Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Digital Anarchy: Abolishing State
Mar 23rd 2023 6:32am, by Tim Banks
A Is for OpenStack Antelope
Mar 22nd 2023 7:41am, by Steven J. Vaughan-Nichols
Grab a Snapshot of Your Container Image with Checkpoint
Mar 11th 2023 6:00am, by Jack Wallen
How to Identify Your Wasteful Processes
Mar 6th 2023 7:00am, by Sean Scott
5 Things to Consider When Building a Kubernetes Platform
Mar 2nd 2023 10:00am, by Ram Iyengar
Check for Container Image Vulnerabilities with Trivy
Mar 18th 2023 6:00am, by Jack Wallen
Grab a Snapshot of Your Container Image with Checkpoint
Mar 11th 2023 6:00am, by Jack Wallen
How to Work with Containers in TrueNAS
Mar 4th 2023 6:00am, by Jack Wallen
From a Fan: On the Ascendance of PostgreSQL
Mar 3rd 2023 7:12am, by Josh Long
Analyst Report: What CTOs Must Know about Kubernetes and Containers 
Feb 28th 2023 6:14am, by Jess Lulka
Rich Harris Talks SvelteKit and What’s Next for Svelte
Mar 20th 2023 3:00am, by Loraine Lawson
The Distance from Data to You in Edge Computing
Mar 19th 2023 6:00am, by Paul Scanlon
7 Hardware Devices for Edge Computing Projects in 2023
Mar 15th 2023 6:42am, by Charles Mahler
The Need for Speed: Why Eleventy Leaves Bundlers Behind
Mar 10th 2023 8:18am, by Loraine Lawson
What the Heck Is the Edge — and Why Should You Care?
Mar 8th 2023 10:00am, by Glauber Costa
What Is Microservices Architecture?
Feb 23rd 2023 4:22am, by Eric Schabell
Java's History Could Point the Way for WebAssembly
Jan 12th 2023 3:00am, by B. Cameron Gain
Limiting the Deployment Blast Radius
Nov 15th 2022 8:14am, by Steven Lohrenz
Do ... or Do Not: Why Yoda Never Used Microservices
Oct 25th 2022 6:00am, by Samar Abbas
The Gateway API Is in the Firing Line of the Service Mesh Wars 
Oct 17th 2022 7:00am, by B. Cameron Gain
JWTs: Connecting the Dots: Why, When and How
Mar 20th 2023 7:10am, by Michal Trojanowski
Palo Alto Networks Adds AI to Automate SASE Admin Operations
Mar 17th 2023 6:00am, by Chris J. Preimesberger
TrueNAS SCALE Network Attached Storage Meets High Demand
Mar 2nd 2023 7:13am, by Jack Wallen
How Secure Is Your API Gateway?
Feb 28th 2023 5:16am, by Andrew Stiefel
Bullet-Proofing Your 5G Security Plan
Feb 24th 2023 7:24am, by Anand Oswal
Serverless WebAssembly for Browser Developers
Mar 22nd 2023 12:26pm, by Matt Butcher
ScyllaDB’s Incremental Changes: Just the Tip of the Iceberg
Mar 20th 2023 9:29am, by George Anadiotis
TriggerMesh: Open Sourcing Event-Driven Applications
Mar 13th 2023 12:14pm, by Jessica Wachtel
Ably Touts Real-Time Starter Kits for Vercel and Netlify
Mar 8th 2023 10:56am, by Loraine Lawson
Going Serverless on AWS Lambda? Recognize Potential Risks 
Mar 6th 2023 5:00am, by Sarabjeet Chugh
The Economics of Database Operations
Mar 23rd 2023 8:25am, by John Page
Digital Anarchy: Abolishing State
Mar 23rd 2023 6:32am, by Tim Banks
ScyllaDB’s Incremental Changes: Just the Tip of the Iceberg
Mar 20th 2023 9:29am, by George Anadiotis
Historical Data and Streaming: Friends, Not Foes
Mar 20th 2023 4:00am, by Michael Drogalis
Bosch IoT and the Importance of Application-Driven Analytics
Mar 9th 2023 8:30am, by Jay Runkel
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Toolkit Allows JavaScript Devs to Program Embedded Devices
Mar 23rd 2023 11:06am, by Loraine Lawson
Stopping AI Hallucinations for Enterprise Is Key for Vectara
Mar 23rd 2023 4:00am, by Richard MacManus
Vercel Brings Logging, Monitoring to Its Observability Suite
Mar 22nd 2023 3:00am, by Jessica Wachtel
JavaScript Library Lets Devs Add AI Capabilities to Web
