December 04, 2020
Security

Searching Through Files Without Decrypting? Atakama Makes it Possible

Since the pandemic forced a shift to remote operations, companies have accelerated efforts to move data to the cloud -- presenting attackers with plenty of fresh targets. Two recent examples:

  1. Hackers tied to the Chinese government were caught trying to break into the computer systems of biotech company Moderna to steal COVID-19 vaccine-development data.

  2. Hackers were caught infiltrating hospital information systems to hijack vital files and demanding a ransom. Parkview Medical Center in Pueblo, CO. was one such victim.

In this environment, encryption is more important than ever. But more aggressive encryption shouldn’t slow down your business. You should, for example, be able to search through encrypted, unstructured data without having to constantly decrypt and re-encrypt every file – a challenge that till now has been unsolved.

This was a challenge before COVID-19, of course, and it’s why Atakama developed a searchable encryption feature based on Searchable Symmetric Encryption (SSE),  Asymmetric Searchable Encryption (ASE), and Public Key Encryption with Keyword Search (PEKS) -- so users can search files without exposing sensitive information.

This article explains the components of the company’s searchable encryption, why it matters, and the step-by-step process by which we enable the task.

Fusing SSE, ASE and PEKS

As noted above, Atakama’s technology incorporates elements of SSE, ASE, and PEKS. Here is a breakdown of the components:

SSE: In a joint paper, researchers from the NJIT, AT&T Labs, Microsoft, and UCLA describe its purpose: allow a party to outsource the storage of its data to another party in private while maintaining the ability to selectively search over it.  This addresses the limitations of regular private-key encryption, which prevents users from selectively retrieving segments of their data.

ASE: In a separate paper, researchers Qiang Tang of the University of Luxembourg and Xiaofeng Chen of Xidian University explained that ASE schemes support two special features: message recovery and flexible search authorization. This allows a data owner to keep his data encrypted under his public key and assign different search privileges to third-party servers. Which takes us to:

PEKS: The mechanism by which Atakama delegates its pairings is close to that of Public Key Encryption with keyword Search, which was designed to allow one to search encrypted keywords without compromising the security of the original data. But Atakama-enabled search is performed on the endpoint.

Why It Matters

Because of threats like those mentioned at the beginning of this article, along with increased regulatory demands, companies are under increased pressure to encrypt every piece of sensitive and confidential data it owns or stores.

On the regulatory side, state privacy laws such as the NY DFS Cybersecurity Regulation require that companies encrypt ALL of their non-public data -- a complex and agonizing ordeal for those unprepared. Although many regulations hint at controls rather than laying them out specifically, the NY DFS Cybersecurity Regulation clearly states that encryption acts as a primary security control protecting data. 

The state has been aggressive about enforcing the law: In July 2020, it released its first enforcement action. New York state was a COVID-19 hot spot during Spring 2020, but despite the impact that had on the state’s economy, NY DFS pushed forward with its enforcement action anyway. 

For those who must search through a lot of files, precious time is lost repeatedly encrypting, decrypting and re-encrypting, a process that also exposes the decrypted files to risk. Searchable encryption helps organizations overcome that problem.

Working with a trusted company that provides file-level, granular encryption technology while enabling search is a critical step in safeguarding your network and restoring peace of mind.

Atakama’s Approach

To illustrate how our approach works and why it’s important, Atakama CTO Erik Aronesty pointed to an organization that had to conduct an audit of encrypted data to satisfy a legal request. They had a control panel to do the work, but once encrypted, they couldn’t search through the data.

The company approached us to help it overcome the problem. They now use our API to conduct searches in a way that ensures security rigor while reducing user pain. The API pings the auditor’s phone, and the auditor approves the search.

The process is seamless to the user. They only know that they are creating and moving files around, without the friction of traditional encryption, like PGP. And, because it’s not a complex API, the integration with the audit system was easy and painless. The API and UX are so simple, they can work across a huge array of use cases, whether you’re using legacy systems like Lotus Notes, cloud document management, or the latest, most advanced data classification and data loss prevention systems.

You can, for example, have a file on disc with hundreds of SSNs on it. You can set up a group of users who are the only ones able to access and search those files. This is a unique, secure workflow that is only possible with Atakama’s searchable encryption.

If you’re a bad guy and want to access those files, you’ll have to hack the user’s workstation and their phone at the same time. Having to conduct such a targeted attack on multiple platforms at once makes it significantly harder to steal the data.

The Step-by-Step Process

Here’s what Atakama’s searchable encryption process looks like, step by step:

  1. Atakama creates an index for every file it encrypts, by encrypting each word in the file using techniques from PEKS and appending them to a blinded set.
  2. The index of encrypted words is appended to the encrypted file.  
  3. Just as Atakama authorizes the decryption of files, it also now must authorize searches.
  4. When running a search, users enter their query and approve the query on their mobile device.  
  5. The mobile device combines each word of the search query with the encryption key shards for each file.
  6.  Atakama then uses the resulting combined information to securely locate files that contain the search terms.

All of these steps are near instantaneous to the user running the search.

Aronesty describes the approach as multi-factor encryption. Just as multi-factor authentication requires that someone pass through more than one gauntlet to verify their identity and access privileges, multi-factor encryption requires the same of those looking to search encrypted files.

“Multi-factor encryption is still rare, but it’s at the heart of what we do,” Aronesty said. “We don’t have a central point of failure. If someone has malware on their machine during a search, the only information that malware can see is the existence of keywords.”

To recap: Atakama’s searchable asymmetric encryption features are easy-to-use and compatible with a multitude of systems and devices, allowing users to protect files without compromising existing user workflows.

To learn more about our searchable encryption features and how they can be used to protect your data, contact us today.

background cta