Homomorphic encryption continues to entice cryptographers and academics. But is this technology ready for widespread deployment in enterprise environments? Our CEO and Co-founder Ameesh Divatia contributed his thoughts on the topic in a recent Dark Reading article. We will continue to explore the technology here in our new series, Homomorphic Encryption Explored.
One of the key challenges for security leaders and practitioners today is implementing security methods without interrupting the flow or speed of business. This contrast of speed vs. security has infused our lives across multiple areas. There are several everyday examples of how security intervenes in our lives that ultimately slow us down or are, conversely, considered a convenience or are invisible.
Consider two-factor authentication and SMS verification codes as opposed to FaceID on your phone or other biometrics for authentication — which one do you groan at and which occasionally can make you smile? The TSA at the airport represents another fairly common security check that we tolerate when we understand the risks that we’re offsetting. However, most people would not tolerate the same level of security inspection boarding a bus or a train.
This trade-off of “ease of use” or “invisible security” against real security is one that savvy security practitioners are well aware of and has direct implications for why homomorphic encryption is capturing mindshare and gaining quite a bit of hype. It represents a holy grail for encryption and data security that enables the best of both worlds — real data security AND “invisible security”. This blog is the first in our series, Homomorphic Encryption Explored.
Download the Gartner Cool Vendor Report on Privacy Preserving Analytics
Key Advantages of Homomorphic Encryption
With homomorphic encryption, organizations can establish a higher standard of data security without breaking business processes or application functionality. These organizations can ensure data privacy, while still deriving intelligence from their sensitive data. This is incredibly important these days in the wake of GDPR and the upcoming California Consumer Privacy Act, both of which impose stiff penalties and fines for misuse of collecting, handling or transferring data.
Use cases of homomorphic encryption include cloud workload protection (or “lift and shift” to cloud), aggregate analytics (privacy preserving encryption), information supply chain consolidation (containing your data to mitigate breach risk), and automation and orchestration (operating and triggering off of encrypted data for machine-to-machine communication).
Disadvantages of Homomorphic Encryption
But homomorphic encryption still falls short in the real world. In fact, many security folks would consider it complete BS. It is still, despite dramatic improvement over the years, incredibly slow and non-performant, making it a non-starter for most business applications. There are important open questions about its underlying encryption strength as well with recent analysis suggesting that the method leaks privacy information and may be subject to compromise. And organizations cannot run ad-hoc/discovery-based queries with its methodology.
One of the most significant disadvantages is that homomorphic encryption requires either application modifications or dedicated and specialized client-server applications in order to make it work functionally. . And organizations cannot run ad-hoc/discovery-based queries with its methodology. This increases your total cost of ownership and distracts your organization from more important and strategic initiatives.
Perhaps even more significantly, there are important open questions about homomorphic encryption’s underlying crypto strength with recent analysis suggesting that the method leaks privacy information and may be subject to compromise.
The good news is that there are tools on the market today, such as Baffle Advanced Data Protection, which provide the benefits of this technology, but without the inherent drawbacks that homomorphic encryption brings.
Want to learn more? Watch our 90-second video on how Baffle can operate on encrypted data without any application code modifications and still preserve application functionality, or request a demo with one of our experts.