Mar 20th 2023 10:32am, by Loraine Lawson
Rich Harris Talks SvelteKit and What’s Next for Svelte
Mar 20th 2023 3:00am, by Loraine Lawson
Toolkit Allows JavaScript Devs to Program Embedded Devices
Mar 23rd 2023 11:06am, by Loraine Lawson
5 Myths about Puppet
Mar 23rd 2023 10:18am, by Jain Waldrip
The Economics of Database Operations
Mar 23rd 2023 8:25am, by John Page
Digital Anarchy: Abolishing State
Mar 23rd 2023 6:32am, by Tim Banks
Serverless WebAssembly for Browser Developers
Mar 22nd 2023 12:26pm, by Matt Butcher
JavaScript or WebAssembly: Which Is More Energy Efficient and Faster?
Jan 30th 2023 9:51am, by Loraine Lawson
What TypeScript Brings to Node.js
Dec 26th 2022 3:00am, by Paul Ferrill
Improve your TypeScript Skills with Type Challenges
Nov 11th 2022 3:00am, by Danni White
TypeScript on Mars: How HubSpot Brought TypeScript to Its Product Engineers
Aug 19th 2022 10:00am, by George Kemp and Duncan Walter
PayPal Enhances JavaScript SDK with TypeScript Type Definitions
Aug 17th 2022 12:38pm, by Jessica Wachtel
VMware and Other Wasm Players Want WebAssembly 
Mar 23rd 2023 8:52am, by B. Cameron Gain
Serverless WebAssembly for Browser Developers
Mar 22nd 2023 12:26pm, by Matt Butcher
MIT-Created Compiler Speeds up Python Code
Mar 14th 2023 11:38am, by Loraine Lawson
Can WebAssembly Solve Serverless's Problems?
Mar 3rd 2023 5:13am, by B. Cameron Gain
Figma Targets Developers While it Waits for Adobe Deal News
Feb 27th 2023 9:42am, by Richard MacManus
Unlock the Next Wave of Machine Learning with the Hybrid Cloud
Mar 22nd 2023 10:00am, by Kjell Carlsson
Getting the Most from Kubernetes Autoscaling
Mar 21st 2023 7:06am, by Brian Likosar
ScyllaDB Challenges DynamoDB on Latency and Pricing
Mar 20th 2023 9:00am, by Jessica Wachtel
Multiple Vendors Make Data and Analytics Ubiquitous
Mar 20th 2023 5:00am, by Andrew Brust
Let’s Talk about Cloud Threat Hunting 
Mar 16th 2023 7:33am, by Guilherme (Gui) Alvarenga
The Economics of Database Operations
Mar 23rd 2023 8:25am, by John Page
Stopping AI Hallucinations for Enterprise Is Key for Vectara
Mar 23rd 2023 4:00am, by Richard MacManus
Get More out of Machine Learning with Data Preprocessing
Mar 21st 2023 5:00am, by Alexander T. Williams
JavaScript Library Lets Devs Add AI Capabilities to Web
Mar 20th 2023 10:32am, by Loraine Lawson
ScyllaDB’s Incremental Changes: Just the Tip of the Iceberg
Mar 20th 2023 9:29am, by George Anadiotis
Nvidia Hones in on Apple-Like Approach to AI with CUDA
Mar 23rd 2023 7:34am, by Agam Shah
Stopping AI Hallucinations for Enterprise Is Key for Vectara
Mar 23rd 2023 4:00am, by Richard MacManus
Unlock the Next Wave of Machine Learning with the Hybrid Cloud
Mar 22nd 2023 10:00am, by Kjell Carlsson
Get More out of Machine Learning with Data Preprocessing
Mar 21st 2023 5:00am, by Alexander T. Williams
Multiple Vendors Make Data and Analytics Ubiquitous
Mar 20th 2023 5:00am, by Andrew Brust
How 2 Founders Sold Their Startup to Aqua Security in a Year
Mar 22nd 2023 1:42pm, by Heather Joslyn
Cloud Malware: Types of Attacks and How to Defend Against Them
Mar 22nd 2023 10:13am, by Faith Kilonzi
Build Software Supply Chain Trust with a DevSecOps Platform
Mar 21st 2023 8:23am, by Diego Lapiduz
JWTs: Connecting the Dots: Why, When and How
Mar 20th 2023 7:10am, by Michal Trojanowski
Check for Container Image Vulnerabilities with Trivy
Mar 18th 2023 6:00am, by Jack Wallen
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Build Software Supply Chain Trust with a DevSecOps Platform
Mar 21st 2023 8:23am, by Diego Lapiduz
