Preserving Privacy With New Technologies

Author: Ulf Mattsson, MSE
Date Published: 9 June 2021

New technologies for data protection can arm innovative enterprises to win in an ever-changing, increasingly competitive digital economy.

Responsible Artificial Intelligence
Responsible enterprises believe their customers and employees have a right to privacy—they value those relationships, after all. Unfortunately, success in safeguarding privacy, now and in the future, will not be guaranteed by a desire to do so. The myriad regulations already enacted, compounded by the many others that are sure to come, only stress the need for enterprises to protect the privacy of anyone and everyone whose personally identifiable information (PII) resides in their data. It is a big undertaking, and many enterprises need to preserve privacy in analytics and sharing with third parties.

New techniques for data protection empower enterprises to activate and extract value from sensitive data and engender trust by ensuring that the privacy of customers and employees is always preserved. Enterprises need to cohesively safeguard privacy across their organizations, wherever sensitive data resides and however it is accessed. This allows enterprises to use sensitive data to fuel advanced analytics, machine learning (ML) and artificial intelligence (AI)—even as those initiatives migrate to cloud environments.

Cloud-Based Data
Data must move without hindrance through an enterprise’s many cloud-based databases and applications. Enterprises need the cloud to place workloads in development containers and to tap AI and reinvent how they make decisions. The types of data that are most critical in driving innovation—with advanced analytics, ML and AI—are those deemed most sensitive and must be safeguarded.

Naturally, sensitive data chronicles how customers and employees engage and, once harnessed, reveals insights and outcomes that are game-changers for enterprises. Such intelligence optimizes experiences in real time while creating a blueprint for rapid growth. Privacy and innovation go together. You cannot have one without the other, and neither is optional anymore.

New Techniques for Data Protection
New techniques for data protection create opportunities to harness the sensitive data that is proven to be most effective in activating advanced analytics, ML and AI. New techniques for data protection in AI need to keep pace with the exponential increase in sensitive data, data storage systems and tools that surface insights and enable predictive analytics to quickly extract value, apply insights in real time and predict outcomes that accelerate growth.

Homomorphic encryption, which allows computations on encrypted data and ML, is growing in popularity. New homomorphic encryption algorithms can secure data against quantum computer-based attacks and ML algorithms can be optimized for quantum computers.

Quantum Machine Learning
Quantum ML is a huge area of discussion, research, development and experimenting. We are beginning to see more quantum algorithms, which are the tapestry for the future of ML programs. ML can enable predictive analytics and enterprises can quickly extract value, apply insights in real time and predict outcomes that accelerate growth.

Trusted Execution Environments
Enterprises can shield ML models and data in trusted execution environments (TEE) to complement data protection used outside TEE. With ML models and data in TEE and the confidence that sensitive data is protected, enterprises can quickly extract value, apply insights in real time and predict outcomes that accelerate growth. Operating on clear text information inside a TEE can also increase the speed compared to operating on homomorphically encrypted data and provide scalability that is close to what is expected in a cloud environment.

Quantum Computing and Asymmetric Cryptography
One of the biggest challenges surrounding digital technology is securing systems and data. For decades, computer scientists have developed increasingly sophisticated algorithms designed to encrypt data and protect it through frameworks such as public-key cryptography (PKE), which is also known as asymmetric cryptography. These frameworks function relatively well, and billions of transactions and interactions use these algorithms every day.

As quantum computers advance and become more mainstream, they introduce a level of computing power that changes the stakes. Although there are many potential benefits, a major disadvantage is the ability to crack today’s PKE, including widely used Rivest–Shamir–Adleman (RSA) and Diffie-Hellman frameworks. This would impact everything from routers and virtual private networks (VPNs) to the ability to verify digital signatures.

More Advanced Cryptography
In 2016, the US National Security Agency (NSA) issued an alert, recommending organizations begin looking at ways to switch to more advanced cryptography. A year later, the US National Institute of Standards and Technology (NIST) began soliciting new and more advanced algorithms that could withstand cracking by quantum computers and become a standard.

Quantum computers currently lack the processing power to succeed in a brute force assault on classical cryptography algorithms. However, within a few years, once these machines hit a threshold of approximately 10 million physical qubits, they will possess this power. The risk is palpable for enterprises, universities and governments. If quantum computers crack PKE algorithms, more than devices would be affected. It could expose historical data residing inside organizations.

New Lattice-Based Algorithms
Consequently, mathematicians and computer scientists are developing new and far more advanced cryptographic algorithms that use both classical and lattice-based frameworks. The former relies on non-compact code; the latter uses mathematical formulas or proofs to ensure the integrity of the algorithm. In fact, lattice-based algorithms are part of a broader move toward formal (verified) software.

At present, NIST has narrowed the number of next-generation algorithms to 15. The group of researchers and computer scientists involved with the project continue to test, refine and update the algorithms to balance speed and security requirements. Within the next year or two, NIST is expected to finalize new standards. This will not encompass all quantum-resistant algorithms in the future—others may develop algorithms outside the standard—but it is safe to say that this set of algorithms will be widely used.

Symmetric-Key Cryptography
For now, enterprises can prepare for this next phase of cryptography by staying tuned to the NIST initiative and keeping an eye on breaking news in the field. It is not too early to begin assessing systems and devices and considering when and where quantum-proof algorithms make sense. In many cases, organizations will need to update certificate management frameworks, devices and software to support new algorithms. It is also a good idea to upgrade older systems to 256-bit keys in order to maximize data protection.

Fortunately, symmetric-key cryptography (which relies on private keys) is not as susceptible to being cracked by quantum computing, and it is not considered at risk for now. Of course, it is impossible to rely on symmetric crypto to handle many of the interactions and transactions that take place in today’s computing environment. So, once quantum-safe algorithms appear, it is wise to migrate to them as soon as possible.
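
As an added illustration of the assessment step described above (not code from the article or from ISACA), the following Python example parses TLS cipher suite names from an inventory and ranks hosts for migration, flagging quantum-exposed asymmetric algorithms and symmetric keys shorter than 256 bits. The host names and the scoring are assumptions of this example, and the elliptic-curve entries go beyond the RSA and Diffie-Hellman cases the article names.

```python
# Asymmetric primitives a large quantum computer breaks. The article names RSA
# and Diffie-Hellman; the elliptic-curve variants are added here (assumption of
# this example) because the same class of attack applies to them.
QUANTUM_VULNERABLE = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "DSS", "ECDSA"}

# Nominal key sizes (bits) of bulk ciphers that appear in TLS suite names.
CIPHER_BITS = {"AES_128": 128, "AES_256": 256, "CHACHA20": 256, "3DES_EDE": 168}


def assess_suite(name):
    """Parse an IANA-style TLS cipher suite name and list migration findings."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" in body:            # TLS 1.2 and earlier: <kx>_<auth>_WITH_<cipher>
        asym, cipher_part = body.split("_WITH_", 1)
        asym_algs = asym.split("_")
    else:                           # TLS 1.3: key exchange is not part of the name
        asym_algs, cipher_part = [], body
    exposed = sorted(set(asym_algs) & QUANTUM_VULNERABLE)
    bits = next((b for c, b in CIPHER_BITS.items() if cipher_part.startswith(c)), None)

    findings = []
    if exposed:
        findings.append("plan quantum-safe replacement for " + "/".join(exposed))
    elif not asym_algs:
        findings.append("key exchange not in suite name; review it separately")
    if bits is None:
        findings.append("unrecognized bulk cipher; review manually")
    elif bits < 256:
        findings.append(f"raise symmetric key size from {bits} to 256 bits")
    # Asymmetric exposure outranks a short symmetric key when ordering work.
    score = (2 if exposed else 0) + (1 if bits is not None and bits < 256 else 0)
    return {"suite": name, "exposed": exposed, "bits": bits,
            "findings": findings, "score": score}


def triage(inventory):
    """Return (host, assessment) pairs, highest migration priority first."""
    rows = [(host, assess_suite(suite)) for host, suite in inventory]
    return sorted(rows, key=lambda row: -row[1]["score"])


# Constructed sample inventory: hypothetical hosts with real IANA suite names.
SAMPLE_INVENTORY = [
    ("api.example", "TLS_AES_256_GCM_SHA384"),
    ("portal.example", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
    ("legacy-app.example", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("vpn-gw.example", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY):
        print(host, result["score"], "; ".join(result["findings"]))
```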

Editor’s note: For further insights on this topic, read Ulf Mattsson’s recent Journal article, “Privacy-Preserving Analytics and Secure Multiparty Computation,” ISACA Journal, volume 2, 2021.
