Most have been in this situation before: one of the providers or services we use is a victim of a data breach and we want to determine if our personal user data has been impacted. This is where fully homomorphic encryption (FHE) comes into play. With FHE, the encrypted, personal password is compared against the data set of stolen user data and potential matches are identified without ever revealing the user’s password.

Use cases for this type of privacy-enhancing technology (PET) are numerous. They range from applications in medicine, where third-party service providers can analyze health data without compromising a patient’s privacy, to performing machine learning and AI algorithms on encrypted data, allowing organizations to derive insights from sensitive data sets without exposing the data to potential breaches or privacy violations.

How It Works

Fully homomorphic encryption allows calculations to be performed on encrypted data without having to decrypt it first. Confidentiality is maintained, as even the results are encrypted and can be viewed only with the appropriate decryption key. Further techniques for processing encrypted data are multi-party computation (MPC) and trusted execution environments (TEE).

Mathias Kohler, research manager at 51·çÁ÷Security Research, outlines the differences: “While FHE is the most known of the encryption technologies, MPC is the ideal candidate if working with several parties exchanging encrypted data across company borders. And it can be substantially faster than FHE.” While both are software-based technologies, TEE is hardware-based, which makes it the fastest choice. The downside: TEEs, unlike MPC and FHE, require decrypting the data for processing. While decryption happens in a trusted hardware environment isolated from the operating system, it can allow data leakage via side-channel attacks. Notably, PETs do not need to be considered in isolation and can augment each other. For example, MPC can encrypt and distribute an FHE decryption key, protecting the FHE key and ensuring no single party can decrypt everything.

Why It’s Relevant

There is a demand for this kind of technology. By 2025, 60% of large organizations will use at least one privacy-enhancing computation technique in analytics, business intelligence, or cloud computing, according to .

Fully homomorphic encryption has numerous applications, especially in scenarios where privacy and security are paramount, such as secure computation in the cloud, privacy-preserving data analysis, and secure outsourcing of computations. As long as one party is performing the data processing centrally, FHE is the encryption method of choice. FHE enables organizations to share encrypted data with partners or third parties for analysis or monetization purposes while maintaining data confidentiality. This is particularly relevant in industries such as advertising and market research.

Interesting use case scenarios from SAP’s perspective could be secure benchmarking and predictive maintenance.

Secure Benchmarking

Companies often assess their competitiveness relative to industry peers and compare business-relevant KPIs, such as automation rate or return rates, with peers and even competitors. With fully homomorphic encryption, all participating parties can share encrypted KPIs without revealing individual data. As a result, they learn about relevant statistics, such as averages or medians, to assess their relative competitiveness and decide where to improve and invest.

Predictive Maintenance

Predictive maintenance is a machine learning technique to forecast demand for maintenance or spare parts based on historical data. “In certain industries, required data, such as usage patterns and failures, is considered sensitive and is not easily shared with data scientists or maintenance operators,” says Anselme Tueno, senior researcher at 51·çÁ÷Security Research. By computing on encrypted data, however, no sensitive information is revealed while still allowing for the required insights to be gathered for prediction tasks.

Carbon Footprint Calculation with Multi-Party Computation

While it is early days from a product availability perspective, 51·çÁ÷is working on potential use cases with customers and partners. One key example is calculating carbon footprints of products.

Prime examples for complex collaborations are today’s supply chains, intricate networks that encompass various levels of suppliers, manufacturers, and processed goods. Unfortunately, there is often a lack of comprehensive visibility across the entire process – either for technical reasons or because businesses are often reluctant to share sensitive data across supply chains that often include direct competitors.

However, to accurately assess and disclose a product’s carbon footprint, sensitive production details and associated carbon costs for production-relevant parts and materials are required. Here, MPC can reveal only the required carbon footprint without disclosing associated, proprietary manufacturing details with other supply chain participants.

Currently, 51·çÁ÷is working with Bosch on cloud-native software for secure multi-party computation called .

“51·çÁ÷participates in this open-source project and supports the development of Carbyne Stack’s storage and processing services and the deployment of Carbyne Stack on Amazon Web Services (AWS),” Kohler explains. “For Bosch, Carbyne Stack is a type of cloud-native operating system for MPC workloads that manages resources to run as efficiently as possible in multi-cloud deployments.” This effort can help 51·çÁ÷in the long run to integrate MPC as technology into 51·çÁ÷solutions and services while running in a cloud-native environment.

What’s Next?

Despite all the benefits around processing data, encryption introduces significant computational overhead due to the complexity of performing operations on encrypted data. Slow processing speeds, especially for complex operations and large data sets, makes fully homomorphic encryption impractical for real-time applications or large-scale data processing. Although the performance of FHE has greatly improved in recent years, its practical adoption is still limited due to the processing overhead and performance considerations. Ongoing research is focused on the design of FHE-specific hardware accelerators.