Simplify CI/CD with a General-Purpose Software Catalog
Mar 14th 2023 6:24am, by Zohar Einy
Enabling DevOps Control for Those Who Need It Most — Developers
Mar 13th 2023 6:46am, by Venkat Thiruvengadam
Setting Kubernetes Standards with Platform Engineering
Mar 10th 2023 7:39am, by Zohar Einy
Which Features Does Your Platform Engineering Portal Need?
Mar 7th 2023 4:00am, by B. Cameron Gain
5 Myths about Puppet
Mar 23rd 2023 10:18am, by Jain Waldrip
LinkedIn Unifies Stream and Batch Processing with Apache Beam
Mar 23rd 2023 8:00am, by Jessica Wachtel
Observability — Freeing Your Load Tests from the Black Box
Mar 22nd 2023 8:26am, by Ken Hamric
Reducing the Cognitive Load Associated with Observability
Mar 22nd 2023 6:44am, by Alex Gervais
Is Your Incident Response Better Than an Energy Company’s?
Mar 21st 2023 9:04am, by Paige Cruz
How 2 Founders Sold Their Startup to Aqua Security in a Year
Mar 22nd 2023 1:42pm, by Heather Joslyn
Simplify CI/CD with a General-Purpose Software Catalog
Mar 14th 2023 6:24am, by Zohar Einy
IBM Donates SBOM Code to OWASP
Mar 7th 2023 7:51am, by Steven J. Vaughan-Nichols
Slim.AI: Automating Vulnerability Remediation for a Shift-Left World
Feb 21st 2023 10:00am, by John Amaral
DevPod: Uber's MonoRepo-Based Remote Development Platform
Jan 26th 2023 3:00am, by Jessica Wachtel
How 2 Founders Sold Their Startup to Aqua Security in a Year
Mar 22nd 2023 1:42pm, by Heather Joslyn
Stephen Thaler Claims He's Built a Sentient AI
Mar 16th 2023 8:10am, by David Cassel
How Tech Leaders Are Managing Anxieties after SVB Failure
Mar 15th 2023 10:59am, by Heather Joslyn and Colleen Coll
Chatops: Where Automation, Collaboration and DevOps Culture Meet
Mar 15th 2023 8:19am, by Blair Rampling
What We Can Learn from Twitter's Outages
Mar 13th 2023 9:00am, by Jennifer Riggins
Historical Data and Streaming: Friends, Not Foes
Mar 20th 2023 4:00am, by Michael Drogalis
Defining DORA-Like Metrics for Security Engineering
Mar 17th 2023 9:00am, by Daniel Koch
Chatops: Where Automation, Collaboration and DevOps Culture Meet
Mar 15th 2023 8:19am, by Blair Rampling
Build Machine Learning Apps in Your Notebook with Tecton
Mar 15th 2023 6:00am, by Richard MacManus
Is Cluster API Really the Future of Kubernetes Deployment?
Mar 14th 2023 10:00am, by Steve Francis
A Is for OpenStack Antelope
Mar 22nd 2023 7:41am, by Steven J. Vaughan-Nichols
Getting the Most from Kubernetes Autoscaling
Mar 21st 2023 7:06am, by Brian Likosar
Is Cluster API Really the Future of Kubernetes Deployment?
Mar 14th 2023 10:00am, by Steve Francis
Can WebAssembly Solve Serverless's Problems?
Mar 3rd 2023 5:13am, by B. Cameron Gain
5 Things to Consider When Building a Kubernetes Platform
Mar 2nd 2023 10:00am, by Ram Iyengar
Reducing the Cognitive Load Associated with Observability
Mar 22nd 2023 6:44am, by Alex Gervais
Vercel Brings Logging, Monitoring to Its Observability Suite
Mar 22nd 2023 3:00am, by Jessica Wachtel
Is Your Incident Response Better Than an Energy Company’s?
Mar 21st 2023 9:04am, by Paige Cruz
Why Audit Logs Are Important
Mar 16th 2023 8:34am, by James Walker
5 Steps to Effective Cloud Detection and Response 
Mar 15th 2023 10:30am, by Faith Kilonzi
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
AmeriSave Moved Its Microservices to the Cloud with Traefik's Dynamic Reverse Proxy
Sep 8th 2022 2:02pm, by Ann R. Thryft
Can You Now Safely Remove the Service Mesh Sidecar?
Sep 8th 2022 9:19am, by B. Cameron Gain
eBPF or Not, Sidecars are the Future of the Service Mesh
Aug 12th 2022 10:00am, by William Morgan
Security

