The use of encryption has not really gone away. Headlines from the past seven days and the resulting hysteria have proved just how important the security of communications really is.
So are there drivers to use encryption, or even better forms of it? I recently met with Terence Spies, CTO of encryption provider Voltage Security, whilst he was visiting London for a conference on advanced cryptography.
He claimed that within the industry, people in the research space realise that there is a requirement to use it as a security technology. “This has really started travelling up the management chain, so we get customer requests to work on internal analysis systems, and proliferation of the cloud has really pushed encryption up even more than five years ago,” he said.
“I see industry going through an education process in that people are getting smarter about how to employ encryption and tokenization as a way to reduce risks in Big Data and cloud environments and you will see risk reduction and an acceptance of encryption as a more mainstream thing.”
He said that in the new year, in the instance of a new user, the first people he talks to are those doing encryption as a service, as they figure that having every application driver trying to do an encryption strategy of their own is a disaster.
“If you are an application administrator, you want to make it work and run as well as you can,” he said. “So we go into companies and say we can offer an encryption architecture that will propagate throughout the organisation. As it is format-preserving encryption, basically the application developers are not going to rebel!”
Voltage has set its stall out on format-preserving encryption, especially as data analytics and security clash. Spies said that it is not unusual to go into a retailer and see banks of applications using data. The idea with format-preserving encryption is to keep it secure but accessible – encrypt it in such a way that it still looks like credit card data, so it turns a 16-digit number into a random 16-digit number.
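To make the "16-digit number in, 16-digit number out" idea concrete, here is an added example (not from the article and not Voltage's product code): a textbook balanced Feistel network over decimal digits with HMAC-SHA256 as the round function. The key, tweak and sample number are constructed, the construction is not a standardised FPE mode, and it does not preserve a card number's check digit.

```python
import hashlib
import hmac

HALF = 8          # digits in each Feistel half (16-digit values)
MOD = 10 ** HALF
ROUNDS = 10

def _prf(key: bytes, tweak: bytes, rnd: int, half: int) -> int:
    """Round function: HMAC-SHA256 over (tweak, round, half), reduced to 8 digits."""
    msg = tweak + bytes([rnd]) + f"{half:08d}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % MOD

def _split(digits: str) -> tuple[int, int]:
    """Validate the format and split into two 8-digit halves."""
    if len(digits) != 2 * HALF or not (digits.isascii() and digits.isdigit()):
        raise ValueError("expected exactly 16 decimal digits")
    return int(digits[:HALF]), int(digits[HALF:])

def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    left, right = _split(digits)
    for rnd in range(ROUNDS):
        # (L, R) -> (R, L + F(R) mod 10^8): arithmetic stays inside the digit domain
        left, right = right, (left + _prf(key, tweak, rnd, right)) % MOD
    return f"{left:08d}{right:08d}"

def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    left, right = _split(digits)
    for rnd in reversed(range(ROUNDS)):
        # Undo one round: R_prev = L, L_prev = R - F(L) mod 10^8
        left, right = (right - _prf(key, tweak, rnd, left)) % MOD, left
    return f"{left:08d}{right:08d}"

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"   # constructed sample key
    pan = "4111111111111111"                    # constructed sample value
    token = fpe_encrypt(key, pan, tweak=b"retail-db")
    print(pan, "->", token, "->", fpe_decrypt(key, token, tweak=b"retail-db"))
```

Because the output is still 16 decimal digits, existing column types and length checks keep working, which is the property the article describes; the tweak binds a ciphertext to a context such as a table name, so the same number encrypts differently elsewhere.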
Spies had previously said that format-preserving encryption was the first in a line of encryption technologies that allow you to perform computations on the data itself, but there are more things “in the lab” that are getting close too.
He said: “Think of a Hadoop cluster with 1,000 machines, that is an awfully big security problem to manage and people want to use Hadoop to put data in a machine and do analytics on it, and data level encryption is one way to reduce the risk in the environment by de-fanging data.
“There is more of a demand for more secure environments where there are hugely distributed systems where you cannot lock down 1,000 machines, as you have a wide variety of data and you need to assume it will leak in some shape or form.
“People are almost breaching their own data as cloud has become the default way that people think about computation at this point, as cloud involves taking a bunch of data and uploading it to a machine that you do not completely control and you need a model that enables you to secure that kind of thing as cloud is not going away, it is getting to the point where managing your own machines is a bit atypical and that trend will continue. For some data we are dealing with – payment data, or personally identifiable data, you need some sort of leash or some encryption mechanism so a breach doesn’t get you in hot water.”
So that is the current offering, and along with web browser security being given the push by various ends of the security industry, including Google and the EFF, what causes people to take a continued look at encryption? Spies said that for people to spend money on encryption, there has to be some sort of regulatory driver, as only those companies who are forward-looking enough to know that breaches will get worse will deploy encryption as a core strategy as sort of a protective measure.
“The majority of people have a list of priorities and requirements and industry standards apply here, as if you accept credit cards you have to comply,” he said.
“Another driver is the likes of Google want encryption everywhere as a strategy for Government attacks and mass surveillance. There are all kinds of reasons for it, as it is driven by standards and compliance and a few people willing to be proactive and say I will do more than my auditors require.”
In the future, Spies identified the “holy grail of homomorphic encryption” as remaining an edge case until more research is done, while he predicted that we will see order-preserving encryption in systems in the next 3-5 years.
He said: “Homomorphic allows you to run arbitrary programs over it, as homomorphic is meant to be about running a program over the data. Homomorphic says encrypt the data and it gives you a program to output an average and encrypts that, and then a key to decrypt that. So it is working in a completely opaque way.
“Think of format-preserving encryption as the first level, as you encrypt it but leave enough clear to deal with it, and more people think about moving up the ladder so more operations can be done.
“So at the next level you will see more people talking about order-preserving encryption, which is dealing with a database and sorting the values so they come out in the right order, but in an unreadable format.”
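The sorting behaviour described in the quote above can be shown with an added example (not from the article or any vendor): a toy keyed, strictly increasing mapping over a small integer domain, built from HMAC-derived gaps. The domain size, key and column values are constructed, and this is a teaching sketch rather than a vetted order-preserving scheme; note that order and equality of the plaintexts are visible to anyone holding the column, by design.

```python
import bisect
import hashlib
import hmac

DOMAIN = 1000  # toy plaintext domain: integers 0..999 (constructed)

def build_table(key: bytes) -> list[int]:
    """Ciphertext of v is the running sum of keyed pseudo-random gaps for 0..v.

    Every gap is at least 1, so the mapping is strictly increasing.
    """
    table, total = [], 0
    for v in range(DOMAIN):
        digest = hmac.new(key, v.to_bytes(4, "big"), hashlib.sha256).digest()
        total += 1 + int.from_bytes(digest[:4], "big") % 100_000
        table.append(total)
    return table

def ope_encrypt(table: list[int], value: int) -> int:
    if not 0 <= value < DOMAIN:
        raise ValueError("value outside the toy domain")
    return table[value]

def ope_decrypt(table: list[int], ciphertext: int) -> int:
    idx = bisect.bisect_left(table, ciphertext)
    if idx == len(table) or table[idx] != ciphertext:
        raise ValueError("not a valid ciphertext under this key")
    return idx

def range_query(column: list[int], low_ct: int, high_ct: int) -> list[int]:
    """What the database does: compare and sort ciphertexts only, no key needed."""
    return sorted(c for c in column if low_ct <= c <= high_ct)

if __name__ == "__main__":
    table = build_table(b"constructed-demo-key")       # constructed sample key
    values = [520, 75, 310, 75, 999, 0]                 # constructed sample column
    column = [ope_encrypt(table, v) for v in values]
    print("stored:", column)
    print("sorted and decrypted:", [ope_decrypt(table, c) for c in sorted(column)])
    hits = range_query(column, ope_encrypt(table, 100), ope_encrypt(table, 600))
    print("100..600:", [ope_decrypt(table, c) for c in hits])
```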
It is a classic form of disguise, and it is good to see it moving on at such a rapid rate. Let’s just hope it works and remains untapped by those who want to listen.
Terence Spies, CTO of Voltage Security, was talking to Dan Raywood