Cloud Hosting

Dublin-based Evervault, a developer-focused security startup which sells encryption via API and is backed by a raft of big name investors including the likes of Sequoia, Kleiner Perkins and Index Ventures, is coming out of closed beta today announcing open access to its encryption engine.

The startup says some 3,000 developers are on its waitlist to kick the tyres of its encryption engine, which it calls E3.

Among dozens of companies in its closed preview are drone delivery firm Manna, fintech startup Okra and health tech company Vital. Evervault says its targeting its tools at developers at companies with a core business need to collect and process four types of data: identity & contact data; financial & transaction data; health & medical data; and intellectual property.

The first suite of products it offers on E3 are called Relay and Cages; the former providing a new way for developers to encrypt and decrypt data as it passes in and out of apps; the latter offering a secure method using trusted execution environments running on AWS to process encrypted data by isolating the code that processes plaintext data from the rest of the developer stack.

Evervault is the first company to get a product deployed on Amazon Web Services Nitro Enclaves, per founder Shane Curran.

Nitro Enclaves are basically environments where you can run code and prove that the code thats running in the data itself is the code that youre meant to be running, he tells TechCrunch.We were the first production deployment of a product on AWS Nitro Enclaves so in terms of the people actually taking that approach were the only ones.

It shouldnt be news to anyone to say that data breaches continue to be a serious problem online. And unfortunately its sloppy security practices by app makers or even a total lack of attention to securing user data thats frequently to blame when plaintext data leaks or is improperly accessed.

Evervaults fix for this unfortunate feature of the app ecosystem is to make it super simple for developers to bake in encryption via an API taking the strain of tasks like managing encryption keys. (Integrate Evervault in 5 minutes by changing a DNS record and including our SDK, is the developer-enticing pitch on its website.)

At the high level what were doing is were really focusing on getting companies from [a position of] not approaching security and privacy from any perspective at all up and running with encryption so that they can actually, at the very least, start to implement the controls, says Curran.

One of the biggest problems that companies have these days is they basically collect data and the data sort of gets sprawled across both their implementation and their test sets as well. The benefit of encryption is that you know exactly when data was accessed and how it was accessed. So it just gives people a platform to see whats happening with the data and start implementing those controls themselves.

With C-suite executives paying increasing mind to the need to properly secure data thanks to years of horrific data breach scandals (andbreach dj vu), and also because of updated data protection laws like Europes General Data Protection Regulation (GDPR) which has beefed up penalties for lax security and data misuse a growing number of startups are now pitching services that promise to deliver data privacy, touting tools they claim will protect data while still enabling developers to extract useful intel.

Evervaults website also deploys the term data privacy which it tells us it defines to mean that no unauthorized party has access to plaintext user/customer data; users/customers and authorized developers have full control over who has access to data (including when and for what purpose); and, plaintext data breaches are ended. (So encrypted data could, in theory, still leak but the point is the information would remain protected as a result of still being robustly encrypted.)

Among a number of techniques being commercialized by startups in this space is homomorphic encryption a process that allows for analysis of encrypted data without the need to decrypt the data.

Evervaults first offering doesnt go that far although its encryption manifesto notes that its keeping a close eye on the technique. And Curran confirms it is likely to incorporate the approach in time. But he says its first focus has been to get E3 up and running with an offering that can help a broad swathe of developers.

Fully homomorphic [encryption] is great. The biggest challenge if youre targeting software developers who are building normal services its very hard to build general purpose applications on top of it. So we take another approach which is basically using trusted execution environments. And we worked with the Amazon Web Services team on being their first production deployment of their new product called Nitro Enclaves, he tells TechCrunch.

The bigger focus for us is less about the underlying technology itself and its more about taking what the best security practices are for companies that are already investing heavily in this and just making them accessible to average developers who dont even know how encryption works, Curran continues. Thats where we get the biggest nuance of Evervault versus some of these others privacy and security companies we build for developers who dont normally think about security when theyre building things and try to build a great experience around that so its really just about bridging the gap between the start of art and bringing it to average developers.

Over time fully homomorphic encryption is probably a no-brainer for us but both in terms of performance and flexibility for your average developer to get up and running it didnt really make sense for us to build on it in its current form. But its something were looking into. Were really looking at whats coming out of academia and if we can fit it in there. But in the meantime its all this trusted execution environment, he adds.

Curran suggests Evervaults main competitor at this point is open-source encryption libraries so basically developers opting to do the encryption piece themselves. Hence its zeroing in on the service aspect of its offering; taking on encryption management tasks so developers dont have to, while also reducing their security risk by ensuring they dont have to touch data in the clear.

When were looking at those sort of developers whore already starting to think about doing it themselves the biggest differentiator with Evervault is, firstly the speed of integration, but more importantly its the management of encrypted data itself, Curran suggests. With Evervault we manage the keys but we dont store any data and our customers store encrypted data but they dont store keys. So it means that even if they want to encrypt something with Evervault they never have all the data themselves in plaintext whereas with open-source encryption theyll have to have it at some point before they do the encryption. So thats really the base competitor that we see.

Obviously there are some other projects out there like Tim Berners-Lees Solid project and so on. But its not clear that theres anybody else taking the developer-experience focused approach to encryption specifically. Obviously theres a bunch of API security companies but encryption through an API is something we havent really come across in the past with customers, he adds.

While Evervaults current approach sees app makers data hosted in dedicated trusted execution environments running on AWS, the information still exists there as plaintext for now. But as encryption continues to evolve its possible to envisage a future where apps arent just encrypted by default (Evervaults stated mission is to encrypt the web) but where user data, once ingested and encrypted, never needs to be decrypted as all processing can be carried out on ciphertext.

Homomorphic encryption has unsurprisingly been called the holy grail of security and privacy and startups like Duality are busy chasing it. But the reality on the ground, online and in app stores remains a whole lot more rudimentary. So Evervault sees plenty of value in getting on with trying to raise the encryption bar more generally.

Curran also points out that plenty of developers arent actually doing much processing of the data they gather arguing therefore that caging plaintext data inside a trusted execution environment can thus abstract away a large part of the risk related to these sort of data flows anyway. The reality is most developers who are building software these days arent necessarily processing data themselves, he suggests. Theyre actually just sort of collecting it from their users and then sharing it with third-party APIs.

If you look at a startup building something with Stripe the credit card flows through their systems but it always ends up being passed on somewhere else. I think thats generally the direction that most startups are going these days. So you can trust the execution depending on the security of the silicon in an Amazon data center kind of makes the most sense.

On the regulatory side, the data protection story is a little more nuanced than the typical security startup spin.

While Europes GDPR certainly bakes security requirements into law, the flagship data protection regime also provides citizens with a suite of access rights attached to their personal data a key element thats often overlooked in developer-first discussions of data privacy.

Evervault concedes that data access rights havent been front of mind yet, with the teams initial focus being squarely on encryption. But Curran tells us it plans over time to roll out products that will simplify access rights as well.

In the future, Evervault will provide the following functionality: Encrypted data tagging (to, for example, time-lock data usage); programmatic role-based access (to, for example, prevent an employee seeing data in plaintext in a UI); and, programmatic compliance (e.g. data localization), he further notes on that.

See original here:
Evervaults encryption as a service is now open access - TechCrunch