Technology companies that use encryption are highly sought after - POKIKA

Pervasive encryption that protects data not only in transit and at rest, but also in use, thus freeing companies from the fear of data breaches, has long been a dream of business leaders, IT teams and compliance professionals.

In 2023, those dreams may become a practical reality as a number of database and data security companies release software that will allow companies to keep data encrypted while still allowing common operations like search. Last year, for example, database technology provider MongoDB released a preview of its Queryable Encryption capability, which allows companies to search data records in “expressive” ways without the need to decrypt the data. And this week, data security firm Vaultree released a software development kit that will allow app developers to try out its “Data-in-Use Encryption” feature, which the company claims allows for more extensive operations on encrypted data.

The goal is to allow companies and their applications to efficiently access and search databases while preventing unauthorized users from ever deciphering sensitive information, said Ken White, director of security at MongoDB.

“What we hear a lot from customers are concerns about leaks, breaches and attacks on public cloud infrastructure, including privileged users, and so we’re focused on areas where we can add additional security controls and technical measures to limit who can see sensitive data in real time,” he says. “[W]e believe [encryption-in-use] will continue to be an area with great potential for innovation, particularly for operational workloads.”

The technology promises to help organizations minimize the so-called “blast radius” when a network or system is compromised. Typically, breached businesses face forensic investigations, regulatory filings and fines, as well as the potential exposure of sensitive data and intellectual property. Encrypted data allows companies to avoid many of the devastating effects of a breach, but typically requires complex data architecture designs to ensure that plain text information is not inadvertently left insecure.

Many technology companies have tried to solve the problem and allow secure use of data by applications by expanding the use of encryption. In the 2010s, for example, Ionic Security aimed to encrypt all data in flight and allow access only to authorized users with special privileges. The company bought Twilio in 2021.

If the current crop of technologies succeeds where others have failed, companies may see significantly less risk in the event of a breach, said Ryan Lasmaili, CEO of Vaultree.

“We know that if there is a leak and the data is fully encrypted, it reduces the company’s risk immediately for regulatory compliance,” he says. “However, the GDPR does not now, for example, cover the encryption of data in use, as it has not yet been done to date.”

Avoiding Llamas at the Indy 500?

MongoDB’s Queryable Encryption encrypts database fields, meaning that information is cryptographically secure at all times, but still searchable. Information decryption keys are stored with each client, allowing only specific people and devices to decrypt sensitive fields. Even a database administrator cannot decrypt every field unless they have the appropriate keys.

Flowchart of how Queryable Encryption works. Source: MongoDB
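
A minimal sketch of the idea described above, added here as an illustration; it is not MongoDB's code and not its actual scheme. The client holds the keys and sends only ciphertext plus a keyed search token, so the server can answer an equality query with a hash-table lookup without being able to decrypt anything. The class names, the HMAC-based token and the stand-in cipher are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only
    # the standard library. It has no integrity check; use an AEAD in practice.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class Client:
    """Holds the keys; the only party that ever sees plaintext."""

    def __init__(self):
        self.enc_key = secrets.token_bytes(32)  # encrypts record contents
        self.idx_key = secrets.token_bytes(32)  # derives search tokens

    def token(self, field: str, value: str) -> str:
        # Keyed and deterministic: the same value always maps to the same token.
        msg = f"{field}\x00{value}".encode()
        return hmac.new(self.idx_key, msg, hashlib.sha256).hexdigest()

    def seal(self, record: dict, indexed_field: str) -> dict:
        nonce = secrets.token_bytes(16)
        blob = _keystream_xor(self.enc_key, nonce, json.dumps(record).encode())
        return {"token": self.token(indexed_field, record[indexed_field]),
                "nonce": nonce, "blob": blob}

    def open(self, sealed: dict) -> dict:
        return json.loads(_keystream_xor(self.enc_key, sealed["nonce"], sealed["blob"]))


class Server:
    """Stores only tokens and ciphertext; a query is one dictionary probe."""

    def __init__(self):
        self.index = {}

    def insert(self, sealed: dict) -> None:
        self.index.setdefault(sealed["token"], []).append(sealed)

    def find(self, token: str) -> list:
        return self.index.get(token, [])
```

Deterministic tokens let the server see which records share a value, which is one reason production schemes are more involved than this sketch.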

Making the technology a reality is based on the research of small groups of academic cryptographers. Queryable Encryption, for example, grew out of the work of Brown University’s Seny Kamara and Tarik Moataz, who went on to found the startup Aroki Software, which was bought by MongoDB in 2021.

The goal of Queryable Encryption today is to deliver technology that can handle queries that are actually useful and make things easier for developers, MongoDB’s White said in a presentation at the USENIX ENIGMA conference in January. The key to it all is that the performance shouldn’t get in the way, he said.

“It should be sub-linear. The difference between 1,000 documents, a million, 5 million and 100 million documents, it should be sub-linear,” he said. “A lot of the academic work was done in a way that was super-linear, so it works great on 10 records, or 100, 1000, 5000, other than that, it’s a pain. And you can throw more processors at it, but you know, it’s like racing llamas in the Indy 500; there’s only so much you can do.”

Other technologies, such as fully homomorphic encryption (FHE), promise to allow a wider range of operations on encrypted data and have been extensively funded by the US Department of Defense. A team of Intel and Microsoft signed a multi-year research grant with the DoD in 2021 under the DARPA Data Protection in Virtual Environments (DPRIVE) program to build a hardware accelerator to speed up the notoriously processing-intensive FHE approaches. In January, Duality Technologies, another DPRIVE grantee, announced it had entered Phase 2 of that program to accelerate machine learning development on encrypted data.

“Structural encryption, like most encryption schemes, protects data confidentiality, meaning that data is protected so that only people who have been approved to receive the data actually have access to that data,” says Duality Technologies Chief Technology Officer Kurt Rohloff. “FHE also ensures data privacy, but allows more processing on the data without requiring decryption.”

More testing is needed

New encryption models and technologies usually require a marathon of testing and evaluation. MongoDB’s Queryable Encryption stems from academic research on structured encryption, with several articles describing the approach. FHE has had decades of research and open development. Vaultree’s Data-in-Use Encryption remains largely a black box, though CEO Lasmaili promises scholarly articles will follow.

In a blog about widespread encryption capabilities, cybersecurity firm Kaspersky warned that such technologies require a lot of oversight, as even small missteps can compromise systems’ security.

“This is a common problem in practical cryptography when information system developers are forced to create something that meets specific data encryption requirements,” the company said. “That ‘something’ is then often vulnerable because the development process has failed to take into account the latest scientific research.”

While encryption in use can claim an early lead because it is usable in its current state, FHE’s progress could pay off in the long run, especially since quantum computing could be a game changer. FHE continues to have functional and security advantages, especially in the post-quantum cryptography world, says Duality Technologies’ Rohloff.

“Fully homomorphic encryption allows for much more secure operations on it compared to general structural encryption,” he says. “Not all built-in encryption options [are] immune to quantum computing attacks, but all fully homomorphic encryption schemes used are assumed to be immune to quantum computing attacks.”
