In all information security problems, we consider “Security at Data Level” involving “Encryption” as a very important tool.
When data is at rest, it can be stored in encrypted form so that even if access is compromised, the intruder cannot make use of the data. If the encryption is strong enough, the data can be practically considered immune to any adverse impact. Laws such as HIPAA, as well as other laws, consider loss of encrypted data as not contributing to a data breach.
Similarly, when data is in transmission, it is encrypted so that any eavesdropper is prevented from taking advantage of the interception.
“Encryption” is essentially a mathematical operation that works on “Data” which is a “Number expressed in Binary” and processes it as a variable in an encryption algorithm to produce a new number which is the encrypted data stream. The “Decryption” is a reverse mathematical operation that generates the original binary stream that can be read back as the original data.
Though “Symmetric Encryption”, which uses the same key for encryption and decryption, is used in most instances, asymmetric encryption using different encryption and decryption keys is preferred in some applications. In this system there is no need to transmit a secret key to the intended person to whom an encrypted message is sent, which avoids the risk of compromise in the transmission of keys. This system can also be used for encrypting data at rest and is considered the legally approved method for the electronic signature system in India.
If the encryption algorithm is strong and there is a good key management system to prevent compromise of the keys and avoid locking out of the data through loss of keys, the two-key system is a good solution to many of the security problems. Since the resource utilization could create some usability issues, in some instances a combination of symmetric and asymmetric encryption may be used.
However, the Data Processors who are concerned about “Privacy” have often wondered how to cover the risk of data breach while the data is “Under Processing”. Since hackers often get into the network of the data processors and many data breaches occur with the involvement of the employees themselves, the breach of data in its unencrypted state during the processing phase has been a matter of concern to data security professionals.
With the increasing use of cloud storage and processing over the cloud, the risk of unencrypted data being handed over to the cloud operator was always a concern.
It appears that technology is now developing to solve this difficulty in the form of “Homomorphic Encryption”.
Homomorphic encryption is a form of encryption that allows specific types of computation to be executed on cipher texts and yields an encrypted result that is also in cipher text form but which, when decrypted, matches the result of the same computation performed on the plain text.
The detailed technology needs to be discussed separately. But the possibility of processing encrypted information without decryption will be extremely interesting from the data protection viewpoint.
At the same time, attackers may use the same technology to corrupt the encrypted data as well, and we need to develop security against attacks through homomorphic encryption used as a hacker’s tool.
More views are welcome.