Encryption is changing how businesses approach security.
In 2017, the cybersecurity world was rattled by major data breaches, unsecured cloud storage buckets and the increasing sophistication of cyber-criminals in the internet of things (IoT) age.
Many businesses of all sizes are only now beginning to grasp the importance of the safety and security of their online information and assets.
People are more conscious of their digital privacy, and the concept of encryption is gaining popularity even among individuals using products such as WhatsApp and Signal.
Siliconrepublic.com spoke to Randy Battat, co-founder, president and CEO of PreVeil – an end-to-end encryption application for email, file-sharing and storage – about the advantages of his company’s technology.
Born out of research carried out by experts from MIT and Berkeley, PreVeil aims to protect all user data, as opposed to the legacy method of building taller walls around enterprise IT systems and cloud storage facilities.
Battat co-founded PreVeil in 2014 with Sanjeev Verma and Raluca Ada Popa. It was Ada Popa’s research into computation on encrypted data that led to the establishment of the company, said Battat. “We got excited about applying this idea to everyday business ideas like email and file-sharing.”
Servers are vulnerable
Battat explained that servers are far too vulnerable to bad actors as, once the defences are compromised, unencrypted, plaintext information can be found and exploited. “The basic idea is that a server is a repository for people’s information and messages and so forth.
“Server breaches are the source of the big data leaks that we see and hear about every day, and the idea behind end-to-end encryption is: the bad guys cannot steal what they cannot see.”
He continued, adding that if everything is encrypted and the server can never see the plaintext data, “then you can take anything you want off the server but you’ll never get anything useful”.
Battat describes this as a 180-degree turn from the way servers were initially built, when they did all of the heavy lifting. Rather than pushing all of the processing onto the server, more of it is pushed onto the device. The server remains a repository but, if a hacker can never get a key, access to the server alone is useless.
He also noted that encryption shouldn’t just be reserved for top-secret financial documents and the like, pointing to the Sony email hack in 2014. The emails themselves didn’t exactly reference classified information, but did succeed in doing some serious reputational damage. In business terms, Battat added: “The stuff that should remain secret is pretty much everything that you do.”
Resolving some issues with encryption
So, how does PreVeil do what it does? Battat said the company uses “very standard cryptographic methods” and “software that is open source and has been validated”, putting the two together in different ways.
He added that although encryption is by no means a new technology, it is complex and the PreVeil team has had to solve some tricky issues, such as: what if a user loses their key that is encrypting their information?
That’s where shared trust comes in, explained Battat. “You do want an administrator to help you get your key back, or get corporate data if there’s litigation happening, so that’s where we had this idea of distributed trust.
“Instead of every administrator in an organisation having key access, you can set it up so three out of 10 of your administrators have to agree to grant access, or two out of five plus the CFO of the company.”
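The approval policies in that quote ("three out of 10" and "two out of five plus the CFO") can be expressed with threshold secret sharing. This is an added example, not PreVeil's code and not from the article: it assumes Shamir's secret sharing over a prime field, and the function names are hypothetical.

```python
import secrets

# Assumption: Shamir's secret sharing; the article names no construction.
P = 2**521 - 1  # Mersenne prime, comfortably larger than a 256-bit key

def split(secret, k, n):
    """Return n shares (x, y); any k of them recover `secret`, fewer do not."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def combine(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def split_with_required(secret, k, n):
    """k-of-n administrators AND one mandatory party (the "plus the CFO" case)."""
    mask = secrets.randbelow(P)
    return (secret - mask) % P, split(mask, k, n)  # (CFO share, admin shares)

def combine_with_required(required_share, admin_shares):
    return (required_share + combine(admin_shares)) % P

def demo():
    key = secrets.randbits(256)  # constructed sample key, not real data
    admins = split(key, 3, 10)
    cfo, five = split_with_required(key, 2, 5)
    return (combine([admins[0], admins[4], admins[9]]) == key,  # 3 of 10
            combine(admins[:2]) == key,                         # only 2 of 10
            combine_with_required(cfo, [five[1], five[3]]) == key,  # 2 of 5 + CFO
            combine([five[1], five[3]]) == key)                 # 2 of 5, no CFO

if __name__ == "__main__":
    print(demo())
```

Recovery succeeds only when the policy is met: two of ten administrators, or two of five without the mandatory share, reconstruct an unrelated value rather than the key.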
Battat explained that end-to-end encryption needs to be so easy to use that it is practically invisible. Encryption and distributed trust could mean the end of traditional passwords as we know them. “Ease of use is the fundamental key to getting encryption adopted. A lot of people hate passwords, because they have to change them all the time.
“Look at what we all do; we’re supposed to use a different password for each platform and change them every few months, but we write them down in insecure places. What if we just got them out of the way?”
He added that with the rapid pace of change in terms of attack vectors, encryption will be coming to the fore as the year progresses. “One doesn’t want to say other approaches aren’t useful because they certainly are, but end-to-end encryption is rapidly emerging as a new way to add more protection to information, and I think we’re just at the beginning of seeing this as a huge trend in security.”