Searchable Encryption has perpetually remained a perplexity, an incongruity, an unachievable aspiration cherished by cybersecurity experts universally.
Corporations are cognizant of the imperative to encrypt their most prized, confidential data to forestall data piracy and intrusions. They also comprehend that organizational data is meant to be utilized. It should be explored, inspected, and altered to sustain business operations. Unfortunately, our Network and Data Security Technicians were educated for ages that data couldn’t be searched or altered while under encryption.
The most they accomplished was surrounding that plaintext, unencrypted data with an array of intricate hardware, software, regulations, controls, and governance. And what has been the outcome so far? Just scrutinize the incidents at T-Mobile, United Healthcare, Uber, Verizon, Kaiser Foundation Health Plan, Bank of America, Prudential… and the roster continues. All the information filched in those breaches remained unencrypted in order to facilitate day-to-day activities.
It is incontrovertible that the current methodology of safeguarding that data is ineffective. Hence, it is paramount that we innovate our thinking and methodology. It is vital to encrypt all data at rest, in transit, and additionally WHILE IN USE. So, how do we adequately encrypt data that necessitates use?
Overcoming the Encryption Dilemma
As mentioned earlier, it is widely acknowledged that most data isn’t being encrypted. Just evaluate the extensively documented, incessant escalation in cybercrime activities. In essence, every data breach and ransom incident display a conspicuous similarity—each target upholds millions of private, sensitive, and classified records in an unencrypted state. Vast data troves, systematically cataloged, formatted, and unencrypted as effortless to comprehend plaintext merely to serve operational purposes. This predicament falls within the realm of “Acceptable Risk”.
It is frequently perceived that if an entity practices good cyber hygiene, it is encrypting data at rest (stored, archived, or backed up) and in motion (e.g., email encryption, or transferring data from one locale to another). Numerous individuals may reckon that this suffices—or perhaps that is the zenith they can attain. All things considered, current compliance and governance organizations solely emphasize on encryption at rest and in motion, primarily addressing database encryption.
In reality, most compliance regulations lack a substantial definition of what would constitute robust database encryption. Unfortunately, for many, the prevailing mindset remains ‘if compliance doesn’t tackle it, then it cannot be that significant, correct?’
Lets dissect this briefly. Why don’t we encrypt data? Encryption is known to be intricate, costly, and arduous to manage.
Considering the conventional encryption of data at rest (archives and static data), these encryption resolutions commonly necessitate a comprehensive “lift and shift” of the database towards the encryption at rest solution. This process frequently demands a network designer, database manager, meticulous mapping, and time.
Once encrypted, and assuming long-string encryption like AES 256 is applied, the data stays secure until the moment it is demanded. The data will ultimately be required to sustain a business function, like customer service, sales, accounting, financial services, healthcare, auditing, or generic update activities. At that juncture, the entire requisite dataset (whether the entire database or a segment) necessitates to be decrypted and transferred to a datastore as susceptible plaintext.
This introduces another tier of complexity—the proficiency of a DBA or database practitioner, time for decryption, constructing a security fortress of intricate solutions intended to observe and “secure” the plaintext datastore. Now this fortress of intricate solutions mandates a specialized team of adepts acquainted with the functionality of each of those security tools. Integrate the need to fix and renew every single one of those security tools just to retain their efficacy, and we now realize why a colossal amount of data is compromised daily.
Once the dataset has been utilized, it is anticipated to be reinstated to its encrypted state. Hence, the cycle of complexity (and expenditure) commences anew.
Owing to this cycle of complexity, in numerous situations, this delicate data persists in a completely unencrypted, exposed state, thus being constantly accessible. 100% of threat actors affirm that unencrypted data is the cream of the crop for them to effortlessly access.
This instance concentrates on the encryption of data at rest; however, it is essential to recognize that data encrypted in transit undergoes much of the identical process—it is exclusively encrypted in transit but mandates decryption for utilization on both terminuses of the transaction.
A superior approach exists. One that transcends rudimentary encryption. A contemporary, more comprehensive database encryption strategy must encompass the encryption of vital database data in three states: at rest, in motion, and now WHILE IN USE. Searchable Encryption, also termed Encryption-in-Use, upholds that data wholly encrypted while it is still functional. Eliminating the intricacy and cost linked with supporting an outdated encrypt, decrypt, use, re-encrypt process.
Converging Technologies for Enhanced Encryption
So, why is Searchable Encryption suddenly emerging as a benchmark in safeguarding critical private, sensitive, and regulated data?
According to Gartner, “Preserving data confidentiality and ensuring data utility is a primary concern for data analytics and privacy teams handling substantial data volumes. The capacity to encrypt data, and still process it securely is hailed as the ultimate achievement in data protection.”
Previously, the concept of data-in-use encryption pivoted around the assurance of Homomorphic Encryption (HE), which notoriously exhibits sluggish performance, is exceedingly expensive, and mandates a vast amount of computing power. Nonetheless, with the adoption of Searchable Symmetric Encryption technology, we can treat “data in use” while it remains encrypted and uphold nearly real-time, millisecond query performance.
