@ISACA Volume 16  7 August 2019

Homomorphic Encryption: Privacy Throughout the Data Life Cycle


As cybersecurity experts, we are sometimes confronted with encryption techniques that go far beyond our understanding of the math involved. This is fine if we understand how to properly apply technology under the correct conditions. However, just as asymmetrical and symmetrical encryption algorithms, encrypting vs. hashing, and other cryptographic techniques are becoming well-known, something new is appearing on the horizon.

Enter fully homomorphic encryption (FHE). FHE performs calculations on encrypted information (ciphertext) before decryption. Once decrypted, the information looks as if the encryption had been performed on plaintext.

Homomorphic encryption was invented in the 1970s around the same time as Rivest–Shamir–Adleman (RSA) and asymmetrical encryption algorithms were invented. RSA is a partial homomorphic algorithm but is not a fully homomorphic solution. So why does FHE seem to have just recently appeared?

Just like we have seen with deep learning, the resource demand was so great upon discovery that these ideas remained in the realm of theoretical and not practical. However, using today’s modern processing platforms, FHE is becoming (almost) practical.
If you remember from encryption 101, symmetrical encryption uses secret keys. Everyone who wants to communicate in that community must know the secret key. Asymmetrical encryption brings us the ability to have public key infrastructures. Asymmetrical algorithms have public keys and private keys; one pair for each computer or individual in the infrastructure. The root key pair is maintained by a trusted agent from which all other keys are generated.

Up to this point, we had a fundamental understanding that there are 2 kinds of text: plaintext, which is data that have not been encrypted, and ciphertext, which is data that have been encrypted. To protect data at rest and in transit, we encrypt the data. However, when we want to process the data, the data must be decrypted (turned into plaintext) and then processed. Homomorphic encryption algorithms break this paradigm. A homomorphic algorithm allows a user to define query criteria, encrypt it and send it to a database that may or may not be encrypted. At the homomorphic layer of the database, or host-based application, the query will be compared against the data in the database without ever decrypting the query criteria. Thus, the query criteria will only be known to the originator. Simply stated, the query is encrypted, the query is processed and the found set is returned encrypted without anyone but the originator knowing the query criteria that was satisfied and the found set returned.

Homomorphic algorithms are a perfect solution for querying databases that are hosted external to an organization within the cloud or by a third party. As you have probably concluded, there is no possibility of a man-in-the-middle attack or covert channel from your querying pattern. This makes the only issue with FHE the resource requirement. For example, to support one user, homomorphic encryption has led to a query increasing in size up to 2 TB. This, along with the encryption of the found set that could increase size by another 3 to 5 times, makes the technique unattractive in an environment where you are paying for data transfer and computing power. This is further complicated by the processing time needed for complex queries, which can greatly increase. So, size and processing requirements tend to limit the ability to use these types of algorithms at scale. For these reasons, homomorphic encryption is limited to large processing platforms and is not easily scalable.

However, some small enterprises are beginning to overcome some of these limitations. These emerging enterprises have written homomorphic encryption clients that can run on a 4G or 5G (preferred) network-compatible phone. In concert with the client is a host-based application that processes data at the database. The sizes of found sets and query criteria have been reduced by limiting what is being encrypted.

In the future, FHE will become practical for everyday use. Further, when properly implemented, homomorphic encryption will be a transparent layer within the communication stack. You may use it and never even know it.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Learning to Navigate the Job Marketplace


Source: Rainer Puster;
Getty Images

Looking for a new job can be daunting. You must determine where to start your search and what skills you need for certain positions. Then you must apply to openings, land an interview and receive an offer.

To provide you with the tools you need to tailor your resume and LinkedIn profile so that organizations with your shared values can find you, ISACA presents the “How to Start Your Job Hunt” webinar. It will detail how to network and how to apply for positions to put you in the best position to succeed. This webinar takes place on 22 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Blair Celli, leader, learning and development professional, and career accelerator, will lead the webinar. She has more than 15 years of education experience in both nonprofits and Fortune 100 companies and will use her experience in adult learning theory and e-learning/instructional design to help you learn how best to succeed in your job search. Celli seeks to empower individuals to take charge of their careers by mastering the art of finding their niche, selling their value and marketing themselves, and being fully present in their roles.

To learn more about this webinar or to register for it, visit the How to Start Your Job Hunt page of the ISACA website.


Earn Up to 37 CPE Hours at Infosecurity ISACA Conference


This year, ISACA and Infosecurity Group have collaborated to debut the Infosecurity ISACA North America Expo and Conference. ISACA will leverage its Cybersecurity Nexus™ (CSX) workshops, certification prep and CSX Training Platform to help host the event alongside Infosecurity’s expertise in immersive learning and leadership networking. This year’s conference, which takes place 20-21 November 2019 in New York, New York, USA, will have more than 120 exhibitors, 4 pre- and post-conference workshops and 5 learning tracks. Attending both the pre-conference workshops and the Infosecurity ISACA North America Expo and Conference allows ISACA members and certification holders to earn up to 37 continuing professional education (CPE) credits.

Session highlights and topic areas include:

  • Opening keynote presented by Theresa Payton, former White House chief information officer (CIO) and cybersecurity authority, an expert focused on discretion, proactive solutions and incident response/crisis management
  • Closing keynote presented by Jamie Bartlett, British author and journalist, who delves into the topics of cybersecurity and online privacy, Internet cultures, and social media
  • Emerging security tools and techniques track
  • Cyberthreat intelligence and technologies track
  • Cybersecurity leadership and development track
  • Security, risk and compliance track
  • Data analytics enhancing cybersecurity track

To register for the conference or to learn more about it, visit the Infosecurity ISACA North America Expo and Conference page of the ISACA website.


Securing the Internet of (Kitchen) Things


Source: Onfokus;
Getty Images

The kitchen has become a testing ground for Internet-connected devices. While these devices can make cooking easier and more enjoyable, they also present a security risk. In the recent ISACA Podcast episode “Cyber in the Kitchen,” Frank Downs, subject matter expert and director of ISACA’s Cybersecurity Practice, and Dustin Brewer, manager and cybersecurity product platform developer, discuss some of the ways Internet of Things (IoT) devices can be exploited.

During the episode, Brewer discusses how he easily hacked his own home-brewing IoT device, and Downs and Brewer explain the harm that a hacker can cause by exploiting an IoT-connected kitchen device, such as a sous vide. Despite these potential dangers, both Downs and Brewer enjoy having IoT devices in their homes, and in the podcast, they share some actions that even nontechnical consumers can take to secure their IoT devices.

This podcast, along with dozens of other podcasts on governance, security, risk and audit can be streamed on the ISACA Podcast page of the ISACA website, Apple Podcasts, Google Play, SoundCloud and Stitcher.