Security audited by a third party
The information security of Tosibox products, services, and operations is officially audited. The security audit was conducted by a global independent company according to the ISAE3000 Assurance Standard, and the controls and content of the audit were based on the ISO 27001:2013 standard and the OpenSAMM Software Assurance Maturity Model. See the news article and press release for more information.
Secure by design
In the design of our products, we follow a set of fundamental principles that result in a superior level of security:
- Trust is based on physical matching – This unique process matches together, cryptographically, the physical TOSIBOX® devices, creating a trust relationship between them.
- We use two-factor authentication (2FA) in our products. It means that there are two different things required for the user to authenticate and get access:
  - Something that the user has – the physical TOSIBOX® Key or a mobile device
  - Something that the user knows – the password
- End-to-end encryption – The VPN connection is established directly between the TOSIBOX® devices and the data can be decrypted only at the connection end points (devices). Nobody – not even Tosibox Oy – can decrypt the data in between.
- Thanks to our patented connection method, the connection can be established even when both parties are behind firewalls or NATs. As a result, TOSIBOX® devices have no services that are constantly listening or exposed to the Internet.
- Simplicity is also good for security. In addition to making our products secure, we have put a lot of effort into making them easy to use. With fewer things for users to remember and worry about, TOSIBOX® products are practically impossible to misconfigure.
- TOSIBOX® products have no backdoors and Tosibox Oy does NOT retain any private keys or passwords for the products. Our technical support can access the Lock only after the user has explicitly turned on the remote support feature.
- In our products we use industry-standard and proven technologies such as the RSA cryptosystem, AES encryption, Diffie–Hellman key exchange and TLS sessions.
See also the Tosibox Information Security white paper for a more detailed description of the security technologies, algorithms, and protocols that are used in TOSIBOX® products.