End-to-end encryption has surged in popularity in recent years with internet messaging services ranging from Signal to WhatsApp to Wickr supporting the technique. “Lots of things encrypt, but the idea of end-to-end encryption is that only the ends can encrypt and decrypt. Nothing in the middle can see anything,” said Randy Battat, CEO of PreVeil, a new startup dedicated to spreading easy-to-use end-to-end encryption in the enterprise. The company’s current roster of companies includes aerospace firms and defense contractors. For now, the core functionality built into the software is encrypted email and file sharing.
While end-to-end encryption offers considerable advantages in protecting the confidentiality of data, traditionally it has been difficult to use the technique in the enterprise for a handful of reasons.
Two of those reasons are security and usability. Some applications purporting to offer end-to-end encryption define the term loosely. For instance, a Washington Post article describing the email service Virtru noted that the software “will shield your emails from hackers and the FBI, but not from your boss.” Other end-to-end encryption apps essentially lock out users who are unfortunate enough to lose an electronic device because the private keys necessary to decrypt messages reside on the device.
PreVeil gets around that latter problem through the use of what it calls “approval groups.” If a user loses, say, a laptop with the software installed, a group of trusted individuals can come together to reconstruct it. On the company’s website, it compares the strategy to cutting a house key into pieces and giving a different piece to distinct neighbors. None of the users can use the fragment to enter the house, but the neighbors could forge a new key with all of the fragments.
[IoT Security Summit is the conference where you learn to secure the full IoT stack, from cloud to the edge to hardware. Get your ticket now.]
Some companies try to make life easier for those who have lost a device by storing a copy of the private key on a server. “But that’s not end-to-end encryption,” said Raluca Ada Popa, chief technology officer of the company. “An attacker could break into the server, get the key and get your data. Other companies say: ‘Well, if you lose your key, you’re done. You can’t get it back.’”
Another common vulnerability for many enterprise companies is the amount of control wielded by administrators, who themselves become targets for cyberattackers. This was the case in a Deloitte breach last year where a hacker gained access to the company’s global email server via an admin account. Battat points to Edward Snowden’s ability to retrieve vast quantities of sensitive government information as another example of this security weakness.
“Our approach is to distribute trust,” Battat said.
Another part of PreVeil’s strategy is to keep logs of user activities. “Logs are important in a business. You want to keep track of who came and went and you know it you might want to see if somebody snooping and so forth,” Battat explained. “PreVeil, logs everything, but because we’re doing encryption, we encrypt the logs and we make the logs tamper-proof. You don’t want a bad guy to be able to remove a log entry to cover their tracks. We are using similar principles to the way the blockchain works. You can’t, in PreVeil, delete a log entry.”
The technology is currently in a beta release stage and plans to shift into full commercial mode later this year, debuting new product features as well.
When asked about the scope of IoT applications, Battat said its core encryption principles will eventually be available for licensed use. “Sometime a little further downstream, we’ll offer software development kits that will let you use these techniques for lots of other applications,” Battat said.
The technology could have a spectrum of business applications. “For example, one of our customers is a major manufacturer of elevators. Some of their elevators are in some pretty sensitive places, and those elevators collect a lot of data,” Battat said. “If those elevators were in sensitive buildings, a bad guy might be able to detect things that were going on just looking at the elevator data.”
When asked about the possible threat of quantum computing weakening many forms of encryption, Popa said that it is simple to change the algorithm the firm uses. “When we think it is time, we can just swap it out,” she said.