By Sara Castellanos
As threats from hackers and online thieves grow apace, more
companies are seeking refuge in encryption -- the science of
turning messages and data into gibberish for anyone who doesn't
have a key.
Once limited to the most secret of secrets, encryption
increasingly is being used to secure websites, protect confidential
data stored in the cloud and guard credit-card numbers as they
travel over financial networks.
Locking data away with encryption keeps it safe, but it comes
with trade-offs. For one thing, companies can't easily perform
analysis or machine learning on encrypted data. So at a time when
artificial intelligence and real-time data analysis are crucial for
competitive advantage, executives must decide what to encrypt and
for how long. In addition, turning on encryption results in
increased financial costs and performance impacts.
Public and private
Classic encryption techniques use a single key shared by both
the writer and the reader, and that method is still in use today.
In the 1970s, though, mathematicians devised a more sophisticated
method that was made easier with computers, called public key
cryptography. This scheme allows people to exchange encrypted
messages without sharing a secret key first. A combination of both
methods now underlies encryption for communication over the
internet.
Website encryption has become widespread as Google and makers of
other web browsers push sites to adopt encryption-based
security.
When it comes to corporate data, however, encryption is still
"pretty limited," says Avivah Litan, cybersecurity analyst at
Gartner Inc. Only about a third of all sensitive corporate data
stored in cloud-based applications is encrypted, according to a
2016 survey by security company Gemalto Inc. of about 3,500 IT
staff world-wide.
No silver bullet
The reasons for this are varied. Like everything else when it
comes to cybersecurity, encryption isn't a silver bullet. Hackers
can gain access to keys, making encryption worthless. And, before
encrypted data can be searched or analyzed, it has to be decrypted
first, requiring a company's computers to work harder than
usual.
When encryption is on by default, applications could be as much
as 7% slower, which results in increased time and money spent on
processing costs, says Rohan Kumar, corporate vice president of
Azure Data Group, a division of Microsoft Corp.'s cloud
service.
To minimize the effect on time and cost, a company can turn over
the encrypting and decrypting of data to dedicated hardware so that
the core processors can operate at full capacity for other
purposes.
Despite performance impacts, encryption is still turned on by
default in major components of the services offered by Azure,
because so much is at stake for customers.
"Overall, the policy we've taken is that security trumps
everything else," Mr. Kumar says.
Microsoft and other companies are experimenting with ways to
more efficiently analyze encrypted data and allow AI algorithms to
do their work on it.
New York-based startup Inpher Inc., for example, has developed
technology that enables data to be processed while it remains
encrypted, allowing machine learning and analytics to be run
without ever exposing the data, says co-founder and Chief Executive
Jordan Brandt.
Analyzing encrypted information without revealing any secret
information means that organizations such as financial-services and
health-care companies can share confidential data to gather more
useful insights on larger data sets, Mr. Brandt says.
Optional layer
Some cloud-services providers have developed new encryption
models designed to give business customers more options when it
comes to how their data is encrypted. Box Inc., a cloud content
manager with headquarters in Redwood City, Calif., encrypts all
data with its own encryption keys and gives customers the ability
to encrypt data with their own encryption keys, adding another
layer of security. Both keys are required to decrypt the data.
"We had to find ways to make it so that our customers didn't
necessarily have to fully trust us," says Joel de la Garza,
formerly security officer at Box and now an operating partner at
Andreessen Horowitz, the venture-capital firm based in Menlo Park,
Calif.
Like most cloud-service providers, Box needs to balance demands
for security against ease of use of its products. The company
encrypts all sensitive data, such as financial records or
personally identifiable information like Social Security numbers.
But encrypting all data, such as folder and file names, isn't
practical, says Mr. de la Garza, because the customers want to
search and access that data quickly.
"Cryptography is basically a game of 'How can I provide enough
security without making my users run away screaming in anger?' "
Mr. de la Garza says.
On- and off-network
At St. Louis-based Emerson Electric Co.'s Automation Solutions
division, encryption is also used in communications that flow to
and from critical infrastructure systems supplied to
manufacturers, which can place a burden on customers' bandwidth.
To lessen the impact on customers' systems,
encryption is applied based on the risk level of the transmission.
Data that remains on the secure network, for example, isn't
encrypted. Data is encrypted in cases where it traverses the
internet to send control commands and other important information
to geographically distributed facilities.
"You'd encrypt to make sure that the command that's being sent
is the data you want to send," says Peter Zornio, chief technology
officer of Emerson Automation Solutions, the division that supports
critical infrastructure customers.
Ms. Castellanos is a reporter for The Wall Street Journal in New
York. She can be reached at sara.castellanos@wsj.com.
(END) Dow Jones Newswires
May 29, 2018 22:19 ET (02:19 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.