How Does Encryption Protect Privacy and Enable Secure Processing?

  • Bessie Chu

In a world of data privacy threats, from malevolent actors using information for blackmail to the steady drumbeat of identity theft, there's an ever bigger question: do you know where your data is? Do you know how it's being protected?

Cybersecurity Focuses on External Threats

This line of inquiry tends to lead to discussions about cybersecurity. Cybersecurity is a broad discipline, but it largely focuses on protecting against the actions of external attackers. This effectively means protecting assets, from your private financial information at your bank to the hardware running power grids, from people who want to break in, steal stuff, break stuff, extort, or cause other disruptions. Typical cybersecurity products include detection and response services (e.g. EDR, XDR, and NDR systems), authentication schemes, and audit systems. Another term that tends to come into play here is zero trust, a security model that denies access to any resource by default and builds a chain of verification policies to make sure no one is implicitly trusted.

What About Privacy?

An implicitly but closely related topic is privacy. While cybersecurity focuses on external threats, it does not focus on protecting individuals' data from the organizations that possess it. Individuals' privacy can be compromised when too much data is combined. In some cases, employees in organizations have exploited data for their own ends.

While there are mathematical definitions of privacy that some companies focus on, much of the public thinks of privacy as their personal information not being misused or exposed. Laws like GDPR and CCPA are meant to protect consumers from such misuse, but in practice they have arguably hobbled innovation in areas such as machine learning and AI and, contrary to their intent, strengthened the power of corporations.

The Current Landscape

There are also methods that alter data through tokenization, pseudonymization, or the aggregation limitations of clean rooms, which effectively create red tape around getting value from data. These solutions still don't fully solve the problems around data collaboration, and at their heart they are not enabling technologies. They also don't fully account for other use cases such as collaborating on and combining data. The obvious example is medical data for research, which is extraordinarily hard to work with in privacy-minded jurisdictions.

All of the above often creates a complex, porous web of necessary security paradigms that still doesn't fully solve the problem of data potentially being exposed in plaintext in the cloud while it is in use, which is often the case. Once a breach happens, an oversight occurs, or an employee or group doesn't adhere to best practices, that data or other IP is at risk.

The question then becomes: how do you protect data while it is actually being processed, e.g. when you're running a machine learning model on combined sensor data to predict equipment failure? And how do you do that without performance degradation?

One area of technology involves cryptographic methods. While we believe in the future development of these technologies, these methods remain impractically slow and immature for large-scale enterprise use, although they have their place in the ecosystem. In fact, because of this belief we open-sourced our previous cryptography-based privacy project and contributed to the White House Inquiry for Advancing a Vision for Privacy-Enhancing Technologies.

Cape and Confidential Computing

We at Cape Privacy adopted Confidential Computing as the workhorse for keeping data and apps confidential. A hardware-based technology called Secure Enclaves underpins Confidential Computing. Secure Enclaves, also referred to as Trusted Execution Environments, place stringent limitations on input and output. They also support a process called attestation, which checks a number of parameters to ensure that the enclave you are communicating with is legitimate and not a masquerading actor. Secure Enclaves have the added benefit of running like any other virtual machine, with near-equal performance.
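The attestation check described above, sketched as an added example (not Cape's or AWS's code): a client accepts an enclave's public key only if a signed document carries the expected image measurement and the client's own fresh nonce. The `Doc` layout, its field names and the root key are constructed stand-ins; real attestation documents use a vendor-specific format and certificate chain.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Doc is a constructed, simplified attestation document, not the real Nitro format.
type Doc struct{ Measurement, Nonce, EnclaveKey, Sig []byte }

// Digest is what the root key signs; each field is hashed first so boundaries are unambiguous.
func (d Doc) Digest() []byte {
	m, n, k := sha256.Sum256(d.Measurement), sha256.Sum256(d.Nonce), sha256.Sum256(d.EnclaveKey)
	h := sha256.Sum256(bytes.Join([][]byte{m[:], n[:], k[:]}, nil))
	return h[:]
}

// Verify returns the enclave's public key only if every check passes.
func Verify(d Doc, root *ecdsa.PublicKey, wantMeas, nonce []byte) (*ecdh.PublicKey, error) {
	switch {
	case !ecdsa.VerifyASN1(root, d.Digest(), d.Sig):
		return nil, fmt.Errorf("signature not from trusted root")
	case !bytes.Equal(d.Measurement, wantMeas):
		return nil, fmt.Errorf("unexpected enclave measurement")
	case !bytes.Equal(d.Nonce, nonce):
		return nil, fmt.Errorf("stale or replayed document")
	}
	return ecdh.P256().NewPublicKey(d.EnclaveKey)
}

func demo() (genuine, wrongImage, replayed, swappedKey error) {
	root, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the vendor root
	enclave, _ := ecdh.P256().GenerateKey(rand.Reader)
	meas, other := sha256.Sum256([]byte("image A")), sha256.Sum256([]byte("image B"))
	d := Doc{Measurement: meas[:], Nonce: []byte("n-1"), EnclaveKey: enclave.PublicKey().Bytes()}
	d.Sig, _ = ecdsa.SignASN1(rand.Reader, root, d.Digest())
	_, genuine = Verify(d, &root.PublicKey, meas[:], []byte("n-1"))
	_, wrongImage = Verify(d, &root.PublicKey, other[:], []byte("n-1"))
	_, replayed = Verify(d, &root.PublicKey, meas[:], []byte("n-2"))
	d.EnclaveKey = other[:] // a masquerading party substitutes its own key
	_, swappedKey = Verify(d, &root.PublicKey, meas[:], []byte("n-1"))
	return
}

func main() { fmt.Println(demo()) }
```

Because the enclave's key is covered by the signature, a client that encrypts only to the key returned by `Verify` cannot be redirected to a party that lacks a valid attestation.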

[Figure: Grid of different security models]

In Cape’s paradigm, all data is encrypted prior to leaving its original environment for confidential processing in the secure enclave. We’ve built our solution on AWS Nitro Enclaves in an encrypt, deploy, and run paradigm.

Encrypt, Deploy, and Run Flow

Before any data leaves its original environment, it's encrypted. As an example, say you have data from several different sources, such as datasets living in different organizational divisions or even a network of sensors. Combined, this information potentially reveals information about individual people or constitutes an operating advantage you wouldn't want a competitor to see. You may want to run some analysis on it in the cloud using proprietary methods that you also want to protect.

Data and the Trusted versus Untrusted World

Cape provides a solution to encrypt your data and apps before they are combined. We also provide a secure channel to send them to the secure enclave, where you can run your model and data in a safe environment in the cloud. Only you are able to decrypt the results returned. Even Cape cannot see what's happening in the enclave or see the output.

By leveraging Confidential Computing to abstract away the key management process and secure processing, we at Cape believe we can be an enabling technology that protects the privacy of data and apps from both external and internal threats. Historically, dealing with key management and secure computing required an in-depth understanding of technical specifics that lie outside the typical proficiency of application developers. With Cape, application developers can just focus on the application without the cognitive overhead of how the data or the function can be kept secure.

We make it easy for you to simply encrypt your data and applications, send it to a secure enclave, use that data, and get back encrypted results only you can decrypt. While it may take your organization months to hire the staff needed and custom build a confidential computing platform, we make it easy to protect and utilize your valuable data and intellectual property in minutes.

Check out the Getting Started Docs to try Cape for free. We’d love to hear what you think.
