Personal identity information (PII) management is made easier in the cloud. However, as everyone from users to multinational corporations standardizes on its usage, PII is more vulnerable than ever. Stopping the collection of PII by corporations and organizations is not an option, though many would like it to be. The data is just too important to commerce worldwide. Managing it internally is complicated by the lack of competent personnel, limitations on budget, and just not knowing what the first step should be. Dealing with that vulnerability is complicated and obtuse as “solutions” abound, but it can be broken down into two levels: personal and corporate.
Some corporations are considering macro options involving quantum computing, artificial intelligence (AI), and blockchain technologies. Early in 2022, Alphabet and Honeywell spun off divisions in these areas as separate companies: Quantinuum on the Honeywell side and SandboxAQ from Alphabet.
SandboxAQ is currently building products and seeking funding beyond Alphabet in the process, but their focus is using quantum computing to secure virtual private networks (VPN), software development kits (SDK), and software-defined wide area networks (SD-WAN). Of the three, SD-WAN is closer to reality, with Vodafone Business, Softbank Mobile, and Mt. Sinai Health System as a few of their public active customers.
Preparing for the quantum future
Closer to reality is Quantinuum, which was formed through a merger of Honeywell’s quantum hardware division and Cambridge Quantum, an independent quantum computing company based in Cambridge, England. According to Duncan Jones, the company’s head of cybersecurity, the new company merges Honeywell’s quantum computing hardware with the Cambridge company’s software and is solely focused on producing secure cryptographic encryption that cannot be broken.
That’s a very big deal. Hostile nation-states are close to creating a quantum computer that can break AES 256-bit encryption, the strongest encryption standard commercially available today. According to Taher Elgamal, Chief Technology Officer of Security at Salesforce since 2013 and an advisor to Sandbox AQ, that level of encryption is still safe because no one has created a quantum computer strong enough to break it. In fact, the previous level of encryption, AES 128-bit, has yet to be broken. That doesn’t mean, however, that it is safe.
“If you record encrypted communications and just sit on it for a while until the quantum computer arrives, you can actually decrypt it and find out what was said 10 or 15 years ago,” Elgamal said. “A 15-year-old credit card number is not important, but health information and intellectual property is very valuable. So there’s a move in the industry to try to get prepared for the arrival of this before it actually arrives.”
The work being done by Quantinuum, which, Elgamal stated, does not compete at all with SandboxAQ, is extremely important to prepare for the day when that hardware exists. The fact that someone is creating a cyber defense against a future cyber threat is unique and comforting.
Jones said his company is not just focused on quantum encryption, but can now use quantum computers to produce 128- and 256-bit keys today. “We’ve been able to isolate quantum behavior that we want to measure, and use it to create cryptographic keys,” he claimed.
Blockchain technology is the focus of Ironweave from startup Upheaval. Rather than focus on encryption, the company relies on obscuring PII by breaking it up in parallel chains so the data is only available in part to those with access to the chain. Then you have Anonybit, a startup that does something similar, but without blockchain, by decentralizing biometric data into anonymous bits (hence the name of the company).
All these technologies protect data stored (at rest) or in transit, but they may not be the best protection for data when it is in use. That’s where companies like Anjuna come into play. Steven Van Lare, vice president of engineering, says their technology solves that problem by creating data enclaves, usually reserved for private cloud systems, and applying them to public cloud systems. Van Lare says financial institutions, in particular, have been leery of adopting public cloud structures specifically because their data is constantly in use. “Anjuna sets up a barrier between the infrastructure and the applications using the data allowing access only to authorized users.”
Power to the user
All the above place the responsibility on the repositories of PII in corporate databases, completely without participation of the user. Privacy laws in the United States and the European Union, however, give users the right to require companies to secure PII or eliminate it altogether. That brings an entirely different wrinkle to the problem, because failing to do so can result in lawsuits, heavy fines and criminal prosecution in most jurisdictions. Luckily there are solutions for that as well.
On the very personal level, there is DeleteMe. This service, available for about $130 a year, will search through every company that has collected personal information about you and request they delete that information from their servers. This comes in handy when talking about the EU’s GDPR and California’s CCPA, both of which require users to contact companies directly to remove information, regardless of whether the user approved the collection. The service is particularly focused on schools and universities to protect not only students but faculty and staff.
While that saves time for the user, making sure a company actually deletes that information is more difficult. Donnelly Financial Solutions, Inc. (DFIN) resolves that problem by searching through all systems and devices within a network and deleting specific records as needed.
Human Error Trumps Security
In the end, however, human error always trumps security technology. In any corporate network that allows employees to use their own devices, the potential for introducing malware is high. Work-from-home makes the potential even worse. Good Access, located in the Czech Republic (Czechia), provides a Cloud VPN service that will mask the network from unauthorized users. According to the vice president of marketing, Artur Kane, “We lower the risk in terms of narrowing the security or the size of the entire environment where actors can carry out their operations.”
While none of the above is a perfect solution, the name of the game is making data breaches more difficult because the hackers prefer the path of least resistance.
This interview has been taken from our second special magazine issue. You can find – and download – our special issues here.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.