According to IDC Analyst Jennifer Glenn, “The process of digital change has enhanced the flexibility and usefulness of information for every sector of the enterprise, but it has also resulted in greater exposure. Searchable encryption presents a robust solution for maintaining the confidentiality and security of data while unlocking its potential.”
“Technologies like searchable encryption are quickly becoming essential for businesses to ensure data usability while guaranteeing its security and reliability,” added Glenn.
Established over 30 years ago, Paperclip, a company specializing in data management, has developed a solution to achieve what was once deemed the ‘ultimate goal of data protection’ – data encryption during operation. Through the utilization of patented shredding technology utilized for data storage and Searchable Symmetric Encryption, a solution was formulated that eliminates the complexities, delays, and risks associated with traditional data security and encryption methodologies.
The Encryption Solution by SAFE
Recognizing that necessity drives innovation, Paperclip, established in 1991 as a pioneer in content supply-chain management, recognized the need to bolster the security of the plethora of sensitive data entrusted to them by their clients. When examining the increasing occurrences of data breaches and ransom attacks, one fact became clear: malicious actors do not compromise or steal encrypted data.
Their focus lies on the extensive volume of unencrypted, plaintext data utilized to support critical operational functions. This constitutes the prime target. Consequently, the critical data required attention. It was time to revolutionize how we encrypt our most active data at the database level.
This marked the inception of SAFE, initially as a solution and subsequently as a product for the commercial market.
Identifying the challenge was the simple part. Every organization possesses sensitive data that necessitates protection and relies on sensitive data for core operational functions. The subsequent step was crafting a pragmatic solution.
Paperclip SAFE is a Software-as-a-Service (SaaS) solution that transforms fully encrypted, searchable data encryption into a realistic proposition. The entire cycle of encryption, decryption, usage, and re-encryption—and the associated resources for executing these tasks—are no longer essential. Crucially, SAFE eliminates the justification for the current exposure of millions of records to data breaches and ransom attacks.
SAFE Searchable Encryption is commonly regarded as a Privacy Enhancing Technology (PET) Platform. Operating as a PET, SAFE transforms the approach to securing data at the core database level. SAFE distinguishes itself from other encryption solutions by furnishing the following functionalities:
- Complete AES 256 encryption supporting data owner and data holder key vaults – Any threat actor must compromise both distinct keys. Yet, even then, accessing the data remains unattainable.
- Patented Paperclip Shredded Data Storage (SDS) – Prior to applying AES 256 encryption, the data is fragmented, salted, and hashed. This disrupts all context and induces entropy. Envision a scenario where a threat actor manages to acquire both encryption keys. The outcome resembles running a million documents through a micro cross-cut shredder, disposing of a third of the shredded segments, substituting that third with remnants of shredded ancient encyclopedias, randomly mixing it, and scattering it on the ground like an intricate, unsolvable jigsaw puzzle. Based on current technology, reassembling all these fragments would take approximately 6,000 years.
- Always Encrypted dataset supporting complete create, read, update, delete (CRUD) functionality. – When the data is not in operation, it rests in its fully encrypted form. No more transitioning between encrypted and unencrypted states… It remains steadfastly encrypted.
- Rapid encrypted compound searching (<100 milliseconds over a standard SQL query). End users remain unaware of SAFE’s operation in the background.
- Continuous Machine Learning and AI Threat Detection and Response (TDR) – SAFE, rooted in Zero Trust, monitors and learns user behaviors. Any anomalous activity is blocked and necessitates administrative intervention. Additionally, the system monitors for SQL injections, data fuzzing, and other actions taken by malicious actors. As part of the offering, SAFE generates ample telemetry to support a Client’s Security Operations Center (SOC) monitoring service.
- Effortless JSON API integration. Although some development is involved, the outcome assures no disruption to end users, delivering an ever-accessible, perpetually encrypted dataset.
- Deployment Versatility – While SAFE is a SaaS solution, it was also crafted to function as a lightweight on-premises solution. Furthermore, SAFE can be seamlessly integrated into a third-party application wherein the third-party is entrusted with managing the Client’s sensitive data (such as outsourced applications like human resources, payroll, banking platforms, healthcare Electronic Medical Records & Personal Health Records, etc.). For organizations that outsource their sensitive data to third-party vendors, it is imperative to inquire about the encryption methods employed. What are the implications if the vendor experiences a breach? Is the data adequately encrypted?
We are engaging in a competition, one where malicious actors appear to hold the upper hand. The time has arrived to construct a superior encryption mechanism. The era of SAFE has dawned.
In today’s digitally focused business environment, the demand for searchable encryption envelops various sectors and scenarios such as Financial Services, Healthcare, Banking, Manufacturing, Government, Education, Critical Infrastructure, Retail, and Research, among others. No sector is exempt from the need for enhanced data security.
Implemented as a SaaS solution, SAFE can be operational within less than a month without disturbing end users or network structures. For additional insights on SAFE searchable encryption, please visit paperclip.com/safe.
Note: Chad F. Walter, the Chief Revenue Officer at Paperclip since June 2022 and a veteran of over two decades in cybersecurity and technology, composed this expertly crafted article.
About Author
