Solving the Quandary of Encryption vs. Privacy and Compliance

This is my first dispatch from RSA, which was a month ago… a lot has (not) happened due to the pandemic. But, better late than never, right?

One issue that came up in conversations at the conference was the quandary facing companies subject to the new California Consumer Privacy Act (CCPA) and comparable regulations aimed at ensuring data privacy for the public. The law, under its section 1798.150, imposes significant penalties on companies that allow unencrypted personal data to be exfiltrated or subject to unauthorized access.

At the same time, consumers have now won “the right to know” and “the right to say no” regarding storage of their personal data. According to Wired, “users will, as of today, be able to see what data companies have gathered about them, have that data deleted, and opt out of those companies selling it to third parties from now on.”

These are competing requirements. For consumers to know what data about them is being stored, the data needs to be accessible in unencrypted form. That, in turn, exposes a company to the risk of a breach and, under CCPA, potentially massive fines. The company also presumably wants to use the data for its business purposes. This, too, means having access to the data in unencrypted form, which further exposes the company to breach.

How can a business safely store personal consumer data while making it available for inspection under CCPA as well as for its own analytics and transaction processing needs? Leaving data unencrypted is a non-starter. That’s way too risky. But having all data encrypted all the time creates two problems. It’s cumbersome to decrypt and re-encrypt data every time someone needs to see it. And the decrypt/process/re-encrypt cycle creates its own risk: hackers can target that sensitive little spot in the middle where the data is flowing through the system in plaintext.

As Seinfeld’s Newman might have put it, “Quite the conundrum…” However, as conversations at RSA revealed, solutions are emerging to address this problem. Baffle, for example, now offers encryption at the application level using a “no code” model. Their approach lets applications run operations on data that remains encrypted. It’s comparable to homomorphic encryption, but without that technique’s overhead. With Baffle, it’s possible to perform mathematical operations, sorting and searching on AES-encrypted data without decrypting the underlying values, whether in memory, in process or at rest.

Another vendor at RSA, Secure Channels, approached the problem via a key management process. The company developed its technologies in the media industry, so they have experience in dealing with large volumes of data that require encryption. Their solution involves randomly modulating key lengths and assigning keys to different pieces of data on a random basis. In this, Secure Channels is in fact doing the decrypt/re-encrypt cycle, but effectively masking the keys in the process. Their solution can apply a different key to every frame of a digital video, for example, so it’s very robust.
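To make the key-per-piece idea and the narrow plaintext window concrete, here is an added illustration (my own, not Baffle's or Secure Channels' code): each record gets its own data key wrapped under a master key, the plaintext exists only inside the single call that answers a "right to know" request, and a "right to delete" request is met by discarding that record's wrapped key. `Record`, `seal`, `open_sealed`, `store`, `inspect_record` and `erase` are names chosen here, and the layout is constructed for the example.

```ruby
require "openssl"
require "securerandom"

# One consumer's record at rest (layout constructed for this illustration):
# the record's own data key wrapped under the master key, plus the ciphertext.
# No single stored key opens every record, and one record can be erased alone.
Record = Struct.new(:wrapped_key, :ciphertext)

NONCE_LEN = 12 # AES-GCM nonce size in bytes
TAG_LEN = 16   # AES-GCM authentication tag size in bytes

# Encrypts plaintext under a 32-byte key; returns nonce || tag || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  nonce = c.random_iv # fresh random nonce for every call
  body = c.update(plaintext) + c.final
  nonce + c.auth_tag + body
end

# Reverses seal. Returns nil for an erased key, a wrong key or any tampering,
# because the GCM tag check fails in all three cases.
def open_sealed(key, sealed)
  return nil if sealed.nil? || sealed.bytesize <= NONCE_LEN + TAG_LEN
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = key
  c.iv = sealed.byteslice(0, NONCE_LEN)
  c.auth_tag = sealed.byteslice(NONCE_LEN, TAG_LEN)
  c.update(sealed.byteslice((NONCE_LEN + TAG_LEN)..)) + c.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Encrypts plaintext under a fresh data key that only this record uses.
def store(master_key, plaintext)
  data_key = SecureRandom.random_bytes(32)
  Record.new(seal(master_key, data_key), seal(data_key, plaintext))
end

# Answers a "right to know" request: only this record's data key is
# unwrapped, and the plaintext exists only for the duration of the call.
def inspect_record(master_key, record)
  data_key = open_sealed(master_key, record.wrapped_key)
  data_key && open_sealed(data_key, record.ciphertext)
end

# Answers a "right to delete" request by crypto-shredding the wrapped key.
def erase(record)
  record.wrapped_key = nil
end
```

Because the ciphertext stays useless once its wrapped key is gone, copies of it in backups no longer need to be hunted down to honour a deletion request.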

As CCPA-type rules become the norm, companies will have to deal with the quandary of keeping data encrypted while still needing to access it on a regular basis. Solutions such as these highlight how the industry responds to such challenges with innovation.