Private data can be protected when it's at rest. It can be protected when it's in transit. But what about when it's being accessed by applications?
Run-time encryption is a solution to this problem, and it's the latest technology to emerge in cloud-based security. Essentially, it is aimed at protecting applications and data during use and computation. The clever part of this is that it allows general computation tasks to be executed on encrypted data.
At the moment, such tasks end with the data being decrypted, and it is at that moment that hackers can swoop in and exploit the weakness: the decrypted data is in the clear and under their control. "Without run-time encryption, once the hacker gets inside, the game is over," Ambuj Kumar, CEO and co-founder of Fortanix, told SecurityNow. "They take control of the data immediately, and can either analyze it there and then or send it to a remote server for analysis."
In short, the data then belongs to them and can't be accessed any more by the host target. The answer of course is not to make sensitive data available to any untrusted operating systems, root users, cloud providers or insiders in the first place.
"We set out to create a means to protect applications directly, regardless of the trustworthiness of the computing infrastructure," said Kumar. Welcome to an era of securing data-in-use. Kumar -- previously chief architect at Cryptography Research -- and Anand Kashyap, CTO and co-founder, formerly an engineer at Symantec and VMware, spotted this weakness, and in 2016 the company was born.
Fortanix exemplifies the new security paradigm of accepting that at some point, systems will be hacked: it's no longer good enough to try to hold the perimeter. It's a case of not if, but when. When hackers break into a server, they may have penetrated security to get there, but with run-time encryption the data is still scrambled and therefore unreadable. It's a technology which naturally comes into its own when it provides the security for applications which are in the cloud.
Kumar believes the run-time encryption concept could apply to many other systems and applications where this functionality would be a plus. Currently, Fortanix leads with a product it launched last week called SDKMS (Self-Defending Key Management Service), which is its application of run-time encryption and on which the firm has patents pending. Kumar says it has emerged from beta and is now under limited GA, since his company is still developing the sales resources to serve the apparent demand. SDKMS is a cloud-based key management service which the company claims is the first to be Intel SGX-based, using data enclaves, the protected areas of execution in memory.
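To make the data-in-use problem concrete, here is an added example (not Fortanix code, not the SGX API, and not taken from the article) that models the difference between a naive key service and an enclave-style one. The `KeyServiceEnclave` class is a constructed stand-in for a protected execution region: it generates keys and performs keyed operations, but only ever hands opaque key IDs, inputs and outputs back to the caller. The `HostView` class is a constructed record of everything visible outside that boundary, i.e. what a root user or memory dump of the host process could observe. The naive workflow exports the key bytes to the host and uses them there; the enclave workflow never lets them cross. A check then confirms whether the key material ever appeared in the host-visible state.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class KeyServiceEnclave:
    """Constructed model of a key service running inside a protected region.

    Key material lives only in self._keys. Callers get back a key ID and can
    ask for keyed operations, but never receive the key bytes. (Assumption:
    this stands in for an enclave; it is an ordinary object here.)
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def generate_key(self) -> str:
        key_id = "key-" + secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id  # opaque handle only

    def sign(self, key_id: str, message: bytes) -> bytes:
        # The key is used only inside this boundary; the host sees just the tag.
        return hmac.new(self._keys[key_id], message, hashlib.sha256).digest()

    def verify(self, key_id: str, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(key_id, message), tag)

    def export_key(self, key_id: str) -> bytes:
        # Deliberately weak operation used only by the naive workflow below:
        # once this returns, the key sits in host memory in the clear.
        return self._keys[key_id]


@dataclass
class HostView:
    """Everything observable outside the protected region (host RAM, logs, a memory dump)."""
    observed: list[bytes] = field(default_factory=list)

    def record(self, *items: bytes) -> None:
        self.observed.extend(items)

    def contains(self, secret: bytes) -> bool:
        blob = b"\x00".join(self.observed)
        return secret in blob or secret.hex().encode() in blob


MESSAGE = b"transfer 100 USD to account 42"          # constructed sample input
TAMPERED = b"transfer 900 USD to account 42"         # constructed sample input


def naive_workflow(enclave: KeyServiceEnclave, host: HostView) -> str:
    """Host pulls the key out and does the crypto itself: data-in-use is exposed."""
    key_id = enclave.generate_key()
    key = enclave.export_key(key_id)                 # key now in host memory
    tag = hmac.new(key, MESSAGE, hashlib.sha256).digest()
    host.record(key_id.encode(), key, MESSAGE, tag)  # a memory dump would include `key`
    return key_id


def enclave_workflow(enclave: KeyServiceEnclave, host: HostView) -> tuple[str, bool, bool]:
    """Host only ever handles the key ID, the message and the resulting tag."""
    key_id = enclave.generate_key()
    tag = enclave.sign(key_id, MESSAGE)
    host.record(key_id.encode(), MESSAGE, tag)
    ok = enclave.verify(key_id, MESSAGE, tag)
    forged = enclave.verify(key_id, TAMPERED, tag)
    return key_id, ok, forged


def key_material_leaked(enclave: KeyServiceEnclave, key_id: str, host: HostView) -> bool:
    """Auditor check (assumes privileged access to the enclave for the comparison)."""
    return host.contains(enclave._keys[key_id])


if __name__ == "__main__":
    naive_host = HostView()
    naive_id = naive_workflow(KeyServiceEnclave(), naive_host)
    enclave = KeyServiceEnclave()
    enclave_host = HostView()
    enc_id, ok, forged = enclave_workflow(enclave, enclave_host)
    print("naive: key visible on host ->", key_material_leaked(KeyServiceEnclave(), naive_id, naive_host)
          if False else naive_host.contains(naive_host.observed[1]))
    print("enclave: verify ok =", ok, "forged accepted =", forged,
          "key visible on host ->", key_material_leaked(enclave, enc_id, enclave_host))
```

The point of the check is not the HMAC itself but where the key bytes are when the work happens: in the naive path they are in ordinary host memory for the duration of the computation, which is exactly the window the article describes; in the enclave path the host-visible state contains only a handle, the input and the output.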
"Our key market is the financial properties because they have important data to protect, and they can afford new systems," jokes Kumar. Included too is the government sector, because it holds state secrets but importantly is the target for the most advanced hackers.
Fortanix has to date taken two rounds of funding, one a seed round from an undisclosed source, the other -- closed in early June -- a series A round for $8 million from Foundation Capital and NeoTribe Ventures. Fortanix's first two publicly announced customers are Lending Club and IBM.
It's a brand-new technology, so was it hard to convey the technical aspects to potential investors? What was the VC community's reaction to Fortanix?
"Initially, no one understood," said Kumar. "Many folks in the VC community claim to find funding for technologies with new angles. Most of them understand the money, but not technology."
— Simon Marshall, Technology Journalist, special to Security Now