“PETs for computing on encrypted data have the power to amplify data-driven business collaborations and reshape the future of cloud computing,” explains Jonas Böhler, senior researcher at 51·çÁ÷Security Research. By safeguarding data, they enable access to previously untapped information while minimizing privacy risks and thwarting data breaches. The future of computing is encrypted.

This is why 51·çÁ÷and Bosch have joined forces to harness the power of secure multi-party computation (MPC) and help enable secure and privacy-preserving data analysis across different organizations and industries.  

Bringing Secure Computation to the Industry Level 

MPC is an advanced cryptographic technique that can offer significant benefits to 51·çÁ÷customers and partners that often deal with sensitive data from various sources and stakeholders. MPC allows multiple parties to jointly perform a computation without revealing any sensitive information that may be contained in their input data.  

That’s a great achievement because companies often fear that the risk of sharing their data openly is greater than the potential value of the sharing itself. One example is the supply chain, where multiple parties are involved. Object-level tracking allows companies to collect large amounts of data, such as time, location, or handling of the goods they produce. Combining the data collected by the different companies involved can have significant benefits. However, two companies may only be willing to share information about common items that they have both handled along the supply chain. MPC can help solve this dilemma with secure and private computation. 

As a result, organizations can perform complex data analysis and processing without compromising confidentiality or compliance. predicts that by 2025, 60% of large organizations will use at least one privacy-enhancing computation technique in analytics, business intelligence, or cloud computing.

“Companies can thrive the most when collaborating in business networks, and sharing data is a key component of these ecosystems. MPC can help protect sensitive data from unauthorized access and misuse while still enabling valuable insights and analytics,” says Volkmar Lotz, head of 51·çÁ÷Security Research at . Powering secure benchmarking, fraud detection, supply chain optimization, or personalized services, MPC facilitates data sharing and collaboration across different organizations and sectors, creating new opportunities for innovation and growth. 

Lifting MPC into the Cloud 

In response to the demand for greater data privacy, Bosch Research has initiated the open-source project , which makes MPC available for a cloud environment. This way, confidentiality and privacy are maintained when data is processed by cloud services.   

“Carbyne Stack is a kind of cloud-native operating system for MPC workloads, managing resources to make them run as efficiently as possible in multi-cloud deployments,” explains Sven Trieflinger, senior project manager and group lead at Bosch Research. “From a business perspective, it’s the seed for an upcoming open ecosystem of technology building blocks that will accelerate the development and adoption of MPC technology across multiple industries.” 

51·çÁ÷has recently joined Carbyne Stack as a contributor. Building on both partners’ leadership in data security, cloud computing, and business applications, the collaboration will explore the potential of MPC for various use cases and industries currently constrained by security and privacy concerns. One of the first topics for 51·çÁ÷will be to make the Carbyne Stack storage and processing services easily consumable from within the browser and to add support for deploying Carbyne Stack on Amazon Web Services (AWS). These changes will help 51·çÁ÷work towards its vision of providing services for privacy-preserving data operations across different organizations and sectors, creating new opportunities for innovative business cases. 

“By combining the strengths of 51·çÁ÷and Bosch, we aim to advance the state of the art in MPC and enable new business cases for our customers and partners,” says Lotz. 

51·çÁ÷targets use cases in industries such as automotive, manufacturing, healthcare, and finance. The exploration of MPC’s potential holds the opportunity to revolutionize those industries by solving critical data privacy and security challenges without compromising collaboration and innovation.  

To find out more about secure multi-party computation, get in touch with us at icn@sap.com.

Mathias Kohler is a research manager for 51·çÁ÷Security Research.

Data privacy, risk management, and cybersecurity remain key priorities for businesses in 2023 to ensure continuous high performance and to catapult to new heights. In a recent , 43% of survey respondents said that they plan to upgrade IT and data security to reduce corporate risks. That includes security and data protection measures to keep their data safe. This becomes even more important when moving to and operating in a cloud enterprise resource planning (ERP) environment to drive continuous innovation. In the same CIO survey, 12% of the respondents said that they are planning to accelerate the move to the cloud as a service.

Adopt a Zero Trust Security Approach for the Cloud

To secure data and operations in a hybrid work environment, companies have been adopting a zero trust approach. defines zero trust as an “information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy, informed by continuous, contextual, risk-based verification across users and their associated devices.”

According to 2022 global survey data published by , 39% of companies have already begun to roll out a zero trust solution and 41% of companies have plans to adopt a zero trust strategy and are in the early phases of doing so.

My principle in life is to trust people and systems until I am provided a reason not to. The zero trust principle is the exact opposite of this.

The zero trust approach has three key principles: all entities and users are untrusted by default until authorized, the least privilege access is enforced, and extensive security monitoring is in place. In short, no connections to corporate networks and systems should be trusted at sight. All users, devices, and systems need to be authenticated, reverified, and continuously monitored when accessing networks, systems, and data.

Adopting this approach to cloud transformation has become the leading industry standard to keep operations and data safe across the entire virtual and physical network infrastructure.

