As any student of cryptography will tell you, encrypting a message – and keeping it encrypted – means smothering it in (at least the appearance of) several layers of randomness. Sounds fascinating, I hear you say, but what’s that got to do with me?
Well, after recent revelations of the extent to which data privacy laws are breached on a daily basis by certain intelligence agencies, the encryption and security of data and communications have suddenly become issues that affect us all. The world’s CIOs, meanwhile, must look on in wry amusement – for them, worrying about security is a way of life.
Talk of data access and information availability makes most CIOs shudder with terror. And as for cloud computing, well, a lot of CIOs remain pretty sceptical about it for one main reason – they love security. I mean, they really love security.
If you read analyst reports on CIO priorities, you’d be forgiven for getting the impression that, if CIOs had their way, corporate data wouldn’t just be encrypted, it* would be fitted with self-destruct mechanisms, sealed in a lead-lined vault and tossed into the Mariana Trench from the back of a passing trawler. Of course, in this scenario, data access does become a fairly significant problem…
So if that’s not an option, what are the world’s assorted techno-boffins planning to do about it? A couple of articles have caught my eye recently, as they outline two innovative approaches to data security.
Data stored in the cloud is vulnerable in a number of ways, not least of which is that the physical server your data is accessed on can also host many other virtual machines (VMs). In theory, if hackers can provision VMs of their own on the same physical server as yours they can then analyse memory access patterns on that server to intercept your data – and your encryption key.
This month’s Information Age carries an interview with Professor Srini Devadas at MIT, whose team is working on a technique using ‘oblivious RAM’ to randomise memory access routes, removing the patterns that hackers are searching for and potentially making the cloud a much safer place for data to live.
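To make the idea concrete, here is an added example (not from the interview or from the MIT team's code): a toy Python version of Path ORAM, one published oblivious-RAM construction, picked here as an assumption because the article does not name a scheme. The class, the `demo` helper and the `record-N` values are all constructed for illustration; what matters is that the storage locations an observer sees are random, even when the same record is requested over and over.

```python
import secrets

class PathORAM:
    """Toy Path ORAM. The position map and stash stay with the client;
    the bucket tree stands in for untrusted memory. A real deployment also
    pads buckets with dummy blocks and re-encrypts everything it writes."""

    def __init__(self, height=3, bucket_size=4):
        self.h, self.z = height, bucket_size
        self.leaves = 1 << height
        self.tree = {n: {} for n in range(1, 2 * self.leaves)}  # heap-numbered buckets
        self.pos, self.stash = {}, {}
        self.trace = []  # bucket ids touched per access: the observer's view

    def _path(self, leaf):
        node, path = self.leaves + leaf, []
        while node >= 1:
            path.append(node)
            node //= 2
        return path  # leaf bucket first, root (bucket 1) last

    def access(self, block, value=None):
        """Read a block, or write it when value is given. Returns its value."""
        leaf = self.pos.get(block, secrets.randbelow(self.leaves))
        self.pos[block] = secrets.randbelow(self.leaves)  # fresh random leaf every time
        path = self._path(leaf)
        for node in path:                 # pull the whole path into the stash
            self.stash.update(self.tree[node])
            self.tree[node] = {}
        if value is not None:
            self.stash[block] = value
        result = self.stash.get(block)
        for node in path:                 # write back, deepest bucket first
            fits = [b for b in self.stash if node in self._path(self.pos[b])][: self.z]
            self.tree[node] = {b: self.stash.pop(b) for b in fits}
        self.trace.append(tuple(path))
        return result

def demo(requests):
    """Store 8 constructed records, replay requests, return (values, leaves seen)."""
    oram = PathORAM()
    for b in range(8):
        oram.access(b, f"record-{b}")
    oram.trace.clear()
    values = [oram.access(b) for b in requests]
    return values, [p[0] - oram.leaves for p in oram.trace]
```

Calling `demo([3] * 64)` returns `record-3` sixty-four times, while the list of leaves touched wanders across the tree; with plain array indexing the same requests would hit one address sixty-four times.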
Meanwhile, The Economist reports that a team at the Centre for Quantum Technologies in Singapore is developing a new approach to quantum cryptography that could be used to maintain the security of encryption keys even if the physical sending and receiving devices have been subverted by hackers. Similarly to the MIT approach, the basic aim is to remove the patterns in transmitted information that give away encryption keys, while still making the data accessible and intelligible to its intended recipient.
As their method relies on creating, and then ‘entangling’, pairs of photons (at least 15% of which are subsequently lost) and blasting them down optical cables, this technique isn’t quite ready to tackle the immediate challenges of cloud computing, but it’s certainly an interesting development that will find practical applications at the most security-conscious organisations. Like the NSA.
*Yes, my grammar-loving chums, I know ‘data’ is the plural of ‘datum’, but like all sane people I choose to ignore it.