Protect and Index Sensitive Data with Polymorphic Encryption

With polymorphic encryption, the data is encrypted in multiple forms, with multiple keys, with specific functions for the data associated with each encryption set.
May 27th, 2022 10:00am by
Featued image for: Protect and Index Sensitive Data with Polymorphic Encryption
Feature image via Pixabay.

Anshu Sharma
Anshu Sharma is the co-founder and CEO of Skyflow, a data privacy vault that allows B2C companies to secure sensitive customer data.

What if you could run real-time queries on data that remains safely encrypted? That might seem nonsensical at first — doing anything with encrypted data is usually cumbersome, resource-intensive, and slow. But real-time queries on sensitive data aren’t just possible, they’re very practical, especially when working with sensitive personal data (PII). The key is polymorphic encryption, and it should be a part of any modern data privacy stack.

In this article, I’ll discuss what polymorphic encryption offers to developers and how it balances the need to use data with the need to protect data. To understand polymorphic encryption, we should start with a look at homomorphic encryption, which also aims to address data security and data usability.

Homomorphic Encryption: A Flawed Ideal?

Homomorphic encryption is widely considered to be the “gold standard” of encryption because it supports arbitrary operations on encrypted data without first decrypting it. The idea is that you perform operations (like multiplication and addition) on two encrypted values to get an encrypted result. Then, you can decrypt that result to the same value you’d get if you performed that operation on plain-text values.

With the most extensive homomorphic encryption schemes, there’s a wider range of operations available that can be performed repeatedly. On the surface, it seems like this lets you both secure sensitive data and use it.

But, there are some issues with homomorphic encryption. And looking at these issues makes it clear why homomorphic encryption isn’t more widely used. While it’s often referred to as a “gold standard,” it has some practical shortcomings — just like the monetary gold standard has practical shortcomings in economics.

With polymorphic encryption, the data is encrypted in multiple forms, with multiple keys, with specific functions for the data associated with each encryption set.

One issue with homomorphic is that it requires too much computing power for most companies to use. The computing resources required for fully homomorphic encryption mean that even with massive computing power, user experiences relying on it are incredibly slow. How slow? Slow enough that most companies would avoid it because of latency issues. Microsoft even notes in their homomorphic encryption library docs that homomorphic encryption isn’t efficient. Such performance issues make homomorphic encryption unworkable for most business applications.

So why does homomorphic have these performance challenges? It’s because homomorphic encryption is the expression of an ideal — to be able to run nearly any operation on encrypted data — that is divorced from the actual needs of most developers. The actual need often faced by developers is to run a few well-known operations on sensitive data. How often do you really need to support running a wide range of computations on sensitive data? And, why should your encryption scheme perform poorly to support these unneeded operations?

For example, you might need to determine the location of a customer by running a matching operation on their encrypted phone number, examining the country code or area code. But, I can’t think of a good reason to ever perform multiplication or addition on a customer’s phone number. So, why endure slow performance to support that operation?

