Encryption-in-Use (Part 2): Vaultive’s Approach
In Encryption-in-Use: Challenges and Realities, I discussed why encryption-in-use as a security technology is critical to meeting the governance requirements for cloud data ownership and control. I also wrote about the technical challenges, and the need to engineer a delicate balance of the customer’s requirements for service functionality and data ownership and control in the context of a specific application. In this post, I will address how Vaultive has approached the challenge of encryption-in-use.
Vaultive’s Approach to Encryption-in-Use
The Vaultive platform is the product of several years of dedicated research and development by cryptographers and information security specialists. Vaultive’s encryption is applied before data is transmitted over the WAN and protects it across the data’s lifecycle: in transit, at rest and in use. The encryption scheme is implemented at the field level and employs cryptographically generated metadata to preserve the content characteristics that server-side operations need. Unlike other approaches, which rely on deterministic word-level encryption to preserve server-side functionality, Vaultive does not use deterministic encryption: if a given value is encrypted multiple times, it will never appear as the same encrypted string.
Although the proxy is software-based and can run on standard hardware or as a virtualized image, Vaultive devised ways of minimizing the actual amount of direct processing required at the proxy, so as to limit the network overhead introduced and minimize the impact on latency.
From an encryption perspective, the Vaultive approach builds on a series of practical steps. Vaultive leverages existing cryptographic tools to support the common server-side operations that are critical to service functionality. The design principle is to expose, per field, only the minimal amount of information required to support those operations, and to encode the data in a compatible textual format that does not interfere with the cloud service’s presentation-layer conventions. As a result, a user who accesses data served by the cloud service without going through the proxy sees each protected field only as a ciphertext string.
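The sketch below is an added illustration of the two properties this section and the previous one describe, not Vaultive’s code (the post does not detail its scheme): each encryption of a field is randomized, so an equal value never yields an equal ciphertext, and a small piece of keyed metadata lets the cloud service answer a keyword search on a field without ever holding a key, while the result is a plain text string the service can store and display. The per-word HMAC search tokens, the `ENC1:` text format and the HMAC-SHA256 counter-mode stream cipher (a standard-library stand-in for a real cipher such as AES) are my assumptions; note that the tokens deliberately reveal which fields share a word, which is exactly the minimal exposure the design principle trades for server-side search.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed keys; in the design above they live on the customer-side appliance.
ENC_KEY = secrets.token_bytes(32)
MAC_KEY = secrets.token_bytes(32)
TOKEN_KEY = secrets.token_bytes(32)

def _keystream(nonce, n):
    # HMAC-SHA256 in counter mode as a stdlib stand-in for a real cipher (e.g. AES);
    # the per-field random nonce is what makes every encryption different.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(ENC_KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def search_tokens(text):
    # Keyed per-word tokens (assumed metadata): they let the server answer a keyword
    # search and expose only which fields share a word, nothing about its content.
    words = {w.strip(".,;:!?").lower() for w in text.split()}
    return sorted(hmac.new(TOKEN_KEY, w.encode(), hashlib.sha256).hexdigest()[:16]
                  for w in words if w)

def encrypt_field(text):
    # Randomized encrypt-then-MAC of one field, plus its metadata, encoded as a
    # plain text string the cloud service can store and render unchanged.
    nonce = secrets.token_bytes(16)
    pt = text.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(nonce, len(pt))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    body = base64.urlsafe_b64encode(nonce + ct + tag).decode()
    return "ENC1:" + body + ":" + ",".join(search_tokens(text))

def server_matches(blob, query_tokens):
    # All the cloud service can do without a key: compare token strings.
    _scheme, _body, tokens = blob.split(":", 2)
    return set(query_tokens) <= set(tokens.split(","))

def decrypt_field(blob):
    # Proxy side: check integrity first, so a tampered field is rejected, not decrypted.
    _scheme, body, _tokens = blob.split(":", 2)
    raw = base64.urlsafe_b64decode(body)
    nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()
```

The proxy computes the query’s tokens with `search_tokens` and hands only those strings to the service, which runs `server_matches`; `decrypt_field` happens on the proxy alone.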
Vaultive delivers a platform to address cloud computing’s pivotal governance and security requirement for encryption of data in use. Vaultive employs a set of tested and industry-standard cryptography tools to ensure that the encoding is non-reversible and is impervious to dictionary-based or chosen-plaintext attacks. Decryption is tied to the association between an entity and the encryption key. And, since the keys reside on the appliance, the data owner maintains control of the keys.
Does Vaultive provide third-party validation of its encryption scheme?
Vaultive has worked with world-leading cryptographers on ensuring the resiliency of the encryption scheme. Vaultive recommends customers engage with a firm with expertise in validating encryption schemes and evaluating the encryption strength.