Is your data encrypted? You probably looked at the little lock icon in your browser to make sure your session was using TLS when I asked. But what happens when your data is somewhere other than a browser? Are you using secured communications for other mediums? What about when your data is just sitting on a server somewhere? We may encrypt our important data with consumer-level tools but can you be sure that your data is being saved properly in the cloud?
Unencrypted data is a huge problem in the cloud. According to recent studies, less than 10% of cloud providers are encrypting data at-rest where it’s the most vulnerable. The reasons vary, but they generally come down to two big factors. The first is that encryption reduces the ability to search through data. If you have to unscramble it before you can look at it you’re wasting valuable milliseconds to retrieve data. If you don’t think seconds matter you must have grown up in a world with dial-up Internet. Most modern consumers are not going to wait seconds for their data to be decrypted.
The second big issue with encryption is that it’s difficult to implement properly. It’s difficult on purpose but that means that most of the time users don’t even bother to try to make it work correctly. Instead, they just go to StackOverflow and search for “encryption” and paste in code snippets until something works. I don’t even have to begin to describe how and why that’s a horrible idea.
When I think about the problems that encryption can solve, I always go back to the iPhone Activation Lock. Introduced in 2014, Apple used their enhanced security with TouchID to enable phones to be locked to a particular user. In the old days, someone could find the device and just reload it to get a new phone. Your data would be gone. Now, Activation Lock requires the iCloud account info to unlock. And even a couple of months after the introduction, iPhone thefts decreased by almost 50% worldwide.1 That’s a huge win for having a device that’s encrypted all the time and locked. It basically renders the device unusable without the right key.
That’s how data-at-rest should work. Instead of us leaving data lying around and hoping that no one steals it, we should take the opposite approach and encrypt it all. Then, even if some enterprising thief makes off with our crown jewels they can’t do anything about it because they’ve stolen a bunch of junk. But given the challenges of encryption as listed above, how do we make it all work with a minimum of effort and make it all searchable at the same time?
A Flavor For Security
I talked to Ed Yu, CEO and Founder of StrongSalt, earlier this month about this very problem. He looks at the encryption problem as an issue of the right tools being used ineffectively. If you use encryption the way it was intended, you make your apps harder to create and harder to use. And that means users will take the easier approach to get what they want with less fuss.
So how is StrongSalt solving this problem? During the week of AWS re:Invent they announced a new Open Privacy API. The idea is to offload the hard work of doing encryption to StrongSalt and give you the benefits of having your data safe and sound. Because it’s an API you can just build in calls to StrongSalt and ensure your data is encrypted at every step of the process. And StrongSalt uses standard algorithms to fit any need. No more guessing whether or not a proprietary algorithm meets your compliance needs.
StrongSalt’s Open Privacy API solves the ease-of-use problem. It also solves the issues around searchable encryption. When I talked to Ed about this, he told me that most current solutions, like homomorphic encryption, are overly complicated and don’t address the real issues. StrongSalt, as an API, gives you the ability to decrypted data streams as they are searched. But the data is never decrypted in place. That means there can’t be any accidental issues with developers leaving data lakes readable to the world and creating issues. StrongSalt ensures that only proper API calls can read data. That means it’s secure wherever it sits. And that security means the data is also completely useless to intruders looking to steal it.
StrongSalt is already positioning the Open Privacy API to address a huge elephant in the room in 2020: the new California Consumer Privacy Act (CCPA). CCPA is set to roll out on January 1 and it’s going to empower consumers to fight back against data leaks. Class-action lawsuits can be filed if companies are found liable for data leakage. And those dollar amounts are going to be huge. The only way to get out of having to pay those huge fines is if companies can prove the data is secure or worthless to the people looking to steal it. That’s where StrongSalt comes into play. By proving the data is safe you can ensure that, as a business, you’ve done everything you can to keep your customer data out of the hands of people that would use it for nefarious purposes.
StrongSalt’s Open Privacy API is freely available on their website at https://www.strongsalt.com/. In the first quarter of 2020, they are planning on offering it on the AWS Marketplace to make it easy to build into your existing cloud infrastructure. They also offer a host of other encryption-as-a-service offerings with their paid platform. You should definitely check out what they have to offer if you want to be sure you’re meeting your requirements under CCPA. I’d suggest checking it out during the holiday lull before you get a nasty letter in the mail from a law firm next year.
- https://techcrunch.com/2015/02/11/apples-activation-lock-leads-to-big-drops-in-smartphone-theft-worldwide/ ??