A New Approach to Privacy-Preserving Encryption

For years, I’d always assumed that privacy-preserving encryption was equivalent to homomorphic encryption. You will recall that with homomorphic encryption, arithmetic can be done on encrypted data to produce the same value as would emerge for addition of the cleartext. This method has received so much investment that it’s not hard to conclude that it’s required for encryption privacy.

And this is why it was so fascinating to connect recently with cybersecurity start-up Portal26. They took the time to patiently explain their technology to our TAG Cyber team. And it eventually became clear to us that Portal26 had created a new approach, one that looks to be a good strategy for deploying privacy-preserving cryptography without the need for homomorphic solutions.

The Portal26 method works by tightly integrating with the construction of internal indexes in Big Data environments. One major use-case (not the only one) utilizes Big Data search platforms such as Elasticsearch to create from the plaintext a so-called reverse index. This process relies on the analyst knowing which type of queries will be required post-encryption, but in most environments, this is well known.

Anyway, traditional encryption algorithms, including AES, AES FF1, SHA2-256, SHA2-512, HMAC SHA2-256, HMAC SHA2-512, and KDF SP800-108, can be applied separately to the private data and to the index. This provides an encryption-in-use capability that will allow for the desired search and related query analytics on the index without exposing private data to the processing agent.

This has wonderful implications in practice, from our perspective. First, while homomorphic encryption is good math, we’ve seen some organizations struggle with performance and latency issues in commercial implementations. This might help explain why homomorphic solutions have been slower out of the gate than we’d originally expected.

A second advantage of the encryption-in-use solution from Portal26 is that it offers not only privacy preservation, but also protection from many types of data breach. Ransomware, for example, often involves not only extortion, but data exposure. By utilizing a privacy preserving tool such as this, organizations reduce their ransomware risk in a meaningful way.

This, by the way, is a good example of where security and privacy teams should be coordinating more. The need to preserve the privacy of data during analysis is cited in frameworks ranging from NIST CSF to the GDPR. It seems inefficient that teams tend to address these requirements separately. This platform looks like a decent means for helping to bridge that compliance gap.

I hope you’ll keep in mind, of course, that in this short blog, I cannot get through all the details of what the Portal26 solution does. In addition to the search use-case, their platform can be used to power a wide range of excellent cybersecurity products including a vault, API, proxy, and plug-in solution. So, you’ll have to connect with them directly to get the full solution story.

To that end, I’d strongly recommend that you spend some time educating yourself on this important privacy and security technology. The team at Portal26 is well-positioned to help you. I’d recommend that you give them a call and ask for a demo of their platform. Our TAG Cyber team did – and the time was well spent.