The encryption technology that's revolutionizing secure data usage [Q&A]
Conventional encryption methods rely on the exchange of keys. This can leave them vulnerable, particularly when they're used on public cloud services.
One way around this is to use homomorphic encryption, this permits third party service providers to perform some types of operations on a user's data without needing to decrypt it.
We spoke to Ellison Anne Williams, founder and CEO of data privacy company Enveil to find out more about why this technology could be a game changer.
BN: What is homomorphic encryption?
EAW: A pillar of the increasingly important business-enabling category of Privacy Enhancing Technologies, homomorphic encryption (HE) secures Data in Use by allowing computations such as search or analytics to be performed while encrypted. In the security world, this may sound as close to magic as you'll get -- but it's not magic, it's math.
An analogy that we use to explain HE clearly is thinking of encryption as a vault protecting sensitive data. Traditional practice requires the data to be removed from the vault so that it can be used or processed. However, in doing so, the data becomes exposed and vulnerable to theft and/or misuse. Using HE, data can be used and processed without it ever having to leave the vault, ensuring that the interaction and the subsequent results remain protected.
Homomorphic encryption is often heralded as the 'holy grail' of cryptography but has, until recently, also been considered computationally impractical for use at scale. However, recent breakthroughs have made it practical for a wide range of game-changing commercial applications. HE has shown its paradigm-shifting potential by revolutionizing how and where organizations can securely and privately leverage data assets.
BN: Why is momentum growing behind Privacy Enhancing Technologies (PETs)?
EAW: Data is an essential asset for enterprises today, providing critical value when leveraged for intelligence-led decisions -- and the more access to data, the better. To fully take advantage of the benefits and positive business outcomes of increased access to relevant data and sources, organizations need to be able to securely and repeatedly search, analyze, cross-match, and derive insights from cross-department, cross-organizational, and third-party data repositories. Unfortunately, the modern business ecosystem is riddled with challenges that make sharing and collaborating with sensitive or proprietary data fraught with risk. Data localization issues, regional regulatory compliance, competitive dynamics, and data privacy and security considerations all limit the ability of organizations to capitalize on data assets.
PETs are uniquely positioned to address these challenges -- and industry has taken notice. Gartner named PETs among its Top Strategic Technology Trends for 2021 and Facebook, in the wake of heightened global privacy concerns, has declared its intention to invest in PETs. As a family of technologies that enable, enhance, and preserve privacy throughout its lifecycle, PETs allow organizations to glean key insights from data while ensuring the content of the search or analytic is never exposed, thereby preserving the privacy and security of sensitive assets. PETs are not only improving current business practices, they are making entirely new business-enabling capabilities possible.
BN: What are some common use cases for HE and PETs?
EAW: While there is a broad range of use cases, the three most common commercial applications today for PETs, and specifically HE, are monetizing secure data, reducing third-party risk, and enabling secure data sharing and collaboration.
Data monetization is increasingly becoming an integral part of the digital transformation strategy for modern enterprises. Finding new ways to leverage existing data assets can create opportunities to introduce entirely new revenue streams and business services. However, in order to monetize data resources in a secure and ethical manner, businesses need to prioritize the privacy of the customers using the new product or service, as well as the underlying data itself. For this use case, homomorphic encryption can uniquely eliminate the risk of sensitive data exposure, thereby creating monetization opportunities through which businesses can safely expand the value of existing data assets.
Another significant area of risk exposure comes via organizations’ interactions with third parties. Many organizations rely on sharing data assets among an ecosystem of external partners, vendors, and suppliers to optimize performance, enhance agility, and reduce costs. PETs are a key enabler of secure, decentralized collaboration, allowing entities to work collectively without the risk of data leaks or unintentional exposure.
Finally, PETs and HE play a key role in allowing international organizations to securely share data and collaborate across jurisdictional boundaries where regulations either prohibit such sharing altogether or organizations risk exposing new, sensitive variables that can trigger additional reporting requirements. HE enables the secure processing of data where it is and as it is today so businesses can leverage external data sources without exposing sensitive indicators. The technology also can be configured to respect existing access and verification controls established by the data's owner, ensuring that control and ownership are never compromised.
BN: Which industries are using these technologies today?
EAW: The businesses that are benefiting most from Privacy Enhancing Technologies today operate within highly regulated industries, such as the financial services sector. Banks spend hundreds of millions of dollars conducting know-your-customer (KYC) checks on new and existing customers for screening and due diligence purposes to help prevent fraud and financial crime. The challenge these institutions face is that there is no framework for privately sharing customer data across jurisdictions. The location-specific privacy regulations and compliance requirements put in place to protect consumer data often make it difficult for banks to obtain a global operating picture. As a result, they are increasingly turning to PETs to facilitate data sharing and collaborating across these varying regulatory landscapes.
Banks use homomorphic encryption to encrypt queries containing sensitive customer data in one privacy jurisdictions, and then running the encrypted query in a different jurisdiction, all while ensuring that the content of the interaction and its corresponding results are never exposed. What's more, these computations are processed in a matter of seconds, meaning that banks can benefit from this new data-driven customer intelligence at the speed of business and within existing workflows. Not only does this benefit banks by considerably reducing time and resources spent on customer screening, but it also reduces operational risk but providing data inputs that were not previously accessible in an efficient, automated way.
Photo credit: Lightspring / Shutterstock