The real issue with homomorphic encryption lies in its goal: to run a wide range of operations on encrypted data, while choosing which operations to support after encryption.

Polymorphic Encryption Compared to Homomorphic Encryption

Homomorphic encryption borrows its first term from the mathematical idea of homomorphism, which refers to the mapping of one mathematical object to another while preserving the structure of the first object. With homomorphic encryption, only one set of encrypted data is created and only one key can be used to decrypt the data. This is powerful but inflexible and computationally slow.

Polymorphic encryption gets its name from the computer science concept of polymorphism, where a single interface or symbol represents many data types. With polymorphic encryption, the data is encrypted in multiple forms, with multiple keys, with specific functions for the data associated with each encryption set. This is equally powerful, but much more flexible, secure, and computationally much faster.

So, while it’s similar to homomorphic encryption in some ways, there are a few important differences with polymorphic encryption:

  • Operations on partial data: Sometimes you don’t need to perform operations on an entire record, only part of it, like when you are determining a customer’s location using only a phone number’s area code. Supporting operations on partial records makes sense when you consider that many numbers are in fact data structures composed of multiple identifiers, instead of integers that you need to add or subtract. A phone number, for example, consists of a country code, an area code, and a local code. It might be commonly stored as an integer, but it is really a data structure. Operations on partial data don’t require full data access because you only need, for example, an area code projection to compare area codes. By not decrypting full records when you only need partial data, polymorphic encryption enhances data privacy and security.
  • High-performance support for selected operations: Because polymorphic only supports the operations you know you’ll need before encrypting, it offers much better performance than homomorphic encryption.

Polymorphic Encryption In Action

A few examples of how a business might use polymorphic encryption help to illuminate how you can manage what seems like the intractable conflict between the need to secure data and the need to use it:

  • ID Verification: Consider a customer service agent (CSA) who needs to use the last four digits of an SSN to confirm identity. With polymorphic encryption, they can ask a customer for their last four SSN digits and confirm their identity in real-time, without decrypting a list of customer SSNs (or even the full SSN). With homomorphic encryption, they would need to wait too long for this exact match operation for it to be practical. In systems without data protection or encryption, where CSAs have access to full SSNs, it’s only a matter of time before you have a data breach.
  • Credit Check: Picture a banker reviewing a customer’s credit score to approve a loan. They don’t need the full credit score, only to know if it is above or below a given threshold. With polymorphic encryption, they can determine whether a customer’s score meets the requirements for a given loan without ever seeing it. All that they see is a “yes” or “no” response to whether the credit score meets or exceeds the requirements for the loan.

In both of these scenarios, polymorphic encryption lets you support business workflows without decrypting data. You aren’t decrypting an entire field from your SSN or credit score table, let alone fetching these values for all customers.

This is great from a data security perspective because the last thing any chief information security officer wants, other than a data breach, is employees decrypting more data than they need and caching it locally because that’s the path of least resistance to do their jobs.

Conclusion

Balancing the need for data privacy and data usability requires us to take a new approach to storing and encrypting data — and acknowledge that data security that doesn’t support critical workflows isn’t really robust security.

Polymorphic encryption delivers what homomorphic encryption promises because it’s scoped to what business workflows actually need from sensitive data. It provides a better-performing solution because it doesn’t support unnecessary operations on your most sensitive encrypted data. Instead, it supports and secures operations needed for key business workflows, like comparison and exact match on partial records.

Note: This article discusses polymorphic data encryption. Polymorphic data encryption is distinct from polymorphic key encryption, in which encryption keys rotate, but data is unusable unless you fully decrypt it.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
VEX: Standardization for a Vulnerability Exploit Data Exchange Format Unlocking the Power of Security Orchestration Endor Labs Station 9's Top 10 Open Source Security Risks You'll Soon Be Using Vulnerability Exploitability eXchange Why So Much Open Source Software Is Vulnerable to Hackers
RELATED STORIES
No More Mr. Nice Guy: GitHub Demands Developers Use 2FA Why Your APIs Aren’t Safe — and What to Do about It Build Software Supply Chain Trust with a DevSecOps Platform JWTs: Connecting the Dots: Why, When and How How Decoupling Can Help You Write Better Software
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.