The move from on-premise to the cloud was supposed to keep sensitive data safe by storing it off site. However, businesses are now discovering that the cloud isn’t as secure as they were led to believe. This is why many organizations have turned to encryption to help secure their data but this method is only able to secure data while it is in transit or while it’s at rest.
TechRadar Pro spoke with Unbound’s co-founder Professor Nigel Smart to learn how businesses can protect their data in the cloud and why multi-party computation could be the next big thing in cryptography.
What new security challenges arise when businesses decide to move their operations to the cloud?
On one hand, placing your security in the hands of a professional cloud provider will increase your security in some respects. You have access to economies of scale in security infrastructure and expertise, which most companies can only dream about. On the other hand, you are placing your data in other companies’ computers, and perhaps in another country. This leads to potential security and legal problems.
Why is traditional encryption no longer enough for businesses in today’s digital age?
Traditional encryption is about securing data in transit (think of when you send your credit card details to an online merchant), or in securing data at rest (think of hard disk encryption products). But data is useless unless it is processed, this is where the next generation of encryption technologies come in. These allow you to secure data whilst it is being processed.
Your company uses multi-party computation to help protect encryption keys. Can you explain how this technology works?
One of these technologies which provides security of data whilst it is being processed is called “Multi Party Computation” or MPC. At Unbound we split the cryptographic key into different pieces, each one revealing nothing about the underlying secret. We are then able, using MPC, to compute on these pieces without bringing them back together.
Thus, we obtain security of the key whilst it is being processed. When combined with traditional encryption of data at rest and in transit, this provided a fully secure methodology to store, manage and more importantly use keys.
How does MPC prevent cryptography keys from being stolen or lost?
Think of splitting the key into two. Piece X and piece Y. We can think of X as an encryption of the key, and Y as the key which decrypts this, or vice-versa. X contains no information about the key, and neither does Y. Therefore, if X is lost or stolen it reveals no information. Using MPC we can still use the key, without ever bringing X and Y back together again.
How is MPC being used to provide high trust authentication for company’s BYOD policies?
Applying strong multi-factor authentication for BYOD can provide both a good user experience and higher security. But the challenge is that user-owned devices are inherently insecure and cannot be trusted. The authentication keys kept inside users’ mobile devices are vulnerable to compromise or misuse. With MPC, companies can adopt a very high trust method of authentication using cryptographic keys that are split between the mobile device and a server, therefore the key is never present on the device and cannot be compromised or cloned even if the underlying device is compromised.
Are there any other applications for MPC that have yet to be realised?
MPC in theory can compute any function securely. So, you can use it to enable two or more companies to securely share a database of customers say, without ever revealing the actual details of the customers to each company. This would enable a large number of new privacy preserving business models to arise. However, at present MPC technology is still in its infancy, and such complex “big data” applications are just beyond what is currently feasible. But people are working on turning this vision into reality.
What will the future of cryptography look like?
We are going to see more and more cryptography in all sorts of applications. Not only in new applications like secure computing, but also traditional cryptography in new devices such as IoT.
In addition the potential advent of a quantum computer is leading cryptographers to investigate areas such as post-quantum cryptography.