What Is Homomorphic Encryption, and How Does It Relate to Zero Trust?

Encryption is one of the core components of modern cybersecurity. Although encryption has always been important, it has become increasingly so thanks to the heavy adoption of public cloud resources. Even so, the encryption methods that are used today have one major shortcoming: Encrypted data at some point must be decrypted. Or does it? This has led to many organizations asking: What is homomorphic encryption?

Data at Rest and Data in Motion: The Zero Trust Factor

When dealing with public cloud resources, best practices have long stated that data must be encrypted both at rest and in motion. In other words, we need storage-level encryption (encryption of data at rest) and network encryption (encryption of data in motion).

While such encryption is both desirable and necessary, consider these encryption best practices through the lens of a zero trust architecture--particularly one that makes use of public cloud resources. The very essence of zero trust is that nothing should be trusted unless it has been proven to be trustworthy.

Although some IT pros have occasionally cautioned against taking zero trust concepts to the extreme, one must at least question what might be done to prove a public cloud platform and the processes that are running on it to be trustworthy. This is where homomorphic encryption comes into play.

What Is Homomorphic Encryption?

One of the big problems with processing data in the public cloud is that there comes a point at which the data must be decrypted to be processed. Organizations go to great lengths to ensure the security of data at rest and in motion, but processes running in the cloud can’t make use of data unless the data is first decrypted. Not only does this decryption process introduce a potential vulnerability, but it also requires a key to reside in the cloud environment so that the data can be decrypted.

But what if it were possible to process data without having to decrypt it? That is the very idea behind homomorphic encryption.

Homomorphic encryption is based on the idea that mathematical constructs can make it possible to perform certain types of data processing without first having to decrypt the data.

Homomorphic encryption can go a long way toward shoring up zero trust initiatives because it would allow encrypted data to be sent to the cloud for processing, and an encrypted result returned, without ever exposing the actual data contents to the process that is working with the data.

The best analogy I have heard to answer the “What is homomorphic encryption?” question comes from Dr. Craig Gentry. Gentry compared homomorphic encryption to a glovebox—the type used in used in labs to help prevent researchers from being exposed to hazardous substances. They can also be used to avoid contamination, in healthcare settings, or for any number of other purposes.

So, with that said, imagine that a researcher opens a glovebox and places several different items inside. For the purposes of this metaphor, the items that the person places inside of the glovebox represent data. We’ll also pretend that the person who puts the items inside of the glovebox is the data’s owner and that the data has already been encrypted. Additionally, the glovebox itself represents a public cloud computing platform.

One more thing we need to make this metaphor work is another researcher, who will represent some computational process running in the cloud. This second researcher puts on the gloves and performs some sort of process on the objects inside of the glovebox. This researcher isn’t authorized to open the glovebox. He or she can use the gloves to manipulate those objects, but can’t add or remove anything from the glovebox. The second researcher can only work with what is already inside. Later on, once the experiment is finished, the original researcher comes along and removes the completed experiment from the glovebox.

The point behind this analogy is that the second researcher was able work with something he or she did not have direct access to. Only the researcher with the key to the glovebox was able to insert or remove items. In other words, the items (which represent encrypted data) remained secure throughout the entire process, even though another researcher (who represents a cloud service) was able to interact with those items.

What’s Holding Homomorphic Encryption Back?

So, the question may not be “What is homomorphic encryption?” but rather “What’s holding homomorphic encryption back?”

Homomorphic encryption, which was invented in the 1970s, isn’t frequently discussed in IT circles. Right now, there are two things that are holding homomorphic encryption back from widespread adoption.

The first of these issues is performance. There is a huge amount of overhead associated with processing encrypted data. However, this is starting to be less problematic as available computing power increases and algorithms become more efficient.

The other thing that is holding back the adoption of homomorphic encryption is the lack of standards. That, too, is starting to change. Microsoft, for instance, has created a library called Microsoft SEAL that is designed to help make homomorphic encryption more accessible. Microsoft SEAL is freely available to anyone through GitHub.

Conclusion

While homomorphic encryption may not be ready for prime time, it’s an important encryption model to watch as we move toward true zero trust security.