In the history of technology, there may be a broad assumption that encryption and data security have been in lockstep with the internet boom of the 80s and 90s.
However, in chatting with Karim Eldefrawy, co-founder and CTO of Confidencial, he shares that in the early days, encryption was used by the military for secret government communication.
In contrast, the first step towards what we call today the Internet was somewhat of an experiment (denoted as ARPANET) under a project by the Advanced Research Project Agency (ARPA). The participants were trusted research and academic partners including SRI International, UCLA, UCSB, and the University of Utah. The spirit of the internet in its infancy was one of trust and an openness to free-flowing ideas.
Karim discloses, “I think the dirty secret is that the internet as initially designed was never intended to be the global communication infrastructure used for e-commerce.”
Hindsight is 20/20. The creators and early adopters of the Internet did not foresee how successful and robust it would be. As a result, it was not built from the ground up to be secure and consider the privacy of participants.
Astonishingly, urgency around data security has not had its watershed moment yet. “Unfortunately, we're still at the point where security is an afterthought,” says Karim.
Karim admits, “Security is hard. One of the best tools in the arsenal of the security community is cryptography and it is a difficult mathematical subject. But that does not mean that once you figure out the mathematics and exact schemes and algorithms, its use must also be as difficult.”
In the early days of the Internet and the World Wide Web, the way data was stored gave a false sense of security. Much of what we saw was a physical “safety perimeter” for data protection. Typically, security infrastructure was stored on company grounds. Companies installed walls around their data, firewalls, intrusion detection systems, and VPNs.
It seemed more straightforward to understand where and how the data was being kept and protected.
Karim says that's long gone, spurred by the move to the cloud decades ago.
[But], “to be honest, even back then, it has never really worked effectively, attacks still got around these measures. And the reality is the cloud is here to stay.”
Nowadays, almost all aspects of our lives are stored in the cloud, and the threat level grows with it.
“People have no idea what mechanisms are in the back end and what data is being replicated where, and what it is used for,” says Karim. “I think the only way to win this game is for the data to be protected by default from the moment it is generated.”
That means building the protection inside the documents themselves, and Confidencial does this with cryptographically enforced access control. “While it is prudent to secure data when it is in transit and at rest in your infrastructure,” says Karim, “what happens once the data is transmitted and stored somewhere on the other side, even if via in-transit secure protocol? There’s also a growing need to protect data in use, or at least apply principles of least privilege to data in use so that not all of it is always revealed.”
Confidencial applies its “always-on” layer of cryptographic protection that will travel with data wherever it is.
The technology only decrypts information to a minimum number of people (or machines) to have the principle of least privilege upon view, or upon use.
In addition, there's a new set of privacy-enhancing technologies to protect data in use. Karim explains, “I think ultimately, we have to figure out how to blend those two, but that is going to take some years, but at least we can start today.”
Our team is working hard to break some outdated myths about the difficulty of effectively applying data-centric security through the more prevalent use of cryptographic techniques like encryption, digital signatures, threshold cryptography for protecting keys, and secure and privacy-preserving computation.
“Our mission at Confidencial, as part of the larger cybersecurity and cryptography communities, is to dispel myths around the difficulty of overcoming technical, performance, and usability barriers facing the widespread use of encryption for various enterprise data. In my opinion, proper use of cryptography is the only effective (and mathematically sound) way to properly protect and trace enterprise data usage inside and outside its infrastructure. And if, in the next decades, we don’t improve this situation, I think we kind of failed as a community. I believe we can eventually live in a world where this misconception is dispelled” says Karim.
Learn more about automatically protecting your data by booking a call.
Comments