On the heels of the General Data Protection Regulation (GDPR) and with California Consumer Privacy Act (CCPA) looming, keeping data private and secure is more critical than ever before. Fines for violations of regulatory compliance such as GDPR can cost your business dearly.
Encryption is one of the tried and true security mechanisms for keeping data secure and private both on-premises and in the cloud. It allows masking data with mathematical algorithms that scramble the data so that it is unreadable without the encryption key. This makes it much more difficult for your data to fall into the wrong hands.
However, there is a weakness with traditional encryption techniques. What is that weakness? Also, what is homomorphic encryption, and what does homomorphic encryption mean for the security of cloud data?
The Weak Point of Traditional Data Encryption
Encryption in the form of today’s “military-grade” AES 256-bit encryption is virtually impossible to crack with current processing capabilities. However, there is a weak point that must be considered. You have to decrypt your data to make it useable or work with it.
To illustrate, think of the large formidable “iron doors” that guarded ancient cities. Entering the city, even for those with a legitimate pass to get in, means the doors have to be opened. Even if it is for a relatively short period of time, everyone and everything inside is vulnerable to attack for the time period the doors are open. As it turns out, in terms of security, this becomes the Achilles Heel for securing your data with traditional encryption technologies.
In much the same way, even with formidable encryption protecting data, if you have to decrypt the data (open the doors) for a time to access it, it will be vulnerable to an attacker. What actions require that you decrypt your data secured with traditional encryption?
In most systems today using traditional encryption, even simple actions like editing your Excel spreadsheet, Word document, and returning rows from a database, all require the data to be decrypted before it can be consumed, edited, modified, and so on. This begs the question – is there a better type of encryption to secure your data that does not require decryption and potential exposure to an attacker?
Let’s consider the next-generation of encryption technology called Homomorphic Encryption. What is it? How does it work?
What is Homomorphic Encryption?
What is homomorphic encryption? You can think of it as next-generation encryption technology. It sets out to solve many of the security concerns associated with traditional encryption such as the requirement to decrypt the data for it to be consumed.
Researchers and cryptography experts have long been able to produce partial homomorphic encryption solutions for various systems. However, it wasn’t until 2009, when Craig Gentry, a researcher at IBM, produced and demonstrated a fully homomorphic encryption scheme, that the technology was considered a viable option. What are the advantages of homomorphic encryption?
Homomorphic encryption is a cryptographic solution that allows analytical computations to be performed on data while it remains encrypted.
As an example, think of a search query on a database that is encrypted the entire way through with homomorphic encryption. This means the database query would need to accept an encrypted value for the query, query the encrypted data in the database, and be able to process a return from the database that is encrypted.
There are many different types of real-world use cases that can be called to mind that can greatly benefit from homomorphic encryption. A case in point is health care data including medical records or medical data. When you share medical information with a third party, you typically share private and sensitive information about yourself including health characteristics, conditions, medications, and various other health information.
With the homomorphic encryption scheme, since your data remains encrypted, sensitive information such as your encrypted medical information can be safely shared with a third-party. The third-party health provider or entity can then perform queries or computations on your data protected with homomorphic encryption without knowing anything about you. Since the data remains encrypted, the contents including your identity and personal information and statistics are protected. There is another area where homomorphic encryption will be extremely powerful – cloud.
What Are the Security Risks of Cloud Computing?
Outside of healthcare, storing data in public cloud environments is another area where homomorphic encryption can pay dividends in terms of cloud computing security and privacy. When it comes to the cloud, one of the major concerns most still have with cloud computing and security is data privacy. This includes who has access to your data. What are the specific security risks of cloud computing?
- Data leakage – unauthorized persons get access to your data
- Unauthorized sharing – an unscrupulous employee may share data intentionally with others
- Misconfigured systems – cloud data is unintentionally left accessible to the outside due to misconfigured Amazon S3 buckets or other public cloud provider storage mechanisms
- Hackers using ransomware or phishing attacks – Attackers are using various tools to take your data hostage and force payment of ransoms with the threat of data leakage.
Even those to whom you have given legitimate access to your data in the cloud can be a security vulnerability. Third-party processors, with whom you may have chosen to share data in your cloud environments, now have access to that data and its contents.
As in the example of sensitive medical information, when homomorphic encryption is used to protect your data housed in the cloud, your data remains encrypted at all times without revealing the contents of the data. This effectively allows third-party entities, to whom you have granted permissions, to perform computational processing and analysis on your data.
Additionally, if data is always encrypted with homomorphic encryption and never sitting in an unencrypted or decrypted state, even if your data falls into the wrong hands, it will be unreadable.
