With the ever-expanding digital nature of our businesses and world, the need for encryption applications to ensure privacy, secrecy, and compliance is always increasing. At the same time, encryption is essentially an ongoing arms race between cryptographers and bad actors, as constantly increasing computing power means that even today’s best encryption methods will eventually be breakable.
Security professionals must therefore deal with both a growing number of use cases for encryption and ever more complex methods of cryptography and key management. The solutions they use for encryption and key management must in turn constantly prepare for new use cases and new encryption methods, so that they remain effective and let customers address those use cases and methods smoothly as required.
Let’s look at a few of the many, many use cases that key managers must be capable of handling in today’s security environment, as well as a few that are on the verge of widespread use and that Ntrinsec is already moving to address for its customers.
A FEW OF TODAY’S MOST COMMON USE CASES
- Passwords – Passwords are widely used to limit access to both internal and external information, but no matter how long or complex, passwords are still just plaintext entries that, once compromised, can be used by any bad actor. By algorithmically encrypting passwords and protecting their keys, companies or services that store user passwords can prevent their misuse even if a data breach exposes them.
- Credit Card Information – Companies that allow users to store and re-use their payment data must encrypt that data so that it cannot be accessed and used by bad actors. This is not only a liability issue but also a compliance issue, with fines and penalties assessed based on PCI standards.
- Privacy – Companies and services must ensure that any private data they collect or develop about users stays private, so that the data cannot be linked with a specific, individual user. Information such as social security numbers, purchase histories, addresses, phone numbers or any of a variety of data that they may collect and store due to their interactions with customers must be encrypted to prevent its misuse in case of a data breach. Failure to do so exposes companies to liabilities and fines, via both lawsuits and regulatory standards such as the FTC’s Standards for Safeguarding Customer Information or the Health Insurance Portability and Accountability Act (HIPAA).
SOME EXOTIC USE CASES THAT ARE HERE NOW, OR ON THE HORIZON
Security professionals and key managers must always keep an eye on the future as new use cases, new algorithms, new software, and new methods change the number and types of keys that need to be managed and maintained.
Here are some new methods and use cases that are on the horizon and likely to become common over the next decade, if not sooner.
- Zero Knowledge Proof – ZKP algorithms enable the exchange of data without revealing the actual data. The potential use cases are myriad. One of them is the ability to use a password without actually typing in the password. Password entry has always been a potential weak point in data security, with bad actors compromising passwords with methods like keystroke tracking, so for two entities to be able to agree that a valid password is present without actually exposing it to potential compromise is a powerful new use case.
Zero knowledge proofs will also create new possibilities for maintaining privacy. Users who wish to verify a certain level of income to a bank, for example, will be able to do so without sharing the actual details of that income, thereby removing the need to expose the details to compromise in transit, as well as preventing it from being stored and potentially breached at a later date.
- Homomorphic Encryption – Current encryption methods protect data while in motion or at rest, but an important weakness has always been that the data must be decrypted in order to be viewed, manipulated, and used, and once decrypted it becomes vulnerable to compromise. Homomorphic encryption makes it possible to analyze data while still in its encrypted state. It has long been considered a “holy grail” of encryption, and new advances have made commercial use possible.
One potential use case is privacy in search, as search engines could carry out searches without actually knowing details of the request, thereby preventing them from developing a user profile for advertising. Another potential use case is monetization of data, where organizations that previously could not monetize their data due to privacy concerns may now be able to allow analysis of that data without exposing the data itself.
- Post-quantum algorithms – Computers that use quantum theory rather than bits and bytes are no longer in the realm of fantasy, and the increase in computing power they will bring will make today’s crack-proof encryption algorithms almost trivial to break. State actors are likely to have quantum computing far earlier than the businesses and companies that will need to protect against them, so efforts are underway to develop ever-more complex algorithms that are expected to be a match for the enormous increases in computing power that quantum computers will present. Just this month, NIST released the first four encryption algorithms that it will use for its post-quantum cryptographic standard. Key managers will need to keep abreast of these changes, and the services they use should already be preparing for them as well.
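The password use case described under Zero Knowledge Proof above, as an added example that is not part of the original article or any Ntrinsec product: one round of Schnorr identification in Python, in which the verifier confirms that the prover knows a password-derived secret while the password and the secret never cross the wire. The group parameters, salt, sample passwords and function names are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 has order q.
# Far too small for real use; shown only so the arithmetic is easy to follow.
P, Q, G = 2039, 1019, 4

def secret_from_password(password: str, salt: bytes) -> int:
    """Stretch the password into a secret exponent x in [1, Q-1]."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def register(x: int) -> int:
    """The verifier stores only y = g^x mod p, never the password or x."""
    return pow(G, x, P)

def commit() -> tuple[int, int]:
    """Prover picks a fresh nonce r and sends t = g^r mod p.
    r must never be reused: two responses sharing one r reveal x."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def challenge() -> int:
    """Verifier replies with a random non-zero challenge c."""
    return secrets.randbelow(Q - 1) + 1

def respond(x: int, r: int, c: int) -> int:
    """Prover sends s = r + c*x mod q; the random r masks x."""
    return (r + c * x) % Q

def verify(y: int, t: int, c: int, s: int) -> bool:
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def login(x_claimed: int, y: int) -> bool:
    """Run one round; only t, c and s are ever transmitted."""
    r, t = commit()
    c = challenge()
    return verify(y, t, c, respond(x_claimed, r, c))

if __name__ == "__main__":
    salt = b"constructed-salt"
    x = secret_from_password("correct horse battery staple", salt)
    y = register(x)
    print("right password accepted:", login(x, y))
    print("wrong password accepted:",
          login(secret_from_password("wrong guess", salt), y))
```

The stored value y still allows offline guessing of weak passwords if it is stolen, so the password stretching and the protection of the verifier's store matter as much as the proof itself.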
A LOOK AHEAD
The list of use cases for encryption is long and always increasing. Software solutions that address today’s encryption needs without an eye on how the environment will change are destined to either play catch up or leave their users in a bind as they are unable to smoothly adapt their key management processes. Ntrinsec’s groundbreaking approach addresses today’s use cases in ways no other product can, and is constantly being proactively upgraded to account for new use cases and new threats on the horizon.