Widespread use of cloud services, the rising number of integrated solutions and the collaboration between organizations increase concerns over data privacy and security. Today, we know that many data protection regulations (e.g., FIPS, GDPR, CCPA) require data to be encrypted while it is at rest and in motion. Even though we are not yet able to encrypt data in all its states, fully homomorphic encryption (FHE) keeps data encrypted while it is in use and might become one of the holy grails of the encryption methods available. As one of the technologies in the privacy-enhancing technologies (PET) market, FHE allows organizations to remain protected from cybersecurity threats by enabling computations on encrypted data without decrypting it.
The state of data denotes the mode in which computing systems are using the data. Data can be in one of three states: data at rest, data in motion, and data in use. Although most encryption methods deal with data at rest and data in transit, homomorphic encryption (HE), as an umbrella term, aims to allow computations on encrypted data in use, while it is being processed, analyzed, or manipulated, without first decrypting it with a key. KuppingerCole Analysts predicts that HE technologies pave the way for keeping data encrypted not only in the data in use state but also throughout the whole data lifecycle.
There are three types of HE. In general, the difference between them stems from the types and frequency of mathematical operations that they can perform on the ciphertext.
1. Partially Homomorphic Encryption (PHE): PHE algorithms allow only certain types of mathematical operations (e.g., only addition or multiplication) to be performed on encrypted data without decrypting it, but allow them an infinite number of times.
2. Somewhat Homomorphic Encryption (SHE): Despite being a step up from PHE, SHE algorithms allow only a finite number of operations of any kind rather than an infinite number of a particular operation.
3. Fully Homomorphic Encryption (FHE): FHE algorithms allow all available mathematical operations to be performed an unlimited number of times and up to a high level of complexity without decrypting the data. That is why encryption experts consider it the holy grail of homomorphic encryption.
1.) The owner of the data wants another party to perform mathematical operations on certain data. The owner also wants to protect the sensitive data in it without revealing it to the other party.
2.) The owner encrypts the data with a public key and sends it to the other party.
3.) The other party receives the encrypted data, performs the necessary operations on it, and sends the encrypted results to the owner. At this stage, FHE eliminates the need to decrypt the data before performing operations and while sending the results.
4.) The owner of the data receives the results and decrypts the data with a private key. The owner manages to get results without revealing any data to the other parties.
Mitigating Sensitive Data Privacy Risk:
FHE allows organizations to collaborate with each other in a safer environment. By making computations on encrypted data possible, FHE prevents organizations from revealing their sensitive data, such as PCI, PHI, and PII, and the results of those computations to the other parties. Also, securing data in untrusted environments, such as public clouds and external parties, strengthens organizations’ cyber resilience. KuppingerCole Analysts predict that FHE can contribute to a Zero-Trust approach once the limitations of FHE are overcome.
Secure Use of Cloud:
By providing additional security measures, FHE can help organizations leverage their cloud use. FHE technologies can already perform computations on encrypted data among integrated cloud services.
Complying with Regulations:
Organizations are expected to comply with international and/or regional data protection regulations. Today, many of those regulations, such as GDPR, require organizations to encrypt their sensitive data. By taking existing encryption methods to the next level, FHE can be a strategic cybersecurity investment for the future.
Supply Chain Security:
Outsourced service providers, 3rd parties, such as contractors and vendors, might have access to organizations’ sensitive data in order to do their jobs. Today’s threat landscape demonstrates how attackers target insecure supply chains among the organizations. By reducing the risk of revealing sensitive data to other parties and enabling those parties to make computations over encrypted data, FHE helps organizations reduce their supply chain risks.
Existing encryption methods lack capabilities against quantum attacks. However, some companies already offer FHE solutions that are quantum-safe. Organizations which suffer from quantum attacks can consider adopting those solutions as an alternative method to increase their cyber resilience.
Slow computation speed, accuracy problems while operating, and remarkably high storage requirements are known issues for organizations which rely on compute-intensive applications. Researchers believe that FHE still needs some years to overcome performance-related challenges.
Still an Emerging Technology:
HE’s roots date back to the 70s, yet FHE is a relatively new encryption method. Considering the fact that FHE, in its current form, yielded its first successful results in 2009, we might still have to wait some years to see more effective FHE schemes and solutions. Today’s FHE solutions give the best results when used with supporting solutions and best practices. While vendors are developing their FHE solutions, there are scientists and engineers working on specific FHE projects and also some universities which are currently researching and developing FHE algorithms.
Narrow Market Size:
As of today, there is a limited number of vendors in the FHE market. This makes finding and choosing a vendor difficult. Nevertheless, companies like IBM launched experimental FHE services in late 2020.
FHE has already been used by various organizations for different purposes. Social media companies can benefit from it for private data analytics. Governmental organizations can deploy it during the electronic voting process. Organizations like e-commerce companies, hospitals, banks, and other financial institutions in which personal, health, and financial data is stored, used, and shared with 3rd parties can also secure themselves from data breaches and increase their cyber resilience with FHE. Cybersecurity experts state that FHE already provides an effective workload protection in financial institutions against fraud intelligence.
Since FHE has not yet reached its potential capabilities, organizations might also look for alternative solutions in the encryption and PET market. Data Masking, Zero-Knowledge Proofs (ZKP), and Secure Multi-Party Computation (SMPC) could be alternative solutions for organizations depending on their needs and requirements. Recently, many experts compared FHE with Functional Encryption (FE), which is also an encryption technology that is in the preliminary stages of development.
Clarify Your Needs and Requirements: When considering any solution, organizations should first determine their requirements. Consider the limitations of FHE solutions and look for alternative solutions if needed. Creating a SWOT analysis might be helpful at this stage.
Analyze the FHE Market: Understand each solution’s strengths and weaknesses. Since FHE is an emerging solution, try to find out what further developments vendors are planning.
Conduct a PoC: Determine the best use case scenarios for your organization, create a well-defined checklist and ask initially selected vendors to prepare a PoC.
Choose a Vendor: Make sure that the vendor you select demonstrates the desired capabilities during the PoC. Finally, choose the vendor that best meets your requirements and has the fewest limitations for your organization.
This year, we are celebrating European Identity and Cloud Conference’s 15th anniversary. We will be hosting more than 200 speakers and covering a vast range of identity and cybersecurity topics. If you want to learn more about FHE and dig down deep with other cybersecurity experts, EIC 2022 is where you should be this May.
Join the full track of “Cyber Resilience” sessions by Matthias Reinwarth (KuppingerCole Analysts) and Dr. Phillip Messerschmidt (KuppingerCole Analysts)
Understand why Zero-Trust is so important in Nick Nikols’s (CyberRes) “Promoting Cyber Resilience through Identity and Zero Trust” and Fabrizio di Carlo’s (Scoutbee) “Dissecting Zero Trust, a real life example” sessions.
Dr. Phillip Messerschmidt (KuppingerCole Analysts), Kumar Ritesh (CYFIRMA) and Dirk Wahlefeld (CYFIRMA) will deep dive into “The Changing Cyber Threat Landscape” in two consecutive sessions.
Register here to learn more about Fully Homomorphic Encryption, discuss your cybersecurity measures and roadmap with vendors, industry thought leaders, and the KuppingerCole analysts at EIC 2022 on May 10-13, 2022, in Berlin, Germany & Online