The 4 Untold Pains of Data Protection Solutions
- Itsik Musseri
Data lives in, and flows between, complex hybrid and multi-cloud infrastructures. This has brought valuable advantages to our businesses, but it has also cultivated a crowded landscape of solutions that claim to solve the data security problems this reality creates.
It is clear to anyone building a data protection strategy that there is no single solution that covers everything. For each use case there are only a limited number of options that may fit, and in the enterprise context this is compounded by the significantly larger number of unique use cases.
Meeting enterprise data protection needs
Given this multitude of technologies, one might think it is only necessary to “mix and match” to build the ultimate data protection stack. In practice, to determine whether a data protection solution is compatible with a use case, organizations consider the following factors in addition to the specific functionality:
- Integration and deployment flexibility - Enterprises run many kinds of environments, with various types of databases and data sources and various cloud and on-premises services integrated with them. For a solution to fit a specific use case it needs to:
  - Support the cloud provider in question
  - Have good connectivity to the database or data source
  On top of that, such a solution should be platform agnostic, support on-premises, private and public environments, and be able to protect both structured and unstructured data.
- Code changes - Some solutions require changes to the application’s logic or business flow in order to use the solution or to integrate with additional components (such as a cloud-based HSM). Code changes are usually impossible in the very common case of migrating third-party or legacy applications, and this requirement forces organizations to re-platform the entire environment. It also adds risk to an already risky migration project and adds development overhead that may amount to many person-months.
- Data protection level - A higher protection level comes from making it harder to recover the underlying data. This can be achieved with fully randomized, non-deterministic encryption. Techniques like tokenization, hashing or other forms of deterministic encryption are considered less secure and are breakable in some situations.
- Performance - A performance hit is often introduced, especially when using some of the modern runtime encryption methods. A bank providing information through a cloud-based digital banking application can’t let its clients wait an hour to obtain their account balance. Any protection solution should therefore introduce a negligible performance hit, in order to maintain application operability and user experience.
Enterprise-tailored data protection solutions
Zooming into the “data protection” market landscape, there is clearly a set of commonly adopted solutions that can potentially match the most frequently encountered enterprise use cases. From our conversations with enterprises we summed this set up into four technologies/methodologies. However, when weighed against the considerations above, they don’t always manage to stand out:
Tokenization
How does it work? Replacing the protected data with a constant string that represents it.
Why not? This method breaks application operability and the ability to process tokenized data, and requires de-tokenization before the data can be used. It also does not support protecting unstructured data. Tokenization is considered to provide a reduced level of protection compared to encryption; the method is not key-based and is breakable in various situations.
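The weakness named in the “Data protection level” factor and in the tokenization entry above is that deterministic schemes map equal inputs to equal outputs, so anyone who can read the protected column learns which records share a value without ever touching a key. The following added example (not Kindite’s code, and not any vendor’s tokenizer) makes that concrete: a keyed HMAC stands in for deterministic tokenization, AES-256-GCM with a random nonce stands in for randomized encryption, and `EqualPairs` counts how many protected values collide. The function names, the fixed demo key and the three-row e-mail column are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DeterministicToken stands in for keyed hashing / tokenization: the same
// value under the same key always yields the same token. This is plain
// HMAC-SHA256 used for illustration, not a vendor's tokenizer.
func DeterministicToken(key, value []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(value)
	return mac.Sum(nil)
}

// RandomizedEncrypt is AES-256-GCM with a fresh random nonce per call, so
// repeated encryptions of one value are unrelated byte strings. The nonce is
// prepended to the output so RandomizedDecrypt can recover it.
func RandomizedEncrypt(key, value []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, value, nil), nil
}

// RandomizedDecrypt splits off the nonce and authenticates before returning
// plaintext; a tampered ciphertext fails with an error rather than garbage.
func RandomizedDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], nil)
}

// EqualPairs counts byte-identical pairs in a protected column. For a
// deterministic scheme this equals the number of equal plaintext pairs, which
// is exactly what a reader of the stored data can infer without any key.
func EqualPairs(items [][]byte) int {
	n := 0
	for i := range items {
		for j := i + 1; j < len(items); j++ {
			if bytes.Equal(items[i], items[j]) {
				n++
			}
		}
	}
	return n
}

func main() {
	// Constructed demo key and column; a real key comes from a KMS/HSM.
	key := bytes.Repeat([]byte{0x42}, 32)
	column := [][]byte{
		[]byte("alice@example.com"),
		[]byte("bob@example.com"),
		[]byte("alice@example.com"),
	}
	var tokens, ciphertexts [][]byte
	for _, v := range column {
		tokens = append(tokens, DeterministicToken(key, v))
		ct, err := RandomizedEncrypt(key, v)
		if err != nil {
			panic(err)
		}
		ciphertexts = append(ciphertexts, ct)
	}
	fmt.Println("equal pairs, deterministic tokens:", EqualPairs(tokens))     // 1
	fmt.Println("equal pairs, randomized ciphertexts:", EqualPairs(ciphertexts)) // 0
}
```

The deterministic column reveals that rows 1 and 3 belong to the same person; the randomized column reveals nothing, and the cost is that equality lookups now have to happen on the key-holding side. That trade-off is the reason the article treats non-deterministic encryption as the higher protection level.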
BYOK combined with database encryption
How does it work? Bring Your Own Key (BYOK) is a method in which users upload their own encryption keys to the untrusted environment (CSP or SaaS). These keys are stored in a cloud-based HSM and are used by the remote infrastructure to decrypt data before it is processed. The keys are used to encrypt and decrypt the data while it is not in use by the infrastructure and is stored in a cloud-based database or storage (“encryption of data at rest”).
Why not? This solution, while secure, introduces high complexity in deployment and maintenance, as it requires integrating and deploying a specific solution for each environment (on-premises or cloud) and for each database. It is not uncommon for deployment of such a solution to require additional code changes.
Fully Homomorphic Encryption (FHE)
How does it work? FHE is an encryption method that defines new types of operations over encrypted data, allowing the data to be processed and manipulated in various ways without decryption. In theory, it fully protects the data while still allowing remote applications and logic to process it without decrypting it.
Why not? In practice, this method is still not mature enough to support real-time enterprise workloads and introduces extreme performance overhead (hundreds to thousands of percent). On top of that it requires massive code changes to applications and databases, which rules out supporting third-party workloads. This method is mostly used for running privacy-preserving offline ML/AI computation.
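To show what “processing without decryption” means in the FHE entry above, here is an added example (not from the article, and not any product’s code) using Paillier, a partially homomorphic scheme that supports only addition rather than arbitrary computation. A party holding only the public key adds encrypted account balances; only the private-key holder can read the total. The 512-bit key size is a constructed demo setting chosen for speed, not a recommendation, and all function and type names are this example’s own.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// PublicKey holds n, n^2 and the generator g = n+1.
type PublicKey struct{ N, N2, G *big.Int }

// PrivateKey holds lambda = lcm(p-1, q-1) and mu = lambda^-1 mod n.
type PrivateKey struct{ Pub *PublicKey; Lambda, Mu *big.Int }

// GenerateKey builds a Paillier key pair of roughly `bits` bits.
// Demo sizes such as 512 run fast; real deployments use 2048+ bits.
func GenerateKey(bits int) (*PrivateKey, error) {
	one := big.NewInt(1)
	for {
		p, err := rand.Prime(rand.Reader, bits/2)
		if err != nil {
			return nil, err
		}
		q, err := rand.Prime(rand.Reader, bits/2)
		if err != nil {
			return nil, err
		}
		if p.Cmp(q) == 0 {
			continue
		}
		n := new(big.Int).Mul(p, q)
		pm1, qm1 := new(big.Int).Sub(p, one), new(big.Int).Sub(q, one)
		gcd := new(big.Int).GCD(nil, nil, pm1, qm1)
		lambda := new(big.Int).Div(new(big.Int).Mul(pm1, qm1), gcd)
		mu := new(big.Int).ModInverse(lambda, n)
		if mu == nil {
			continue // lambda not invertible mod n; pick new primes
		}
		pub := &PublicKey{N: n, N2: new(big.Int).Mul(n, n), G: new(big.Int).Add(n, one)}
		return &PrivateKey{Pub: pub, Lambda: lambda, Mu: mu}, nil
	}
}

// Encrypt computes c = g^m * r^n mod n^2 with a fresh random r, so it is
// non-deterministic as well as homomorphic. Messages must lie in [0, n).
func Encrypt(pub *PublicKey, m *big.Int) (*big.Int, error) {
	if m.Sign() < 0 || m.Cmp(pub.N) >= 0 {
		return nil, errors.New("message out of range [0, n)")
	}
	r := new(big.Int)
	for r.Sign() == 0 || new(big.Int).GCD(nil, nil, r, pub.N).Cmp(big.NewInt(1)) != 0 {
		var err error
		if r, err = rand.Int(rand.Reader, pub.N); err != nil {
			return nil, err
		}
	}
	gm := new(big.Int).Exp(pub.G, m, pub.N2)
	rn := new(big.Int).Exp(r, pub.N, pub.N2)
	return new(big.Int).Mod(new(big.Int).Mul(gm, rn), pub.N2), nil
}

// Decrypt computes m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u-1)/n.
func Decrypt(priv *PrivateKey, c *big.Int) *big.Int {
	u := new(big.Int).Exp(c, priv.Lambda, priv.Pub.N2)
	l := new(big.Int).Div(new(big.Int).Sub(u, big.NewInt(1)), priv.Pub.N)
	return new(big.Int).Mod(new(big.Int).Mul(l, priv.Mu), priv.Pub.N)
}

// AddEncrypted multiplies ciphertexts, which adds the underlying plaintexts.
// Only the public key is needed, so the cloud side can run it blind.
func AddEncrypted(pub *PublicKey, c1, c2 *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(c1, c2), pub.N2)
}

func main() {
	priv, err := GenerateKey(512)
	if err != nil {
		panic(err)
	}
	// Constructed sample: three balances encrypted by the key holder.
	total, _ := Encrypt(priv.Pub, big.NewInt(0))
	for _, b := range []int64{120, 45, 300} {
		c, err := Encrypt(priv.Pub, big.NewInt(b))
		if err != nil {
			panic(err)
		}
		total = AddEncrypted(priv.Pub, total, c) // public-key side only
	}
	fmt.Println("decrypted sum:", Decrypt(priv, total)) // 465
}
```

The encrypted sum is computed entirely with the public key, which is the property the article credits to FHE; the gap between this toy and FHE is that Paillier cannot multiply two ciphertexts or run arbitrary logic, and that even this single operation costs modular exponentiations per record, which is where the overhead the article describes comes from.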
Confidential computing - Trusted Execution Environment (TEE)
How does it work? A TEE is a hardware-based method that makes use of a dedicated CPU configuration to provide a high level of security for the operations an application performs on the relevant data.
Why not? While the level of protection provided is still under academic debate, it is clear that using it for data protection requires code changes to the application and database, which makes it almost unusable for most third-party workloads. TEE-based solutions are currently used mainly for developing new-generation secure virtual HSMs.
Combining functionality with flexibility
Kindite's solution was created to fill the void these technologies can’t. Kindite’s platform is based on "Collaborative Encryption" technology, which creates a unique solution for enterprise cloud-based environments. It solves two common gaps in today’s cloud environments:
- Complexity and Scale - many applications, some hybrid, deployed on multiple cloud environments and collaborating over large amounts of data
- Multitude of new technologies, applications, and data sources each with its own, separate security solution
Among other aspects, a data protection solution should be able to reduce the complexity of the resulting environment (or at least not create additional complexity) and be able to natively support multiple environments interconnecting between on-premises, private or public cloud.
Data protection level - Kindite provides a pure Hold Your Own Key solution. It allows customers to upload sensitive data to the public cloud and keep it encrypted at any given point in time - at rest, in transit or in use - while keeping the encryption keys in the trusted, on-premises environment. This separation between the location of the encrypted data and the location of the encryption keys provides the highest level of protection for the data while maintaining the highest level of control over the keys. Kindite uses strong, non-deterministic and standardized encryption algorithms and protocols to protect data and allows encrypted data to be processed without compromising the level of security or the entropy of the resulting ciphertext.
Performance - Kindite's solution does not affect the cloud-based application; cloud-based logic continues to operate normally and natively over encrypted data, without decryption. Kindite's solution introduces negligible performance overhead - up to 10% over the usual application performance.
Integration and deployment flexibility + Code changes - This level of application operability is achieved without making any code changes to the cloud-based application or to the cloud-based database. Kindite's solution is fully dockerized and can be easily deployed and integrated into any environment - on-premises, private, hybrid or public cloud.