Bit Splitting
Bit splitting usually involves splitting up and storing encrypted information across different cloud storage services. Depending on how the bit splitting system is implemented, some or all parts of the data set are required to be available to decrypt and read the data.
If a RAID 5 solution is used as part of the implementation, then the system can provide data redundancy as well as confidentiality protection while making sure that a single cloud service provider does not have access to the entire data set.
Bit Splitting Benefits
The benefits of bit splitting are:
- Improvements to data security with regard to confidentiality.
- Bit splitting between different geographies/jurisdictions may make it harder to gain access to the complete data set via a subpoena and/or other legal process.
- It can be scalable, could be incorporated into secured cloud storage API technologies, and could reduce the risk of vendor lock-in.
Bit Splitting Challenges
While providing a useful solution to you, bit splitting also presents the following challenges:
- Processing and reprocessing the information to encrypt and decrypt the bits is a CPU-intensive activity.
- The whole data set may not be required to be used within the same geographies that the cloud service provider stores and processes the bits within, leading to the need to ensure data security on the wire as part of the security architecture for the system.
- Storage requirements and costs are usually higher with a bit splitting system. Depending on the implementation, bit splitting can generate availability risks, since all parts of the data may need to be available when decrypting the information.
Bit Splitting Methods
Bit splitting can utilize different methods, a large percentage of which are based on “secret sharing” cryptographic algorithms:
- Secret sharing made short (SSMS): Uses a three-phase process: encryption of information; use of information dispersal algorithm (IDA), which is designed to efficiently split the data using erasure coding into fragments; and splitting the encryption key itself using the secret-sharing algorithm.
The different fragments of the data and encryption key are then signed and distributed to different cloud storage services. The user can reconstruct the original data by accessing only m (lower than n) arbitrarily chosen fragments of the data and encryption key.
An adversary must compromise cloud storage services and recover both the encrypted information and the encryption key that is also split.
- All-or-Nothing-Transform with Reed-Solomon (AONT-RS): Integrates the AONT and erasure coding. This method first encrypts and transforms the information and the encryption key into blocks in such a way that the information cannot be recovered without using all the blocks, and then it uses the IDA to split the blocks into m shares that are distributed to different cloud storage services (the same as in SSMS).
Homomorphic Encryption
Homomorphic encryption enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.
The advantages of homomorphic encryption are sizable, ranging from electronic voting systems to collision-free hashes, with cloud-based services benefiting most, as homomorphic encryption enables organizations to safeguard data in the cloud for processing while eliminating most confidentiality concerns.
Note that homomorphic encryption is a developing area and does not represent a mature offering for most use cases. Many of the current implementations represent “partial” implementations of homomorphic encryption; however, these are typically limited to very specific use cases involving small amounts or volumes of data. Given the continued development and enhancement of homomorphic encryption, this may well have a significant impact on the way we implement controls to protect cloud data.
Quantum Computing
Combining physics, mathematics and computer science, quantum computing has developed in the past two decades from a visionary idea to one of the most fascinating areas of quantum mechanics.
Rather than store information using bits represented by 0’s or 1’s as conventional digital computers do, quantum computers use quantum bits, or qubits, to encode information as 0’s, 1’s, or both at the same time. This superposition of states—along with the other quantum mechanical phenomena of entanglement and tunneling—enables quantum computers to compute multiple data states at the same time.
Neural Networks
Neural networks are a computational approach, which is based on a large collection of neural units (also known as artificial neurons), loosely modeling the way a biological brain solves problems with large clusters of biological neurons connected by axons. The goal of the neural network is to solve problems in the same way that the human brain would, although several neural networks are more abstract.
When applying security strategies, it is important to consider the whole picture. Technologies may have dependencies or cost implications, and the larger organizational goals should be considered (e.g., time of storage versus encryption needs).