Security

10:00 AM
Connect Directly
Facebook
Google+
Twitter
RSS
E-Mail
50%
50%

First Cryptography Advisory Board Formed for Cloud Security

Skyhigh Networks assembles a board of cryptography experts to consider a range of academically vetted cryptographic solutions that do not reduce functionality.

A group of accomplished experts in cryptography research have announced they are forming what is believed to be the first industry-focused Cryptography Advisory Board. The board will provide oversight of encryption schemes for cloud security to ease the adoption of cloud services.

Data security continues to be one of the major hurdles preventing companies from moving data to the cloud, and for good reason. Enterprises worry about cloud data breaches, NSA surveillance, and court orders that can subpoena documents holding sensitive information (with which many cloud providers willingly comply). Increasingly, firms want to secure files with encryption to hinder outside parties who access sensitive documents from being able to read them.

“The problems that the industry is starting to solve are very challenging,” says board member Ari Juels, professor at the Jacobs Technion-Cornell Institute at Cornell Tech, and former chief scientist of RSA. When companies place data in the cloud it’s up to the cloud providers to make sure policies are enforced. There’s growing interest in the industry to take back power from cloud providers, and that creates some technical tensions. “Cryptography helps, but it has to be implemented well, and rigorously.”

[Read more about cloud encryption: Encrypting Cloud Email Isn’t as Easy as You'd Think.]

The board will collaborate with Skyhigh Networks, a firm that analyzes the risks of cloud applications and helps organizations build security strategies. The board will ensure Skyhigh is aware of the world of development in academic research and have available to it the latest research and technologies relevant to its business.

Juels says, rather than invent technologies from scratch, the board wants to make sure businesses are incorporating solutions properly and rigorously into product, with strong security guarantees on behalf of their customers. “It’s easy to get cryptography wrong,” he says. “It’s hard to build a cryptography scheme well and robustly.”

Most of today’s encryption implementations have significant drawbacks, he explains. Homomorphic encryption seemed to solve all problems as it made it possible to perform general computations over encrypted data, but it proved too inefficient. For example, a provider can manage email without actually seeing it, or store corporate data and perform analytics on it but not actually see it. However the computational overhead is on the order of 10 million versus ordinary unencrypted software. It also solves a narrow subset of problems as it doesn’t consider that clients increasingly want shared relationships with their cloud providers’ data.

Newer encrypted hardware solutions allow data to be managed in a trustworthy environment, but it assumes the cloud provider isn’t able to tamper with the pieces.

The board will consider a range of cryptographic approaches looking for practical schemes that do not reduce functionality, including search, sort, and format validation.

“It is mutually beneficial when the worlds of academia and enterprise collaborate," says board member Alexandra (Sasha) Boldyreva, Associate Professor in the School of Computer Science in the College of Computing at the Georgia Institute of Technology in the press release. "The cross-pollination gives academics insight into the new problems enterprises need to solve, and our scrutiny provides enterprises with stronger solutions, translating to benefits for customers.”

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Becca L
50%
50%
Becca L,
User Rank: Author
11/30/2014 | 12:09:01 PM
Re: You may want independent experts that validate instead?
Definitely an option. But do they not get some of their expertise from groups like this advisory board?
anon0872878416
50%
50%
anon0872878416,
User Rank: Apprentice
11/27/2014 | 1:02:00 PM
You may want independent experts that validate instead?
You may want independent experts that validate instead?
Becca L
50%
50%
Becca L,
User Rank: Author
10/30/2014 | 4:28:42 PM
Re: Encryption Technology
Aaaan this is why people lawyer up, hire consultants, etc. Devil is in the details.
Jonathan_Camhi
50%
50%
Jonathan_Camhi,
User Rank: Author
10/30/2014 | 4:24:45 PM
Re: Encryption Technology
That's just it, some clients who are new to the cloud don't know to include that in the contract.
Becca L
50%
50%
Becca L,
User Rank: Author
10/30/2014 | 4:21:19 PM
Re: Encryption Technology
I'm genuinely surprised by that. You would really think that's a 101 "don't do that" and clearly laid out in the contract.
Jonathan_Camhi
50%
50%
Jonathan_Camhi,
User Rank: Author
10/30/2014 | 4:18:28 PM
Re: Encryption Technology
Also some cloud providers give up their clients' data without notifying the client. That's a big reason to keep the keys out of their hands.
Becca L
50%
50%
Becca L,
User Rank: Author
10/30/2014 | 1:11:25 PM
Re: Encryption Technology
Possible, but less efficient. I agree it's important for the keys to remain with the organization. This is especially imporant when you start wuestioning the cloud provider's right to turn over data to authoriteis who request it. A firm may decide to contest, but some cloud providers dont have the time or concern to put up a fight. These are concerns that need to be hammered out in the current system. In a perfect world with advances in encryption technology, this will be a non-issue.
IvySchmerken
50%
50%
IvySchmerken,
User Rank: Author
10/10/2014 | 10:23:22 AM
Re: Encryption Technology
And if hackers grab the data, it will be gibberish to them.  With the attack on JP Morgan, it hasn't been mentioned if the customer data was encrypted or not.  If data like customer names and phone numbers was encrypted, then hackers  couldn't decipher it. Since this wasn't mentioned in news reports, I tend to think it wasn't encrypted.
Jonathan_Camhi
50%
50%
Jonathan_Camhi,
User Rank: Author
10/9/2014 | 1:51:00 PM
Re: Encryption Technology
That's where the ability to encrypt data while it's in use comes in. If you can keep data encrypted while you're using it, then there's no need for the cloud provider to ever have the encryption keys, as there's no reason for them to ever decrypt the data.
Greg MacSweeney
50%
50%
Greg MacSweeney,
User Rank: Author
10/9/2014 | 1:47:52 PM
Re: Encryption Technology
Security surrounding data in the cloud is definitely one of the largest hurdles to adoption, so this Advisory Board should help.

It's also important that the financial firm hold the encryoption keys, not the cloud provider. Or if the firm doesn't hold the keys, a 3rd party should have the keys. Allowing the cloud provider to hold the keys is simply too dangerous.
Page 1 / 2   >   >>
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.
Video