Home » Cybersecurity » SBN News » NEW TECH: Breakthrough ‘homomorphic-like’ encryption protects data in-use, without penalties

NEW TECH: Breakthrough ‘homomorphic-like’ encryption protects data in-use, without penalties

by bacohido on September 30, 2019

Homomorphic encryption has long been something of a Holy Grail in cryptography.

For decades, some of our smartest mathematicians and computer scientists have struggled to derive a third way to keep data encrypted — not just the two classical ways, at rest and in transit.

The truly astounding feat, aka homomorphic encryption, would be to keep data encrypted while it is being actively used by an application to run computations. Cryptographically speaking, this is the equivalent of moving the Himalayas, not just Mt. Everest.

There is an esoteric two-horse race that a small circle of folks in the cybersecurity and venture capital communities are riveted on. The stakes couldn’t be higher. It’s a race to deliver a commercially-viable homomorphic encryption tool – something that’s going to be needed if we are to vault into higher tiers of digital innovation.

Galloping along the rail, Google, Intel and Microsoft are leading a methodical effort to come up with consensus homomorphic encryption standards, even as a handful of VC-backed startups are hustling to overcome limitations in current working versions of their prototype tools.

Charging hard from post position no. 2, another group of start-ups, flush with VC cash, is gaining ground with “homomorphic-like” technologies they claim have the same benefits as the purely homomorphic tools, but none of the performance penalties.

A prominent member of this latter group is Mountain View, CA-based Fortanix, which has attracted $31 million in VC backing and grown to 60 employees since its launch in June 2017. Having written a few stories on homomorphic encryption, I was eager to meet with Fortanix co-founder and CEO Ambuj Kumar at Black Hat 2019. For a full drill down on our wide-ranging discussion, please give a listen to the accompanying podcast. Here are the key takeaways:

Runtime in focus

You might well ask yourself: why is keeping data encrypted while an application is using a data set so vital to the future of computing? It’s because elite threat actors already possess the ability to insinuate themselves deep inside of company networks and launch stealthy, quick-strike attacks – in memory, during runtime.

Runtime refers to the period of time between opening a software program and quitting, or closing, it. During runtime, pieces of the application get loaded into the RAM (random access memory) of the computing device’s CPU (central processing unit) allowing the app to do its thing.

Runtime is foundational to our digital world. Looking ahead, runtime will remain an integral part of any advancements made in cloud computing and machine learning. We’re moving toward a day when organizations will be able to partner and collaborate on several levels in the cloud; one company might gather and store a rich data set, several partners might run proprietary computations on the data set, and yet another vendor might supply the infrastructure.

However, to get to those payoffs, runtime cybersecurity exposures must first be addressed.

The power of ‘never decrypt’

Homomorphic encryption is a very advanced form of cryptography that allows you to perform operations on encrypted data as if it were plain text. The data never actually gets decrypted. This capability could blow the doors of digital commerce wide open – but it is extremely difficult to pull off.

Mathematicians and computer scientists spent decades theorizing about a “never decrypt” scenario. Then in 2008 an IBM researcher named Craig Gentry came up with the first working example of homomorphic encryption. Gentry’s prototype consumed vast amounts of processing power. Even so, he sparked interest in a commercial future for his breakthrough.

IBM, Microsoft and Stanford stepped up private research. And the National Security Agency developed a tool to search encrypted travel and financial records, and telephone and email logs, without ever exposing the underlying data, which would have constituted privacy invasion.

Soon venture capitalists began recruiting researchers to develop a commercial tool. They foresaw early adopter use cases of a homomorphic encryption tool in the mergers and acquisitions arena, where very high stakes research of encrypted data takes place, and in healthcare, to help migrate health records into cloud storage. Longer range, investors envisioned homomorphic encryption someday enabled secure autonomous transportation systems, smart cities and other Utopian innovations.

Skin-the-cat alternatives

Kumar

The technology did steadily improve. Yet, the homomorphic prototypes on the market today can be cumbersome to implement and limited in functionality, Kumar told me. “Homomorphic encryption is still very theoretical at this point,” Kumar says. “It can only do very simple applications, and it’s very slow and not really practical.”

In technology, as in life, there almost always is another way to skin the cat. Enter “homomorphic-like” technologies. Secure multiparty compute (SMPC), and enclave computing have emerged as alternative approaches to keeping data encrypted while in use by an application. Fortanix has been making hay as a supplier of the latter, enclaves, in a way that accomplishes much of what homomorphic encryption does, Kumar says.

Consider that elite threat actors – the ones pulling of advanced APT hacks – are expert at lurking deep inside of networks; they can very efficiently and elusively carry out all manner of malicious activity by tapping into the OS memory, during runtime, when an application is accessing data in decrypted form, he noted.

“Once they’re on your network, they figure out where your sensitive applications are running, they go on those machines, then they basically see what sensitive data is there and they steal the data,” Kumar says.

Application immunity

Fortanix’s innovation leverages Runtime Encryption® technology, powered by Intel® SGX which is both a partner and an investor in the company, to create an enclave around mission-critical applications. An enclave very strictly limits internal access to the application; access to any data used by the app — during runtime – is severely and rigidly restricted.

“We said, ‘let’s give immunity to the application” Kumar told me. “The application runs in a very, very secure virtualized environment, so even if your root user is compromised, or your operating system is compromised, or even if there are bugs that you don’t know about, or bugs you have not patched, attackers cannot steal data from your application because your application is, in effect, running encrypted all of the time.”

Fortanix appears to be doing something right. It had little trouble raising $8 million in Series A funding, followed by $23 million in a Series B round earlier this year. Besides Intel, it has secured partnerships with data center giant Equinix and Chinese search and cloud services giant Alibaba.

Cloud services vendor Elastx gave this testimonial praising the efficacy of Fortanix’s solution. What’s more, the company won “cool vendor” accolades from Gartner and was named it a runner-up in the RSA Innovation Sandbox for “most innovative startup” at RSA 2018.

“Our customers are people who want to use infrastructure to do more and more things, and to do that they need to deal with runtime exposures,” Kumar says. “Our mission is to solve cloud security and privacy. We understand that we need to continuously increase the capability of Runtime Encryption® and continuously up our game.”

It’s encouraging to seeing startups like Fortanix pushing the cart forward like this. Any success suppliers of homomorphic-like tools earn is sure to keep the lead horse galloping at top effort. Maybe both horses will smell the roses. I’ll keep watch.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)