A group of accomplished experts in cryptography research have announced they are forming what is believed to be the first industry-focused Cryptography Advisory Board. The board will provide oversight of encryption schemes for cloud security to ease the adoption of cloud services.
Data security continues to be one of the major hurdles preventing companies from moving data to the cloud, and for good reason. Enterprises worry about cloud data breaches, NSA surveillance, and court orders that can subpoena documents holding sensitive information (with which many cloud providers willingly comply). Increasingly, firms want to secure files with encryption to hinder outside parties who access sensitive documents from being able to read them.
“The problems that the industry is starting to solve are very challenging,” says board member Ari Juels, professor at the Jacobs Technion-Cornell Institute at Cornell Tech, and former chief scientist of RSA. When companies place data in the cloud it’s up to the cloud providers to make sure policies are enforced. There’s growing interest in the industry to take back power from cloud providers, and that creates some technical tensions. “Cryptography helps, but it has to be implemented well, and rigorously.”
[Read more about cloud encryption: Encrypting Cloud Email Isn’t as Easy as You'd Think.]
The board will collaborate with Skyhigh Networks, a firm that analyzes the risks of cloud applications and helps organizations build security strategies. The board will ensure Skyhigh is aware of the world of development in academic research and have available to it the latest research and technologies relevant to its business.
Juels says, rather than invent technologies from scratch, the board wants to make sure businesses are incorporating solutions properly and rigorously into product, with strong security guarantees on behalf of their customers. “It’s easy to get cryptography wrong,” he says. “It’s hard to build a cryptography scheme well and robustly.”
Most of today’s encryption implementations have significant drawbacks, he explains. Homomorphic encryption seemed to solve all problems as it made it possible to perform general computations over encrypted data, but it proved too inefficient. For example, a provider can manage email without actually seeing it, or store corporate data and perform analytics on it but not actually see it. However the computational overhead is on the order of 10 million versus ordinary unencrypted software. It also solves a narrow subset of problems as it doesn’t consider that clients increasingly want shared relationships with their cloud providers’ data.
Newer encrypted hardware solutions allow data to be managed in a trustworthy environment, but it assumes the cloud provider isn’t able to tamper with the pieces.
The board will consider a range of cryptographic approaches looking for practical schemes that do not reduce functionality, including search, sort, and format validation.
“It is mutually beneficial when the worlds of academia and enterprise collaborate," says board member Alexandra (Sasha) Boldyreva, Associate Professor in the School of Computer Science in the College of Computing at the Georgia Institute of Technology in the press release. "The cross-pollination gives academics insight into the new problems enterprises need to solve, and our scrutiny provides enterprises with stronger solutions, translating to benefits for customers.”Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio