Skip to main content

tiCrypt Principles

· 3 min read
Thomas Samant
Betuel Gag
Alin Dobra

1. Security First

  • Security is the top priority, and the architecture is designed with security as the central consideration.
  • A comprehensive approach to security is taken, going far beyond perimeter protection with Firewall, VPN, and intrusion detection systems.
  • Zero-trust is implemented using cryptography rather than solely relying on access control lists (ACLs).
  • The goal is to architect a complete solution rather than "patching" security vulnerabilities.
  • Features are only added if they do not compromise security.
  • There is no notion of public/unsecured data; explicit sharing is the only allowed method.
  • Default shut is favored over default open.
  • Public-key cryptography (PKC) is the core concept, with all security mechanisms based on PKC.
  • Password-based authentication is not used, and extensive use of cryptography is implemented.
  • End-to-end encryption is utilized, and each resource is independently protected.
  • Encryption keys are managed using PKC, and cryptographic isolation is enforced.

2. Separation of Duties

  • Admin power is decentralized uniformly throughout the system to prevent data breach entry points, even if an admin account is compromised.
  • Access control and end-to-end encryption are used together, with the addition of two-factor authentication (2FA) for enhanced security.
  • Extreme flexibility is provided in terms of operating system support (Windows and Linux), tooling support (AI + GPUs), and the full software stack.
  • The overhead for small and large projects is kept minimal.
  • Researchers are empowered to manage and control their data and workflows, decentralizing management and minimizing the role of admins.
  • Admins define mechanisms and monitor usage but have no access to user data.

3. Mechanism instead of policy

  • The focus is on enforcing behavior through mechanisms rather than relying solely on policies.
  • Mechanisms are designed to prevent and deter bad behavior, with system-enforced capabilities.
  • Automated system-enforced mechanisms reduce the risk of human error and ensure consistent adherence to security protocols.
  • Severely reduce the number of FTEs and "police" behavior responses.
  • Policies should only dictate the mechanisms used for enforcement.

4. Support diverse research workflows

  • tiCrypt supports diverse research workflows with Windows and Linux OS support, AI + GPU capabilities, and compatibility with various hardware devices.
  • It provides flexibility in deployment, allowing on-premises bare-metal servers, cloud deployment (AWS,Azure,Google Cloud,etc), hyper-converged solutions (Nutanix, RedHat,etc), and hybrid models (on prem+cloud).
  • Accommodate non-uniformity and "borrow" VM hosts from both cloud and HPC clusters.
  • Compatibility with existing security and infrastructure solutions such as Duo, Shibboleth, firewalls, and VPNs is ensured.

5. Detailed auditing

  • Auditing is fully integrated into the secure system, addressing compliance requirements directly.
  • Different projects may have specific auditing requirements, and the system caters to those needs.
  • tiCrypt solution includes an audit system that produces compliance reports, maintains a very detailed audit trail, and retains audit logs for the entire history of the system.
  • Reports allow audit pre-dictions of data behavior.


  • Partial success can be achieved with significant effort, but there may be system blind spots and limited supported workflows. tiCrypt is the result of a collaboration with University of Florida over ten years, designed to address all compliance and security needs, making it a proven security unicorn.
  • The three pillars of compliance include strong security, system enforcement, and comprehensive auditing and reporting.
  • All features are designed to meet the rigorous compliance standards of public institutions.