
By Byron V. Acohido
I recently learned that there is an acute limitation to otherwise empowering cloud storage and processing services, such as Amazon EC2, Google Cloud and Microsoft Azure. It has to do with the circumstances under which business data gets transported to, and stored in, cloud storage facilities.
Some context: Organizations today do a terrific job encrypting data kept in storage (data at rest) and also encrypting data as it is being transported to and from cloud storage facilities (data in transit). However, to actually do a simple search, or otherwise access and massage this data when it is stored up in the cloud, both the query and the stored data must be decrypted. And herein lies the security shortfall.
Related article: Encryption shortfalls need to be addressed
Taken at face value, this exposure might seem narrow. But, in fact, it is something cyber criminals already are focusing on. Law enforcement and intelligence agencies are aware that threat actors are lurking on the Dark Web patiently probing and waiting for opportunities to strike deep into cloud accounts to snatch data in a decrypted state.
Enter something called ‘homomorphic encryption,’ an advanced form of cryptography developed over the past 10 years by math geeks toiling in skunk works at the National Security Agency and in private research labs at places like IBM and Microsoft. I recently had a chance to speak with one of these geniuses, Dr. Ellison Anne Williams, founder and CEO of a security startup, called Enveil, that is developing a homomorphic encryption system for commercial use.
Prior to joining Enveil a little over a year ago, Williams spent several years as an NSA scientist chiseling away at a practical version of homomorphic encryption, which she now is promoting for corporate use – with the NSA’s blessing. Some takeaways from our chat:
Game changer. In layman’s terms, homomorphic encryption is a very advanced form of cryptography that allows you to perform operations on encrypted data as if it were plain text.
Homomorphic encryption, Williams asserts, is nothing short of a “Holy Grail.” The technology “enables people to be able to process data in its encrypted state out in the cloud, and so it changes the game.”
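To make "operations on encrypted data" concrete, here is an added example that is not from the interview and is not Enveil's code: a toy Paillier cryptosystem, which supports addition on ciphertexts only and is swapped in here because the article does not say which scheme Enveil uses. The fixed primes, function names and sample values are constructed for illustration and are not secure parameters.

```python
import secrets
from math import gcd

# Constructed demo parameters: two publicly known Mersenne primes.
# Real keys use secret, randomly generated primes of far greater size.
P, Q = 2**61 - 1, 2**89 - 1

def keygen(p=P, q=Q):
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(n, phi) == 1            # required for decryption to work
    return n, (phi, pow(phi, -1, n))   # public key n, private key (phi, mu)

def encrypt(n, m):
    """Data owner: c = (1 + n)^m * r^n mod n^2, with a fresh random r."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) % n2 * pow(r, n, n2) % n2

def decrypt(n, priv, c):
    """Data owner: m = L(c^phi mod n^2) * mu mod n, where L(u) = (u-1)/n."""
    phi, mu = priv
    u = pow(c, phi, n * n)
    return (u - 1) // n * mu % n

# --- Cloud side: holds only n and ciphertexts, never the private key ---
def enc_sum(n, ciphertexts):
    """Multiplying ciphertexts adds the plaintexts underneath."""
    acc = 1                            # 1 is an encryption of 0
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc

def enc_scale(n, c, k):
    """Raising a ciphertext to k multiplies its plaintext by k."""
    return pow(c, k, n * n)

def demo():
    n, priv = keygen()
    amounts = [1200, 345, 78]          # constructed sample values
    cts = [encrypt(n, m) for m in amounts]
    total = decrypt(n, priv, enc_sum(n, cts))
    tripled = decrypt(n, priv, enc_scale(n, cts[0], 3))
    return total, tripled

if __name__ == "__main__":
    print(demo())
```

Ciphertexts in schemes like this are malleable by design, so the property protects confidentiality during processing but gives no integrity guarantee on the result.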
It took some of the smartest math minds on the planet several years to work it out, with the aid of advances in the computational capacities of computers. Waiting in the wings were company and government security experts who understood the cloud security gap; they’ve long anticipated what would be possible in a so-called “never decrypt” business environment.
“Yeah absolutely, they are paying attention,” Williams told me. “One of the big reasons that some organizations have been hesitant to move out to the cloud is even though they can encrypt the data and put it out there, they can’t process it in its encrypted state, in any kind of effective way. So, essentially they can only use the cloud as a vault for encrypted data, instead of leveraging the full processing power of it.”
Immediate use cases. The NSA helped develop homomorphic encryption partly because it wanted to have a way to search encrypted travel and financial records, and telephone and email logs, without ever exposing the underlying data – personal information that belongs to the wider citizenry. That said, it is in the commercial arena where homomorphic encryption holds the potential to be truly disruptive.
It should help dramatically shrink the attack surface for organizations that are becoming increasingly dependent on cloud services. That alone will make complying with privacy and data handling regulations, such as New York state’s new cybersecurity rules for financial services firms and Europe’s General Data Protection Regulation, considerably less onerous.
Under GDPR rules, for instance, if an entity has encrypted data that gets leaked, but it’s leaked only in encrypted form, then such an incident isn’t considered a breach. “It doesn’t have to be reported and therefore you don’t incur the large fines around GDPR, which are millions of Euros,” Williams observes. She anticipates that companies will quickly come to view homomorphic encryption as “an effective liability reducing technology.”
Other immediate use cases where homomorphic encryption has a clear role are in the mergers and acquisitions arena, where very high stakes research of encrypted data takes place, and holding cards very close is vital; and in the healthcare industry, which is in the midst of backing up personal health data in the cloud.
Blue sky benefits. I came away from my interview with Williams with the sense that she was being circumspect about potential blue sky benefits that could result from eliminating the cloud services security gap. Collection of behavior profiling data from buildings, vehicles and even articles of clothing is going through the roof. Having a path to mine this data, without decrypting it, could stir innovation of consumer goods and services, without trampling individual privacy.
Thinking blue sky, I can envision how a “never decrypt” approach, now made possible by commercial-grade homomorphic encryption, could contribute broadly to the greater public good. It occurred to me that medical researchers, for instance, might be able to query HIPAA-protected records to triangulate disease trends and pursue medical breakthroughs. It will be fascinating to revisit this in five years.
For a deeper drill down on my conversation with Williams, please give a listen to the accompanying podcast.
(Editor’s note: Last Watchdog has supplied consulting services to Enveil.)