With homomorphic encryption securing your cloud data, you can safely take advantage of third-party services while at the same time have 100% confidence that the privacy of your data contents remains intact. Homomorphic encryption provides a level of data privacy and security that is of paramount importance in this day and age of privacy concerns, data leakage, and ever-growing compliance regulations.
What Barriers Exist to Using Homomorphic Encryption?
Since homomorphic encryption solves many of the problems that exist with traditional encryption technology, why is it not already widely used and adopted as the encryption standard at this point? The original specification for Craig Gentry’s fully homomorphic encryption technique adds tremendous computational overhead to the process of working with data.
In other words, the performance of the solution left much to be desired, especially at scale. Computations that would normally be completed instantaneously with unencrypted data may take exponentially longer with the fully homomorphic encryption introduced by Gentry.
As a comparison of performance, a Google search encrypted with Gentry’s fully homomorphic encryption specification in its original form would take around one trillion times longer than without it. However, much progress has been made with fully homomorphic algorithms since the original draft in 2009. With those improvements, the same Google query would take around one million times longer.
While there are still many refinements and tweaks that need to be made with homomorphic encryption, it certainly shows promise as the next stage of encryption technology to fully protect data across all platforms and use cases.
Transitioning to Homomorphic Encryption
Let’s be clear. Traditional, strong encryption standards like AES 256-bit encryption are currently the best way to protect your data from prying eyes. Companies who are serious about security use the current encryption standards to protect their data and the data of their customers.
This includes businesses who provide cloud services for your data. If you use a third-party solution that works with your data, are they protecting it with encryption both in-flight and at-rest? What does this mean? In-flight encryption means your data is encrypted as it is transmitted across the network. At-rest encryption means your data is encrypted as it is stored on a storage device.
Implementing encryption with in-flight and at-rest encryption helps to ensure the security of your data whether it is moving across the network or sitting on a storage device. This is especially important with third-party solutions that process, store, or otherwise interact with your data in the cloud.
Data Encryption by SpinOne
SpinOne is both a cybersecurity and data protection company that has proven to be on the cutting-edge of security technology in the cloud. It is an example of a company that is currently making use of the best encryption technology by today’s standards as well as looking on the horizon at those technologies like homomorphic encryption that can take the security of your data to the next level.
SpinOne’s cloud infrastructure is secured using world-class security standards that revolve around strong encryption processes both from a customer data standpoint and an administration standpoint. The following are just a few details of SpinOne’s security policies regarding the encryption mechanisms as well as general security processes involving customer data:
- SpinOne encrypts users’ data in the cloud using the highest levels of encryption for in-transit and at-rest data.
- We use the same encryption mechanisms that are used in Amazon EC2 and Amazon S3.
- Using AWS, SpinOne employees utilize token and key-based authentication to access their servers.
- Administrators utilize a command-line shell interface, SSH keys, or sudo to enable additional security and privilege escalation.
- Making use of OAuth 2.0, we do not store or access customer passwords.
Encrypting both in-flight and at-rest data
Importantly, as noted, SpinOne encrypts your data both in-flight and at-rest using military-grade AES 256-bit encryption. This means the backup data that SpinOne stores for your business is protected from malicious threat actors who may try to compromise your data stored in backups. This is true whether it is moving across cloud networks or stored in one of the many locations SpinOne offers for storing your backup data.
SpinOne utilizes other standards and policies as a company that protects your data. The architecture of SpinOne is designed not to allow SpinOne employees to access user data. SpinOne employees cannot access the data contained in customer accounts. Customer data cannot be accessed at any stage by any third party, including the staff of SpinOne. There are strict rules and access control levels that protect users’ information from unauthorized access.
As homomorphic encryption matures and the performance of the solution is optimized to perform well at scale, there is no doubt it will be at the heart of the encryption technologies of the future, including those used by SpinOne and other security solutions to secure customer data and protect the privacy of the data contained in encrypted backups.
Encryption is an integral part of any effective data security and privacy solution on-premises or in the cloud. When securing your business data, encrypting your data both in-flight and at-rest is essential to preventing data leaks and the theft of data by a malicious attacker.
The downside of today’s traditional encryption standards is that to work with your data, it must be decrypted before it can be used. This decryption of your data provides an opportunity for it to be compromised. Homomorphic encryption is a next-generation encryption standard that will effectively allow data analytics and processing to be carried out on encrypted data, without the need for it to be decrypted first.
SpinOne is an example of a company that is both concerned about the security of customer data as well as making use of strict security standards to protect your data privacy. This is evident by their current security and privacy policies. As homomorphic encryption continues to mature and become more efficient, it will no doubt be included among the technologies used by SpinOne and others to secure your data.