If we were to participate in a Socrates seminar and deliberate on the importance of securing data, in unison, the response would be: Encryption, the “holy grail” for data security! Data is at the core of all businesses and the most valuable asset for any organization. Reams of data need to be managed, processed and analyzed involving multiple parties for marketing and research purposes. Data is sensitive and has chances of being abused by malicious attackers.
The sheer volume of data that needs to be secured considering factors like consumer privacy, data governance and integration of technologies, is a Herculean task.
Increasing data complexity and the adoption of technologies like AI has fueled the growth of privacy-enhancing technologies (PET) to secure data.
A well-mapped-out PET implementation is expected to minimize the window of exposure and enable secured intelligent data usage.
To get a deeper insight on the importance of PET and its adoption trends, Minu Sirsalewala, Editorial Consultant, CISO MAG, interacted with Dr. Ellison Anne Williams, the Founder and CEO of Enveil. Dr. Williams discusses the pioneering Data Privacy Enhancing Technology protecting data in use.
Recognized as an SC Media Reboot Leadership Innovator Award winner and a Woman to Watch in Security, Dr. Williams founded the startup in 2016 to protect sensitive data while it’s being used or processed. She is also a renowned mentor, and privacy and security thought leader.
Building on more than a decade of experience leading avant-garde efforts in the areas of large-scale analytics, information security, and computer network exploitation, powered by homomorphic encryption, Enveil’s solutions like ZeroReveal enable previously impossible business functionalities for intelligence-led decision making.
Dr. Williams leverages her deep technical background and passion for evangelizing the impact of disruptive technologies to cultivate Enveil’s capabilities into category-defining solutions that enable secure search, analytics, sharing, and collaboration.
The need for Privacy Enhancing Technologies (PET) has been more compelling than ever today. With increased incidents of surveillance through spyware like Pegasus and ransomware groups like REvil targeting small and medium businesses, what are the technologies that can ensure privacy to consumers and businesses? How can PET minimize personal data use, maximize data security, and empower individuals?
One of the most interesting aspects of Privacy Enhancing Technologies, in general, is their broad applicability. While they are fundamentally a family of technologies that enable, preserve, and enhance the privacy of data, the range of ways in which they can be applied is broad — use cases range from protecting sensitive assets during processing to enabling secure access to third-party datasets to mitigating insider threat risk. Data is the backbone of the digital economy and an organizational asset that impacts teams across the organization. PETs can help security teams protect sensitive assets while still ensuring the data remains usable.
PET has been around as a technology, what is the adoption curve and where does it stand today? What has been the game-changer?
While PETs have long been the subject of research, the increased attention and activity we see now is the result of both market factors and technology breakthroughs. The digital economy has brought data to the forefront, and we’ve also seen a shift in the privacy landscape driven by both global regulations and consumer demand. From a technology perspective, we’re seeing technologies that once were computationally impractical now being implemented at scale. For example, homomorphic encryption, a pillar of the PETs category that allows computations to be performed in ciphertext as though it were plaintext, once required days to perform even the most basic functions. Now those same operations can be done in seconds, opening the door to a number of use cases across verticals.
What are your thoughts on how PET is empowering businesses across geographies and industry verticals?
One of the best use cases for PETs we’ve seen emerge recently is around the category’s ability to help organizations securely and privately share data across jurisdictions or internal/external data silos. While regulations increasingly limit or block such actions completely, PETs like homomorphic encryption (HE) can overcome these challenges by allowing operations (searches or analytics) to be performed without exposing the interaction with the data. HE allows entities to securely collaborate in a decentralized manner without replicating or moving data between jurisdictions, all while prioritizing data privacy. The outcomes are a significant savings of resources and time, as well as a reduction in operational risk relating to the possible mishandling of sensitive or regulated data.
With sensitive data being exposed to open and unsecured networks, how can organizations adopt PET to create a business value and minimize risk?
The emergence of new and varied attack surfaces is driving more organizations toward Zero Trust strategies, which are designed under the assumption that systems are compromised. Encryption plays a key role with this architecture, which includes looking beyond at-rest or in-transit encryption to also protect data while it’s being used or processed. Privacy Enhancing Technologies like homomorphic encryption play a key role in protecting this often-overlooked security gap.
How can PET ensure security for the data life cycle — right from data creation to data in transit, to data processing? Where are the challenges?
