An upstart group of engineers and security experts has come up with a way to make encryption both secure and searchable.
The group, led by former FireEye founding engineer Ed Yu, has developed the Open Privacy API under a new company called StrongSalt. The Encryption as a Service (EaaS) API allows developers to build data protection into any application or workflow, according to StrongSalt. As a result, organizations would be able to search and share encrypted data in enterprise applications and cloud services without sacrificing privacy.
The protocol allows data to become searchable both online and offline without decrypting it first, and includes a trackable audit trail of all related events. It can be used with all data types, as well as passwords and keys.
There are numerous uses for this type of technology. A retailer that stores protected credit card data, for example, could use it to search for a credit card number without violating PCI Requirement 3.4. On a broader level, an IT professional could use it to determine which files have been stored more than once.
"They have potentially cracked a fundamental issue around encryption, which is how can you make encryption both something that obscures data in a way that's very secure—cryptography part—but at the same time make it usable and searchable," said John Kindervag, field CTO for Palo Alto Networks and former Forrester security analyst. Kindervag is on StrongSalt's board.
By making encrypted data searchable without violating the principles of privacy or encryption, StrongSalt may have solved a very big computational problem. Kindervag speculates that Yu's approach to the problem was a big driver of that result.
"A lot of people in the industry looked at it purely from a cryptographic algorithmic perspective, but Ed looked at it from a programmatic perspective," he said. "He looked at it through a different lens without biases about what could or couldn't be done, and he was willing to take risks and explore."
While the "secret sauce" remains a secret, it's fair to say that Yu's team employed a host of technologies, including blockchain. As Kindervag puts it, "Ed is using all available technologies that exist plus inventing a few things."
Kindervag says the team is being courageous, and that's what's needed.
"The future belongs to the courageous, the people who are willing to take a risk and try something that other people haven't tried or try something that other people have said could never be done," he said.