Innovations in Data Security

The torrent of data breaches is overwhelming people. It’s now a common assumption that data will be breached, and that nothing can be done to prevent it. There is a gnawing sense of truth to this idea, but it’s defeatist and impractical. New, better data security countermeasures are clearly needed. A number of vendors are rising to the occasion.

Thales: HSM in the Cloud

Thales has introduced an encryption solution that revisits one of the major assumptions underpinning most encryption practices. The €3 billion company, whose products are found in many digital identity products and payment cards, is now offering a product whose very name is a paradox: the cloud-based Hardware Security Module (HSM).

By definition, an HSM is supposed to be a free-standing piece of physical hardware. Thales now provides HSM functionality, but in an on-demand, cloud-based solution. Called SafeNet Data Protection On Demand, the solution is a cloud platform that provides HSM and key management services through a simple online marketplace.

“People want to move master keys onto a hardware HSM,” explained Gary Marsden, Senior Director, Data Protection at Thales. “But, for many companies, this has proved to be too expensive. HSMs with high availability are complicated to manage. They take expertise and focus that a lot of IT organizations can’t bring to bear. Data Protection On Demand takes the complexity and high expenses out of the equation. You don’t have to deploy an HSM. You get centralized control over encryption in a multi-cloud environment. You can migrate your key management from one cloud to another.”

It’s definitely time to consider these new options. As Marsden pointed out, only 4% of data that’s been breached is encrypted. “If you can simplify data protection, you can defend the other 96% of your data,” he said.

Detail from the Enigma machine on display at the International Spy Museum

Baffle: Going Beyond Encrypting the Container

Baffle is attacking the data protection problem from a different direction. For Harold Byun, Baffle’s VP of Products, today’s challenges revolve around gaps in data protection that are easily exploited. “TDE is deficient,” he declared. “You’re protecting the data container, but there are so many ways for an attacker to still get at that data, it’s not a strong countermeasure any longer.”

He’s not alone in this perception. Critics of Transparent Data Encryption (TDE) are increasingly expressing concerns that it doesn’t protect data at the field level. This is a problem Baffle solves. Baffle also provides ways to keep data encrypted as it moves between various cloud repositories. “Everything is hybrid,” Byun explained. “You’ve got data on premises and in many different cloud environments at the same time. Your data protection has to keep up with this or you’re going to be exposed to serious risk of breach.” For example, he cited the risk of ephemeral, serverless functions in the cloud that can access data—an attack vector that can be extremely difficult to detect. Baffle mitigates this risk.

Baffle, which has closed its series A round of venture funding, has responded to this need with what is essentially an enterprise-wide data protection standard. Everyone in an organization subscribes to the standard as a service. Baffle can track access to the service. In architectural terms, this solution is able to detect compromises of data assets that occur through the application tier, which is another point of vulnerability. Baffle also enables data protection in memory.

Duality Technologies: Enabling Safe Data Collaboration

Duality Technologies is working on yet another side of data breach vulnerability. For Dr. Alon Kaufman, the company’s Co-founder and CEO, there are risks inherent in the practice of collaborating with data. “Companies today cannot function in isolation when it comes to use of data,” he explained. Kaufman cited the hypothetical example of a healthcare provider needing analysis of a patient’s genomic data in order to make a diagnosis. “They need to share their patient’s data with a third party. But, how can they protect that data in the process?”

Duality lets organizations collaborate on data science without sharing the actual data or data models. They accomplish this with homomorphic encryption, which allows data to remain encrypted across the entire sharing and analysis cycle. “Let’s say you have a bank that wants to send customer data to a credit analysis firm,” Kaufman said. “The bank needs the analysis, but is prohibited by law from letting sensitive customer data outside the entity. At the same time, the credit rating firm doesn’t want to share its proprietary model. Both sides will need to agree on an encryption method.”

To make the arrangement work, both the bank and the credit agency can install Duality. They then access an API to share the encrypted data. With this architecture, the two companies can collaborate with data. Each is protected. This approach requires an agreement on the schema, however.
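The bank-and-credit-firm exchange Kaufman describes can be illustrated with additively homomorphic Paillier encryption: the bank encrypts customer features, the credit firm applies its model to the ciphertexts without ever seeing the features, and only the bank can decrypt the resulting score. This is an added illustration, not Duality’s code; it assumes the firm’s model is linear, uses constructed feature and weight values, and uses toy 64-bit keys so it runs quickly.

```python
import math
import secrets

def _random_prime(bits):
    """Trial division is enough for the toy 32-bit primes used here."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(c % d for d in range(3, math.isqrt(c) + 1, 2)):
            return c

def keygen(bits=64):
    """Paillier keys with g = n + 1 (toy size; real deployments use 2048+ bits)."""
    p = q = _random_prime(bits // 2)
    while q == p or math.gcd(p * q, (p - 1) * (q - 1)) != 1:
        q = _random_prime(bits // 2)
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    return (n, n + 1), (lam, pow(lam, -1, n))           # mu = lam^-1 mod n

def encrypt(pub, m):
    n, g = pub
    r = secrets.randbelow(n - 1) + 1                     # fresh randomness per ciphertext
    return (pow(g, m % n, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pub, priv, c):
    n, (lam, mu) = pub[0], priv
    m = ((pow(c, lam, n * n) - 1) // n * mu) % n
    return m - n if m > n // 2 else m                    # decode signed values

def add(pub, c1, c2):                                    # E(a) * E(b) = E(a + b)
    return (c1 * c2) % (pub[0] ** 2)

def mul_const(pub, c, k):                                # E(a) ^ k = E(k * a)
    return pow(c, k % pub[0], pub[0] ** 2)

def analyst_score(pub, enc_features, weights, bias):
    """Credit firm applies its private linear model to ciphertexts only."""
    acc = encrypt(pub, bias)
    for c, w in zip(enc_features, weights):
        acc = add(pub, acc, mul_const(pub, c, w))
    return acc

def score_without_sharing(features, weights, bias):
    """Bank side: encrypt features, receive the encrypted score, decrypt it."""
    pub, priv = keygen()
    enc_features = [encrypt(pub, f) for f in features]  # only ciphertexts leave the bank
    return decrypt(pub, priv, analyst_score(pub, enc_features, weights, bias))

if __name__ == "__main__":
    # constructed sample (income, late payments, years of history) and constructed weights
    print(score_without_sharing([52000, 3, 7], [1, -4000, 500], 10000))  # 53500
```

The credit firm learns nothing about the features, and the bank learns only the final score, which is the agreed output of the shared schema.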

“This is about business and compliance as much as it concerns data security,” Kaufman noted. “Companies are expected to monetize their data, but not let it get breached. It’s a paradox, but one we can solve.” Attention from healthcare and financial services companies suggests that Duality is on the right track with this issue.

Photo Credit: derekbruff Flickr via Compfight cc