PETs uniquely protect data during processing or Data in Use. There have long been solutions geared at protecting Data at Rest on the file system or Data in Transit as it moves through the network, but organizations often overlook the need for protecting it while it’s being used, frankly, because it’s a hard problem to solve. That’s why PETs are such a game-changer — they allow us to securely and privately leverage data in ways that were not previously possible.
Homomorphic encryption, Multiparty computation, Zero-knowledge proofs and Trusted execution environments are some common PETs. Which of these has seen a significant change (evolved) and adoption? Could you share some market figures if available?
We have seen a significant uptick in both interest and activity related to PETs in recent months. Analysts at Gartner named privacy-enhancing computation as one of the Top Strategic Technology Trends for 2021 and further predict that by 2025, 50% of large organizations will adopt privacy-enhancing computation for processing data in untrusted environments and multiparty data analytics use cases (Gartner “Top Strategic Technology Trends for 2021,” Oct. 2020). Anecdotally, I can speak to what we’re seeing in the homomorphic encryption space since that is the technology the majority of our products leverage. When I founded Enveil nearly five years ago, references to HE would evoke blank stares, but I am pleased to say that is no longer the case. We’re seeing a broad recognition and a real excitement around HE’s power and applicability, the momentum that supports the growing activity we see in the commercial and government market.
What about data masking techniques as compared to the traditional PET-like cryptographic algorithms?
While it’s tough to generalize, data masking techniques and cryptography serve different purposes. While I thoroughly believe in the power of encryption, I am not a person who advocates for encrypting everything. In most cases, that approach is just not practical. Organizations are better served by understanding what information or interactions are truly sensitive and focusing their efforts on ensuring that information is secure throughout its lifecycle — at rest, in transit, and in use. Data masking can be an effective way to fill in some of the gaps, but it will never offer the same level of protection as encryption.
Now that companies can securely access data sets, it broadens the application possibilities. Which are some areas where we see increased PET application? (For example, financial transactions; health care-clinical data; data transfer with multiple entities and parties)
Here are several examples of practical business use cases from an article I wrote on the topic last year, which continues to apply in current times:
- Secure Data Monetization — Organizations looking for new revenue streams are increasingly examining how they might leverage existing data assets; however, the data can only be securely and ethically monetized if the privacy of both the customers of the monetization service and the underlying data itself is respected. Because HE uniquely allows data to be processed in a privacy-preserving manner without risk of exposure, it opens the door for such secure monetization to occur. This allows existing sensitive or regulated data assets to be used in ways that may have previously been determined as too risky to pursue.
- Third-Party Risk — Third parties can present the greatest risk of exposure for both data security and associated regulatory compliance. To use and share data with an ecosystem of third parties to accelerate performance, enhance agility and realize cost savings, the ability to effectively share data assets with these third-party collaborators is critical. Homomorphic encryption allows this collaboration to occur in a secure, decentralized manner while protecting against the risk of data breaches, regulatory penalties or brand/reputational damage.
- Secure Data Sharing and Collaboration — Homomorphic encryption enables organizations to securely collaborate across organizational or jurisdictional boundaries without introducing new sensitive variables into the organization’s data holdings. This is important because exposure to these indicators could trigger additional reporting requirements or expose competitive advantage. By protecting data while it’s being processed, HE allows these organizations to securely leverage external data assets in a decentralized manner without exposing sensitive indicators. The technology also can be configured to allow them to continue respecting the access and verification controls established by the data’s owner.
How are data protection laws such as GDPR and CCPA influencing the importance of PET implementation?
At its core, PETs are a family of technologies that enable, enhance, and preserve the privacy of data throughout its lifecycle. Beyond locking down the data, some of these technologies allow data assets to be securely and privately used, overcoming the very regulatory barriers that have in many ways spurred a renewed interest in their usage. Organizations that have seen business functionalities inhibited by the surge in privacy regulations see PETs as a way to extract critical insights without the need to move or replicate data, which is often not feasible. PETs can also allow organizations to pursue data sharing and collaboration practices while remaining in compliance.
What are some technology business drivers and strategies that are affecting or influencing innovation in the security realm?
While there were many challenges associated with the pandemic, it did cause us to take a second look at the security, access, and usability of our organizational data assets — which I think is a good thing. Technologies that may have previously been viewed as “nice to have” started to look more like necessities. The need for remote access caused us to rethink the way things have always been done, and in many cases, the technology was ready to provide a solution. As the world starts to look more normal in the months ahead, I hope we can keep that drive to innovate.
About the Interviewer
Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.