Protect and Index Sensitive Data with Polymorphic Encryption – thenewstack.io

Anshu Sharma

Anshu Sharma is the co-founder and CEO of Skyflow, a data privacy vault that allows B2C companies to secure sensitive customer data.

What if you could run real-time queries on data that remains safely encrypted? That might seem nonsensical at first: doing anything with encrypted data is usually cumbersome, resource-intensive, and slow. But real-time queries on sensitive data aren't just possible, they're very practical, especially when working with sensitive personal data (PII). The key is polymorphic encryption, and it should be a part of any modern data privacy stack.

In this article, I'll discuss what polymorphic encryption offers to developers and how it balances the need to use data with the need to protect data. To understand polymorphic encryption, we should start with a look at homomorphic encryption, which also aims to address data security and data usability.

Homomorphic encryption is widely considered to be the gold standard of encryption because it supports arbitrary operations on encrypted data without first decrypting it. The idea is that you perform operations (like multiplication and addition) on two encrypted values to get an encrypted result. Then, you can decrypt that result to the same value you'd get if you performed that operation on plain-text values.

With the most extensive homomorphic encryption schemes, there's a wider range of operations available that can be performed repeatedly. On the surface, it seems like this lets you both secure sensitive data and use it.

But there are some issues with homomorphic encryption, and looking at these issues makes it clear why homomorphic encryption isn't more widely used. While it's often referred to as a gold standard, it has some practical shortcomings, just like the monetary gold standard has practical shortcomings in economics.


One issue with homomorphic encryption is that it requires too much computing power for most companies to use. The computing resources required for fully homomorphic encryption mean that even with massive computing power, user experiences relying on it are incredibly slow. How slow? Slow enough that most companies would avoid it because of latency issues. Microsoft even notes in their homomorphic encryption library docs that homomorphic encryption isn't efficient. Such performance issues make homomorphic encryption unworkable for most business applications.

So why does homomorphic encryption have these performance challenges? It's because homomorphic encryption is the expression of an ideal (to be able to run nearly any operation on encrypted data) that is divorced from the actual needs of most developers. The actual need often faced by developers is to run a few well-known operations on sensitive data. How often do you really need to support running a wide range of computations on sensitive data? And why should your encryption scheme perform poorly to support these unneeded operations?

For example, you might need to determine the location of a customer by running a matching operation on their encrypted phone number, examining the country code or area code. But I can't think of a good reason to ever perform multiplication or addition on a customer's phone number. So, why endure slow performance to support that operation?

The real issue with homomorphic encryption lies in its goal: to run a wide range of operations on encrypted data, while choosing which operations to support after encryption.

Homomorphic encryption borrows its first term from the mathematical idea of homomorphism, which refers to the mapping of one mathematical object to another while preserving the structure of the first object. With homomorphic encryption, only one set of encrypted data is created and only one key can be used to decrypt the data. This is powerful but inflexible and computationally slow.

Polymorphic encryption gets its name from the computer science concept of polymorphism, where a single interface or symbol represents many data types. With polymorphic encryption, the data is encrypted in multiple forms, with multiple keys, with specific functions for the data associated with each encryption set. This is equally powerful, but much more flexible, secure, and computationally much faster.
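An added sketch of the idea described above (not code from the article or from Skyflow): one phone number is stored in three forms under three independent keys, so an exact match on country or area code runs without the key that decrypts the full number. The key names, record layout, sample customers and the HMAC-based stand-in cipher are assumptions made for this example.

```python
import hashlib, hmac, secrets

# One independent key per supported operation (constructed for the demo).
KEYS = {name: secrets.token_bytes(32) for name in ("full", "country", "area")}

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the demo needs only the
    # standard library; a real system would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def match_token(key: bytes, value: str) -> str:
    # Deterministic keyed token: supports exact match only, not decryption.
    # Equal inputs give equal tokens, so the column shows which rows share a value.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def protect_phone(country: str, area: str, subscriber: str) -> dict:
    """Store one phone number in three forms, each under its own key."""
    nonce = secrets.token_bytes(16)
    plain = f"+{country}{area}{subscriber}".encode()
    return {
        "full": (nonce + _keystream_xor(KEYS["full"], nonce, plain)).hex(),
        "country": match_token(KEYS["country"], country),
        "area": match_token(KEYS["area"], f"{country}-{area}"),
    }

def reveal_phone(record: dict) -> str:
    raw = bytes.fromhex(record["full"])
    return _keystream_xor(KEYS["full"], raw[:16], raw[16:]).decode()

def find_by_area(table: dict, country: str, area: str) -> list:
    # The caller needs only the "area" key; no stored value is decrypted.
    wanted = match_token(KEYS["area"], f"{country}-{area}")
    return sorted(cid for cid, rec in table.items()
                  if hmac.compare_digest(rec["area"], wanted))

# Constructed sample customers.
TABLE = {
    "c1": protect_phone("1", "415", "5550101"),
    "c2": protect_phone("1", "212", "5550102"),
    "c3": protect_phone("44", "20", "79460103"),
    "c4": protect_phone("1", "415", "5550104"),
}

if __name__ == "__main__":
    print(find_by_area(TABLE, "1", "415"), reveal_phone(TABLE["c3"]))
```

A service that only routes customers by region would be given the `country` or `area` key and never the `full` key, which is the separation of functions the paragraph describes.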

So, while it's similar to homomorphic encryption in some ways, there are a few important differences with polymorphic encryption:

A few examples of how a business might use polymorphic encryption help to illuminate how you can manage what seems like the intractable conflict between the need to secure data and the need to use it:

In both of these scenarios, polymorphic encryption lets you support business workflows without decrypting data. You aren't decrypting an entire field from your SSN or credit score table, let alone fetching these values for all customers.

This is great from a data security perspective because the last thing any chief information security officer wants, other than a data breach, is employees decrypting more data than they need and caching it locally because that's the path of least resistance to do their jobs.

Balancing the need for data privacy and data usability requires us to take a new approach to storing and encrypting data and acknowledge that data security that doesn't support critical workflows isn't really robust security.

Polymorphic encryption delivers what homomorphic encryption promises because it's scoped to what business workflows actually need from sensitive data. It provides a better-performing solution because it doesn't support unnecessary operations on your most sensitive encrypted data. Instead, it supports and secures operations needed for key business workflows, like comparison and exact match on partial records.

Note: This article discusses polymorphic data encryption. Polymorphic data encryption is distinct from polymorphic key encryption, in which encryption keys rotate, but data is unusable unless you fully decrypt it.

Feature image via Pixabay.
