Security and Privacy Through Pervasive Compartmentalization?
Protecting information by compartmentalizing it and limiting access to those with a need to know has long been an important security practice. The logic behind it is sound. If one compartment is breached because a user's credentials were stolen or an insider decides to steal the information, every other compartment is still protected. Although today's enterprises try to protect access to information, the fact is the products they use at the data layer are letting them down. The data breaches constantly in the news are evidence of that. For instance, databases are one-stop shops for hackers because they have to hold data in its vulnerable form to be able to index it and operate on it. A hacker or insider only has to breach the server, exfiltrate the data, and be gone. This is true even if lower levels of the IT stack provide encryption at rest and in transport. The data layer, where data spends 99.9% of its life, is incredibly vulnerable today.
So why isn't information always encrypted in the data layer and why isn't it compartmentalized? There are a couple of reasons. The first is that encrypted data is useless until you decrypt it. It is like putting the information in a vault, never to be seen again. If you want to find information in that vault, you have to go into the vault to take a look at it. The problem becomes worse if you have lots of data in that vault. If you couldn't solve this search problem, you would have no choice but to always leave the vault door open and the information nicely filed so when you need something, it is easy to find. Otherwise, your business won't operate very efficiently. Clearly, this leaves you incredibly vulnerable to attack. This is exactly what the enterprise data layer looks like today, although now we are also putting our vaults in the cloud and hoping we haven't left the vault door open. The second problem to pervasive compartmentalization is that lots of encryption keys are too hard to manage. What key even goes with a given file or record? Today, we have a hard time managing a few passwords. Imagine how hard it is to manage many thousands of encryption keys.
What if you could transform your vault into thousands of virtual safe deposit boxes that had zero knowledge of their contents? What if only people with a need to know could access any virtual safe deposit box and your trust in that access control was based on cryptography? Imagine if it was easy to efficiently find what you needed within those virtual safe deposit boxes without having to open the boxes and make everything in the boxes vulnerable? If those things were possible, you would have an incredibly efficient and highly secure digital business. You would be establishing and maintaining an unprecedented level of digital trust with your customers.
The good news is that searchable encryption is the enabling technology for pervasive compartmentalization. It solves the problem of efficiently indexing the encrypted information in the vault so that it can easily be found without making the information in the vault vulnerable. The products in use today within the enteprise data layer can't do this. Searchable encryption enables application-layer encryption, which is the key to enabling pervasive compartmentalization. If the data layer had to manage compartmentalization, it means it could not be zero knowledge and it would have the same security problems it has today. Application-layer encryption allows the applications to choose the compartment information belongs in and which encryption keys to use to encrypt it. This also allows for effective key management with many thousands of keys. Clearly, applications become the target for attack because attacking a zero knowledge data layer is useless. Pervasive compartmentalization is the very thing we need to protect our information when an application is breached! Guess what? Applications can also be compartmented! You can even use software-defined networking and micro-segmentation to do it at the network layer. You can even compartmentalize key management! There are many things we can do to improve the security of the application layer if we can depend on a zero knowledge trust layer.
The Black Forest Digital Trust Platform delivers pervasive compartmentalization to the enterprise by transforming the enterprise data layer into a zero knowledge trust layer. High performance searchable encryption is the answer and since it is possible, its adoption is inevitable. Please visit us at www.craxel.com.