting several years ago. It was an industry first in delivering encryption, secure communications, anti-malware, web reputation and app behavior analysis all from a microSD card. Project Vault doesn’t even yet include key components like IDS/IPS, firewall and so on. (Disclaimer: I am an advisor for CUPP Computing.)

So is there a market for any of this stuff? Well, as you can probably imagine, Google wouldn’t be throwing its weight behind the project if it didn’t think there was. CUPP Computing interviewed hundreds of IT leaders in the US, UK, Germany, France and Japan to compile research on this a few months back. The results were overwhelmingly positive. In fact, 74% said they were extremely or quite interested in an SD-card sized security subsystem that could offer anti-malware, web reputation, firewall, and IDS/IPS.

You won’t be able to buy Project Vault anytime soon. And to be honest there isn’t anything hugely innovative in what Google is doing here. Apart from CUPP Computing’s mobile security engine there are a plethora of “vault”-type devices on the market from the likes of Koolspan, Secusmart and Go-Trust. In fact, there are so many that we could be in for a busy period of vendor consolidation and/or patent legal disputes.

It’s certainly great to see hardware-level security get another hefty dose of publicity. But is Google really the vendor to make the breakthrough in the enterprise market? We shall see.


Are you concerned about the security of your mobile device? Would you consider stronger hardware-level security for your personal data? Would you trust Google to protect your privacy? As always, I’d love to hear from you …

About Cesare Garlati
Co-Founder, Hex Five Security, Inc. - Chief Technologist prpl Foundation
