Enveil's New "ZeroReveal" Platform Enables Homomorphic Encryption to Secure Data in Use
Sensitive data exposure is classified by OWASP as the third most critical web application vulnerability. Encryption is the primary solution. But encryption is only generally available for data at rest and data in transit -- leaving the third state of data (data in use) potentially exposed. Bank card details, for example, can be stored encrypted and can be transmitted encrypted -- but they currently must be decrypted and exposed at the point of processing.
Finding some way for data to remain encrypted and secure even during processing is considered the holy grail of encryption. One method, homomorphic encryption, was first mooted in 1978; but initially without any clear proof that it was possible. Today, start-up firm Enveil has launched the first practical and scalable commercial homomorphic encryption platform, ZeroReveal.
The core technology originates from within the NSA. Enveil's CEO and founder, mathematician Ellison Anne Williams, worked on the project within the NSA as a senior researcher for 12 years. When she left in 2015 she took the technology with her, exclusively, and founded Enveil in 2016. Since then, Enveil has expanded and matured the core technology to the point of launching a commercial product.
"Continued reports of chip flaws [eg, Spectre and Meltdown] and data breaches in recent months make it clear that encrypting data at rest and in transit isn't good enough in today's volatile security environment. Organizations must eliminate the data in use security gap and do so in a way that won't negate investments in existing systems and protocols," explains Williams. "We allow you to securely use data where it is and as it is today, delivering nation-state level security -- no system overhaul required."
When people use data, it is typically undertaken by running a search or analytic over the data. Enveil concentrates on the security posture of that search or analytic as it is being performed.
"We have two-party form factor," Williams told SecurityWeek. "From a technology standpoint, it means that we can take a search or analytic that folks will want to perform over data, and we can encrypt that, and then we can run that encrypted search over massive amounts of data anywhere, without ever decrypting anything. We never decrypt the search itself, and if the underlying data also happens to be encrypted, we don't have to decrypt that either. We accomplish this through the ZeroReveal Compute Fabric where we can encrypt the search, send that out to the data location, and that can be processed there without ever being decrypted."
This is made possible by the magic math known as homomorphic encryption. "It's been around for a while," continued Williams, "and a lot of work has gone into it. It allows you to perform operations on encrypted data as if it were unencrypted data. This is powered by the mathematical nature of homomorphic encryption. Until now it has remained computationally intensive and not practical. Our major breakthrough has been moving this holy grail from the realm of the theoretical to the realm of the practical."
ZeroReveal solves very specific use cases. "How do I go and encrypt my most sensitive data and put it securely in the cloud," said Williams, "but yet still be able to process it in its encrypted state in the cloud platform? It has become practical because of advances in the way that we use the homomorphic encryption rather than simply massive increases in compute power."
One of ZeroReveal's great strengths is that it works on existing encrypted data -- the secret resides in the homomorphically encrypted search or analytic. "We sit above the storage technology," she said. "People don't have to change the mechanism of storage or how they currently encrypt their data. This is what is new. In traditional homomorphic systems, you must have the data itself encrypted homomorphically to operate on it. We don't do that at all. It's because we're looking for bit matches rather than character matches in the underlying data. It allows us to search across any data store, encrypted or unencrypted, and encrypted with any crypto and even graphics -- it's all represented by the bit values that we search on."
The use cases are already extensive, and will only grow with the increase of big data aggregators. Consider, for example, a third-party aggregation of financial data. The very act of searching that data for specific information can highlight confidential considerations of potential M&A activity. But with the search encrypted (irrespective of whether or how the big data itself is encrypted), no outside party will know what the query was.
It would allow health organizations to anonymize and encrypt personal health data, and allow researchers to analyze the data without it ever having to be decrypted. It would allow staff to work on sensitive data from home -- or anywhere -- over the weekend without having to decrypt and copy the data to a laptop. And it clearly has huge potential to protect both data owners and data processors concerned about GDPR.
"The range of potential use cases for homomorphic encryption is vast," says Garrett Bekker, principal analyst, Information Security at 451 Research. "By focusing on the encryption-in-use space, Enveil complements data-at-rest and data-in-motion encryption to fill a gap in the overall data security landscape."
Fulton, Maryland-based Enveil was founded in 2016 by Ellison Anne Williams. It raised $4 million from investors including Bloomberg, Thomson Reuters, USAA, In-Q-Tel and DataTribe. The firm focuses solely on securing data in use, and works seamlessly with existing investments in securing data at rest and data in transit.
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Previous Columns by Kevin Townsend: