By Sara Castellanos 

As threats from hackers and online thieves grow apace, more companies are seeking refuge in encryption -- the science of turning messages and data into gibberish for anyone who doesn't have a key.

Once limited to the most secret of secrets, encryption increasingly is being used to secure websites, protect confidential data stored in the cloud and guard credit-card numbers as they travel over financial networks.

Locking data away with encryption keeps it safe, but it comes with trade-offs. For one thing, companies can't easily perform analysis or machine learning on encrypted data. So at a time when artificial intelligence and real-time data analysis are crucial for competitive advantage, executives must decide what to encrypt and for how long. In addition, turning on encryption results in increased financial costs and performance impacts.

Public and private

Classic encryption techniques use a single key shared by both the writer and the reader, and that method is still in use today. In the 1970s, though, mathematicians devised a more sophisticated method that was made easier with computers, called public key cryptography. This scheme allows people to exchange encrypted messages without sharing a secret key first. A combination of both methods now underlies encryption for communication over the internet.

Website encryption has become widespread as Google and makers of other web browsers push sites to adopt encryption-based security.

When it comes to corporate data, however, encryption is still "pretty limited," says Avivah Litan, cybersecurity analyst at Gartner Inc. Only about a third of all sensitive corporate data stored in cloud-based applications is encrypted, according to a 2016 survey by security company Gemalto Inc. of about 3,500 IT staff world-wide.

No silver bullet

The reasons for this are varied. Like everything else when it comes to cybersecurity, encryption isn't a silver bullet. Hackers can gain access to keys, making encryption worthless. And, before encrypted data can be searched or analyzed, it has to be decrypted first, requiring a company's computers to work harder than usual.

When encryption is on by default, applications could be as much as 7% slower, which results in increased time and money spent on processing costs, says Rohan Kumar, corporate vice president of Azure Data Group, a division of Microsoft Corp.'s cloud service.

To minimize the effect on time and cost, a company can turn over the encrypting and decrypting of data to dedicated hardware so that the core processors can operate at full capacity for other purposes.

Despite performance impacts, encryption is still turned on by default in major components of the services offered by Azure, because so much is at stake for customers.

"Overall, the policy we've taken is that security trumps everything else," Mr. Kumar says.

Microsoft and other companies are experimenting with ways to more efficiently analyze encrypted data and allow AI algorithms to do their work on it.

New York-based startup Inpher Inc., for example, has developed technology that enables data to be processed while it remains encrypted, allowing machine learning and analytics to be run without ever exposing the data, says co-founder and Chief Executive Jordan Brandt.

Analyzing encrypted information without revealing any secret information means that organizations such as financial-services and health-care companies can share confidential data to gather more useful insights on larger data sets, Mr. Brandt says.

Optional layer

Some cloud-services providers have developed new encryption models designed to give business customers more options when it comes to how their data is encrypted. Box Inc., a cloud content manager with headquarters in Redwood City, Calif., encrypts all data with its own encryption keys and gives customers the ability to encrypt data with their own encryption keys, adding another layer of security. Both keys are required to decrypt the data.

"We had to find ways to make it so that our customers didn't necessarily have to fully trust us," says Joel de la Garza, formerly security officer at Box and now an operating partner at Andreessen Horowitz, the venture-capital firm based in Menlo Park, Calif.

Like most cloud-service providers, Box needs to balance demands for security against ease of use of its products. The company encrypts all sensitive data, such as financial records or personally identifiable information like Social Security numbers. But encrypting all data, such as folder and file names, isn't practical, says Mr. de la Garza, because the customers want to search and access that data quickly.

"Cryptography is basically a game of 'How can I provide enough security without making my users run away screaming in anger?' " Mr. de la Garza says.

On- and off-network

At St. Louis-based Emerson Electric Co.'s Automation Solutions division, encryption is also used in communications that flow to and from the critical infrastructure systems supplied to manufacturers, which can place a burden on customers' bandwidth. To lessen the impact on customers' systems, encryption is applied based on the risk level of the transmission. Data that remains on the secure network, for example, isn't encrypted. Data is encrypted when it traverses the internet to send control commands and other important information to geographically distributed facilities.

"You'd encrypt to make sure that the command that's being sent is the data you want to send," says Peter Zornio, chief technology officer of Emerson Automation Solutions, the division that supports critical infrastructure customers.

Ms. Castellanos is a reporter for The Wall Street Journal in New York. She can be reached at sara.castellanos@wsj.com.

 

(END) Dow Jones Newswires

May 29, 2018 22:19 ET (02:19 GMT)

Copyright (c) 2018 Dow Jones & Company, Inc.