Original article published here at SecurityWeek.
StrongSalt Helps Customers Gain Compliance Through Searchable Encryption for Cloud Services and Enterprise Applications
Encryption is often described as the best defense against hackers, and the strongest solution for compliance with GDPR, CCPA and other data protection and privacy laws around the world.
But encryption is hard on two counts. First, while peer-reviewed cryptographic algorithms are strong, their implementation is often poor. As long ago as 1997, cryptographer Bruce Schneier warned that cryptography is harder than it looks because the systems using it are designed by engineers who think of cryptography as just another component. “Under pressure from budgets and deadlines,” he wrote, “implementers use bad random-number generators, don’t check properly for error conditions, and leave secret information in swap files.” Nothing much has changed.
The second issue is the usability of encrypted data. Data scrambled to be unusable by cybercriminals is equally unusable by the company owning the data. For these two reasons, many companies who know they should encrypt their users’ personal data simply do not.
There is a solution to the second issue called ‘searchable encryption’. This is a special subfield of cryptography that has been around since 2000 — but it has its own difficulties. These are it is generally difficult or costly to implement, and is then slow in operation. “Existing systems can achieve what they claim to achieve,” Ed Yu, founder and CEO at StrongSalt, told SecurityWeek, “but they’re just too slow.”
These are the encryption issues tackled by StrongSalt, founded in 2015 by Yu, who was formerly the founding engineer at FireEye. The chosen route has been to develop a Privacy API platform to make implementing searchable encryption easy. Just as Stripe adds payment functionality and Twilio adds CMS functionality to third-party apps, so StrongSalt offers the ability to add searchable encryption to any app using any storage for any company.
The product was announced at the AWS re-Invent 2019 conference in Las Vegas. “We’ve been working on it for four years,” Yu told SecurityWeek, “and have a number of our own patents. We’ve achieved what we think is the perfect balance of security and usability. We can allow anybody who needs their data to be completely private through encryption, but simultaneously needs to search and process it, to be able to do so. All they need is the right search keys and they don’t have to decrypt it. Encryption,” he continued, “becomes transparent to the owner, but only to the owner.” Anyone else just sees the garbled data.
The purpose is to remove the friction that accompanies the use of encryption, whether that’s managing the keys or processing or sharing the data. The prime function — the ability to process encrypted data — can be achieved in either of two manners, which Yu calls the naive and complex routes. “Since you can now search your encrypted data,” said Yu describing the naive approach, “you can now locate exactly the data you wish to process. So, from a huge dataset, you can pinpoint the precise subset that matches a query — for example, all the data on a specific customer.” From here, the approach is to decrypt and process just that subset.
The complex method is complex only in that it requires the IT team to incorporate the StrongSalt API into the way they process data. “Our system works with an encrypted index,” explained Yu. “When we search on this, based on its mathematical properties, we can search without needing to decrypt it. The structuring of the index allows direct processing on the encrypted data.”
Key management is an important and sometimes difficult part of encryption. StrongSalt provides two options. In some cases, the customer wishes to keep full control of its own keys. “But we can make it easier,” said Yu. “We can help the user rotate the keys, make backups of the keys (all encrypted so we never see them), and we do this through the API. So, the customer controls the keys, but we help with that control.”
The second option is to offload key management to StrongSalt. “We encrypt the keys and keep them fragmented. The master key is protected by hardware. From the master key we generate other keys, the sub-master keys, and from them we generate the encryption keys. This allows multiple layers of encryption for the keys, each of which can be stored separately.” This is all hidden from the customer, who doesn’t need get involved.
The StrongSalt API is storage agnostic, and will work with any storage already specified by the app. So, if a customer uses and wishes to continue using Box, or AWS or Azure, it can do so. However, “in some cases,” continued Yu, “the customer chooses to use our own storage back-end.” This comprises storage within multiple cloud providers.
“In these cases,” he said, “we use blockchain to chop the data into many different pieces and then use an algorithm to disperse it around different cloud systems. Blockchain is used to keep track of all the different pieces so that the files can be reconstructed when needed.”
Blockchain is also used to keep audit records, where data sharing, opening, creating, deleting and moving are recorded. “We can verify and audit all such actions in an immutable blockchain journal.”
But seeing is believing, and Yu understands this. For hands-on demonstration purposes, he has created a StrongSalt stand-alone app for Android and iOS. Called StrongVault, this is available free of charge from the official stores. Not only is it free of cost, it is free of all other encumbrances. Users do not need to register or provide any personal information. Encrypted data goes straight into the StrongSalt storage back end, and since StrongSalt has neither user details nor encryption keys, it knows nothing about the user nor the data. While this was developed as a demonstration of the StrongSalt Privacy API for enterprises, it is effectively also a gift to consumers who might want searchable encryption for cloud-stored sensitive data from their phones and tablets.