Data breaches and other forms of cybercrime have been problems for years, but have seen explosive growth throughout the pandemic. The cybersecurity advice given to businesses and organisations in 2022 is that it’s no longer a matter of what to do “if” your business is attacked by cybercriminals, but a matter of what to do “when”.
One of the most important things to do when you are attacked is to establish what data was accessed or removed. You need to quickly establish just how bad the situation is and which stakeholders (be they customers, investors or other organisations) might be affected. The loss or compromise of the most sensitive data is a nightmare scenario.
What if you didn’t need to worry?
What if data could be kept secure throughout the entire cycle of both acquisition and use?
Fundamental advances in information protection now offer the capability to protect data at every single stage, from creation onwards. Optalysys enable a world in which data protection is the default.
Securing data against attack is well understood to be a difficult problem. It’s complex, expensive, and prone to error, yet data protection is mandatory because organisational failure to protect data can cause legal, financial and reputational harm.
However, an inability to use data can be almost as harmful. Not only is it a disadvantage in a competitive landscape, but the process of collecting, managing and storing data costs money. Data can only be truly valuable to an organisation when the advantage it provides is greater than the cost of the supporting infrastructure. Managing and securing information for organisational success therefore means striking a delicate balance between the risks and rewards of data.
Under contemporary methods of data protection, this balance isn’t easy to achieve. As of 2020, a major survey by Seagate revealed that only a third of the data collected by organisations could be put to use, with data security being the main limiting factor. At the same time, the number of breaches rose by a further 20.5% in 2021.
Having to store data that can’t be used but can introduce risk is the worst possible outcome for an organisation, yet it’s both common and hard to fix.
In some cases, data exists in a silo for a reason. It may be governed by regulation, or by confidentiality agreements. You may even have legal obligations to collect information that you are then held responsible for, but cannot otherwise use to enhance your business.
Even in cases where those data silos can be broken down, there are still risks. Information flowing more freely within an organisation often delivers additional value at the cost of expanding the attack surface for both internal and external threats.
At first glance, this aspect of risk and reward appears to be fundamental. Data is powerful because of what the relationships within datasets can reveal. Data relating to people and organisations is therefore often extremely sensitive. While it can provide some of the most meaningful insights, it can also readily reveal information which is private or confidential.
Breaking or controlling the ability to access or understand these relationships is inherent to the idea of data protection, yet this also harms our ability to share and use it. Even recognised and accepted techniques for data protection (such as anonymisation) aren’t sufficient to guarantee safety, yet often limit the insight that can be obtained from the dataset.
However, what if this wasn’t the case? What if we could simultaneously make data safer while making more and better use of it?
Recent years have seen the rise of technologies that are intended to tip the balance in favour of the data holder. These are collectively known as privacy-enhancing technologies (PETs), a rapidly advancing field of innovative data protection techniques that aim to overcome the limitations of contemporary methods.
The importance of PETs and their role in enhanced data protection is increasingly being recognised by regulators and governments at the highest level, with the US and the UK governments launching a to drive the development and advancement of PETs to tackle some of the biggest societal challenges around the globe.
One of the most significant limitations in data protection comes from the way in which access to information is controlled by making it unreadable to anybody without authorisation. This process, known as encryption, is critical to modern information security.
In your daily life, you encounter encryption whenever you open a trustworthy website, check your bank balance, or send a message. In the broader scope of things, encryption is fundamental to the security of everything from electronic banking through to online workspaces, military communications and medical records.
Encryption is a powerful method for protecting data because it is by design nearly impossible to reverse the process unless you have a specific piece of mathematical information. By controlling access to that information, you can control who can read and use that data.
However, current methods of encryption have flaws. The first of these flaws is due to the rise of quantum computing. Some of the most important and commonly-used tools in cryptography are highly secure against classical computers, but quantum computers enable novel mathematical capabilities that can break these methods.
This has led to a race to identify cryptographic methods that are secure even against quantum attack, which has recently culminated in the release of a standard cryptography scheme for post-quantum internet security. The shift of business and governmental organisations to post-quantum security standards is eventually going to be mandatory.
The second and more fundamental of these flaws stems from the same inherent problems with data. Using data means we need to be able to do things to it that change or work on the information content. As encryption protects data by mathematically obscuring it, not only does this completely remove our ability to understand the content of the data, but most forms of encryption also remove our ability to change the underlying information.
This is beneficial when information is in storage or in transit, but this also means that before we can do things with data, we first need to strip away the protection offered by encryption.
That’s a risk within an organisation’s own computing systems, but it’s especially important in an increasingly connected and cloud-based world. Processing or sharing data increasingly means sending it to infrastructure that you might not directly control, and trusting other organisations and services to keep that data safe is becoming ever more difficult.
This is why a PET called fully homomorphic encryption (FHE) is so revolutionary. FHE is a new method of encryption that allows us to perform computational operations on data without needing to decrypt it first. Because data can stay wrapped in encryption at every point in the data cycle, it is never exposed to threats.
Not only does FHE allow us to overcome the fundamental problems of data protection and use, but the underlying lattice-based cryptography is also resistant to attacks from both classical and quantum computing, ensuring that information protected by FHE will stay protected well into the future.
If we want to understand FHE from a business perspective, consider the following scenario. Several insurance companies want to improve their fraud detection capabilities by looking for trends in accident claims. All companies would benefit from having access to each other’s data, but under the contemporary model of data security this is incredibly difficult to accomplish. None of these companies wants to share confidential information; besides clear regulatory restrictions on how customer information can be used, companies within a sector are frequently competing for the same customers and don’t want to expose data that the other firms could use to gain an advantage.
FHE isn’t just a way of protecting information within organisations. By enabling blind computation, FHE allows information to be outsourced, shared and used while providing just as much protection as if it was held in a protected data silo. Under FHE, the insurance companies can securely merge their databases, perform statistical operations over the data, and collectively retrieve the output while protecting their own inputs.
Everyone benefits, yet data is never put at risk.
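An added sketch of the blind computation in this scenario, not Optalysys code: a toy lattice-style (LWE) scheme in which an aggregator sums the insurers' encrypted claim counts without ever holding the key. It shows only homomorphic addition rather than full FHE, and the parameters, the single shared key and the claim counts are assumptions constructed for illustration and far too small to be secure.

```python
import secrets

# Toy parameters, constructed for illustration and NOT secure.
N = 32            # secret dimension
Q = 1 << 32       # ciphertext modulus
T = 1 << 16       # plaintext modulus: messages and their sums must stay below T
DELTA = Q // T    # scaling factor that lifts the message above the noise
NOISE = 4         # fresh noise is drawn from [-NOISE, NOISE]

def keygen():
    """Secret key: a random binary vector."""
    return [secrets.randbelow(2) for _ in range(N)]

def encrypt(sk, m):
    """LWE ciphertext (a, b) with b = <a, sk> + DELTA*m + e (mod Q)."""
    if not 0 <= m < T:
        raise ValueError("message out of range")
    a = [secrets.randbelow(Q) for _ in range(N)]
    e = secrets.randbelow(2 * NOISE + 1) - NOISE
    b = (sum(x * s for x, s in zip(a, sk)) + DELTA * m + e) % Q
    return a, b

def add(c1, c2):
    """Homomorphic addition: needs no key; plaintexts and noise both add up."""
    return [(x + y) % Q for x, y in zip(c1[0], c2[0])], (c1[1] + c2[1]) % Q

def decrypt(sk, c):
    """Remove the mask, then round away the noise (valid while |noise| < DELTA/2)."""
    a, b = c
    phase = (b - sum(x * s for x, s in zip(a, sk))) % Q
    return ((phase + DELTA // 2) // DELTA) % T

def blind_total(ciphertexts):
    """What the untrusted aggregator runs: it only ever sees ciphertexts."""
    total = ciphertexts[0]
    for c in ciphertexts[1:]:
        total = add(total, c)
    return total

def demo():
    sk = keygen()                   # assumed held by the insurers, never the aggregator
    claims = [1200, 845, 3310]      # constructed per-insurer flagged-claim counts
    encrypted = [encrypt(sk, m) for m in claims]
    return decrypt(sk, blind_total(encrypted))

if __name__ == "__main__":
    print(demo())
```

Each addition also adds the ciphertexts' noise terms, so decryption stays correct only while the accumulated noise is below `DELTA / 2`; managing that growth across many operations is part of what makes real FHE workloads heavy.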
This scenario can be extended not just across industries that currently make extensive use of data, but to applications in which data is so sensitive that collaboration has previously been nearly impossible. From healthcare to finance, FHE will reshape the threat landscape in favour of data protection while offering entirely new avenues for service provision and data monetisation.
The capabilities of FHE come at a cost. Computing with FHE involves working with data in a form that isn’t well suited to conventional hardware and is correspondingly much slower than working directly on unprotected data. In fact, right now FHE computing is approximately 1,000,000x slower than the alternative.
At Optalysys Ltd, we are overcoming this problem and unlocking the full capabilities of FHE. We are a UK company working exclusively on the development of a hardware-based accelerator specifically to address the computational demands of FHE.
Unlike conventional computing hardware, we use the properties of light to perform a critical mathematical function that makes up the bulk of the FHE computing workflow.
Through a combination of software and hardware improvements, we can vastly improve on the performance of FHE with the ultimate goal of enabling encrypted data to be processed at the same speed as unprotected information.