Encrypting data kept in storage (data at rest) as well as data as it is being transported from one server to another (data in transit) has become a standard business practice.
Yet there remains a singular security gap in the way companies collect, store, access and analyze business data, both on premises and, especially, in the cloud.
Related article: Cloud providers take on security burden
To do a simple database search — or to complete more sophisticated tasks, such as data analytics — stored data must first be decrypted. Or put another way, encrypting data often breaks applications and application functionality further limiting its use and implementation. This creates a viable opportunity for an intruder lurking on a company’s network to steal the data in decrypted form.
Make no mistake, this is a profound exposure, one that has become increasingly worrisome as “digital transformation” accelerates and companies shift more data storage, software development and data analytics into the cloud.
The good news is that the commercialization of a long sought-after technology breakthrough that directly mitigates this singular risk is gaining traction in multiple forms. There is an emergence of new data protection and encryption capabilities that leverage different cryptographic techniques. Homomorphic encryption, secure multiparty compute (SMPC), and enclave computing are all solutions that have been recently released to market.
A Silicon Valley-based startup called Baffle is in the thick of this important development. I recently had the chance to sit down with Baffle’s co-founder and CEO Ameesh Divatia. For a drill down on our conversation, please listen to the accompanying podcast. The key takeaways:
Some context: Organizations today routinely encrypt data at rest, as well as data in transit. However, to actually encrypt data in use without breaking application functionality creates a significant business challenge. Further, protecting the data in memory and in use becomes more critical given the methods recently employed to steal data, and herein lies the worrisome security gap.
Enter homomorphic encryption, a computational methodology that has been hashed over for decades by math geniuses toiling in skunk works at a National Security Agency and in private research labs at places like IBM, Microsoft and Stanford. It wasn’t until 2008 that an IBM researcher name Craig Gentry came up with a way to perform mathematical operations on encrypted data without first having to decrypt the data — the first working example of homomorphic encryption.
However, Gentry’s early prototype required an inordinate amount of computing power. Advances came slowly, and it has only been in the past two to three years that researchers figured out how to overcome the computational hurdles. Jason Matheny, director of the Intelligence Advanced Research Projects Activity, told attendees at the Billington Cybersecurity Summit in March 2017 that it took “math magic” to put homomorphic encryption on the threshold of commercially viability.
Meanwhile, around 2015, Divatia, a serial entrepreneur with a penchant for solving very difficult enterprise problems, had some time on his hands. Divatia had previously led Lightwire Inc., a supplier of complementary metal-oxide-semiconductors, which Cisco acquired for $271 million. He followed that up with two other venture-funded startups: storage virtualization firm Aarohi Communications, acquired by Emulex Corporation for $39 million, and optical networking firm PipeLinks, also snapped up by Cisco for $126 million.
The burgeoning cybersecurity challenge, and, in particular, the nascent homomorphic encryption problem, caught Divitia’s eye. “The light bulb that went off was, ‘There has to be a way how we can actually do opaque computations of data,” Divatia told Last Watchdog. “So even if, or when, hackers get in they’d have a narrow threat surface to work with because the data is always encrypted, even when it is being processed.”
As he did thrice before, Divatia surrounded himself with subject matter experts and raised venture backing, some $10.5 million to date. Baffle launched in 2015 and rolled out its first product offerings, an advanced data protection service with homomorphic-like encryption properties. Baffle claims its solution has virtually no performance hit, and does not require applications to be re-written.
“We offer a very well-architected mechanism to allow data to be accessed without compromising the underlying data,” he says. “The vision we have is to create this platform where data producers and data processors can collaborate with each other without ever compromising the underlying processes.”
Baffle competes against newer companies like Enveil and Galois, as well as tech giants Oracle, Microsoft and IBM; and Netherlands-based Gemalto and France-based CryptoExperts, among others, are also in the mix.
While it is still very early, I’ve had discussions with cybersecurity experts and VC investors who strongly believe advanced encryption schemes are destined to be truly disruptive.
Shrinking attack surfaces
By design, it shrinks the attack surface for organizations increasingly dependent on cloud services, which will make compliance and regulation enforcement easier. Well-defended networks are the long-term solution to meeting a rising tide of state-imposed data security rules, such as those recently enacted in New York, Massachusetts, Vermont and Colorado.
What’s more, this week Europe’s revised General Data Protection Regulation (GDPR) rules take effect imposing steep penalties for data breaches, regardless of how a data breach occurs. “Privacy regulators now don’t care about how the data is protected, they just penalize you if you lose the data,” Divatia observes. “For the first time, GDPR has teeth and it is able to now really hurt the entities that lose data. Article 25 actually is very explicit about the fact that security has to be by design and by default.”
Meanwhile, the disclosure in early January of Meltdown and Spectre, the critical vulnerabilities that exist in just about all modern computer processing chips, put a spotlight on the exposure of data in a decrypted state. Meltdown and Spectre do precisely this at the microcode level, as data is being moved in and out of memory. For a drill down on this fresh, wide open attack surface see Last Watchdog’s news analysis piece on the coming wave of microcode flaws.
It will take Intel, AMD and ARM years to design and pervasively distribute the next generation of computing chips that eliminates this class of microcode flaws. Encrypting data in memory and in use gives companies a way to never have to decrypt any of their underlying data, mitigating the risk of data exposure via microcode flaws.
As Divatia puts it: “The only way to actually protect data is to protect it at the record level, because if you protect the data at the record level it doesn’t matter where the data ends up.”
Face it, the bad actors are already in, and if not, a single, simple mistake or misconfiguration opens the door. Data-centric protection baked in at a foundational level is part of the long run answer to making digital commerce as secure as it ought to be.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/advanced-encryption-that-locks-down-underlying-data-arrives-to-support-digital-transformation/