Here are some best practices for putting an enterprise security plan in place that utilizes zero trust concepts to run operations safely and securely in the cloud.

Define Clear Security Roles and Responsibilities

First and foremost, ensuring security is always a shared responsibility between companies and their cloud transformation partners. It is a common goal and commitment that is independent of the type of cloud path companies take.

Like with any shared responsibility, the best way to approach it is by defining the roles and responsibilities up front. This process starts by asking these key questions: who is managing the cloud, how will everyone work together to secure the cloud, who is responsible for which part, and where are dependencies?

This will ensure that there is a clear strategy and plan to monitor and implement security policies and measures.

Keep an Eye on Users, Devices, Network, Applications, and Monitoring

Based on our experience at 51·çÁ÷Enterprise Cloud Services, another best practice is to focus the zero trust security approach on five pillars: users, devices, networks, applications, and monitoring.

Eighty-seven percent of organizations consider the application layer as being the front door for data breaches. Most data breaches through cyberattacks happen because users fail to keep their credentials safe or fall prey to false identities. In addition, the number of remote users with their own devices has significantly increased in enterprise networks as well as the number of cloud-based assets that are not located within an enterprise-owned network boundary.

By regulating and monitoring user access to devices, networks, and applications, companies can protect all their resources, including assets, services, workflows, and network accounts. For example, identity management systems can manage privileged user authentication and access at a very granular level. This includes keeping administrative accounts separate from corporate accounts and applying encryption to several layers in the IT environment. Data classification makes it possible to associate the security levels with specific types of data, regardless of where that data resides – in the cloud, at endpoints, or in owned data centers.

Scaling Security Needs Faster with the Cloud

While managing the complexity of security needs for cloud transformations can be daunting, here is an added merit: companies can scale their security needs much faster in the cloud, according to research. Benefits include better automation capabilities as well as higher storage and data capacity in the cloud. Companies can push infrastructure as code and fix a security problem in real time when operating in the cloud. Automation also helps in increasing the maturity of identity management and security management systems. recommends embracing cybersecurity as a differentiator to promote greater stakeholder trust and better use of cloud-native solutions that take advantage of the cloud’s full potential.

In other words, you can shine like a diamond on your cloud platform of choice with a zero trust security approach for the cloud.

For more information, visit the site and read this chief security officer for 51·çÁ÷Enterprise Cloud Services.

Peter Pluim is president of 51·çÁ÷Enterprise Cloud Services and 51·çÁ÷Sovereign Cloud Services.

“Data is the new oil,” according to in 2006. In 2017, said, “Data is the currency of the digital age.” The world has recognized the value of data in how people do business in the 21st century.

More than 400,000 companies are using 51·çÁ÷to run their business where often their most important data is processed.

Last year was one of privacy compliance, where many organizations were fined enormous amounts due to lack of data privacy processes and governance. This led to data protection and privacy regulations being constantly updated to suit the ever-changing threat landscape and required controls. Therefore, it is expected that these updates be implemented in 2022 and beyond.

51·çÁ÷has been working on innovative options to protect its customers’ “crown jewel” — not just from external threats but those closest to it, such as employees, business partners, and other users who have privileges to access sensitive information.

, data is worth a significant amount when stolen and sold on the black market or abused for money or any malicious intent. Industries and governments have therefore put in place regulatory and legal compliance requirements to help ensure that such sensitive information is not misused to cost companies their business or economies worldwide. The growing concerns and possible repercussions for neglecting to safeguard such data can lead to incidents where recovery is difficult.

A best practice for companies to proactively address data protection is to help employees avoid inadvertent data breaches. 51·çÁ÷addresses this with UI data protection masking and UI data protection logging packages developed by the Customer Innovation & Maintenance organization at SAP.

“With the increase in remote workers, companies are challenged with securing sensitive data while allowing employees to access information and execute business processes seamlessly,” said Thomas Ruhl, head of Product Management for Customer Innovation & Maintenance at SAP. “This is only one example of the growing data protection needs of our customers. That’s why we created the new UI data protection masking and UI data protection logging software, which enables them to safeguard their data using dynamic rules that can address complex business scenarios.”

Proven 51·çÁ÷Solutions Help Customers with Data Protection

UI data protection masking and UI data protection logging empower businesses to have control over which data, if deemed sensitive, should remain visible for a user to fulfill his or her job. It keeps an audit trail of user access and analyses it, helping eliminate the need to micromanage.

UI data protection masking and UI data protection logging target insider threats — be they intentional or unintentional. Rules can be set to obfuscate or reveal specific data to users according to nominated authorization levels.

The process of masking happens on the server side but only at the user interface layer and does not impact the application or data base layers. Masking is commonly used in concealing data such as personally identifiable information (PII), HR, financials, intellectual property, customer information, trade secrets, and anything that can be subject to harmful intent or mistake, thereby putting the business at significant risk.

UI logging is the ability to gather audit logs, allowing tracking and tracing of the journey of the data, including users who accessed them. It is synonymous to leaving a fingerprint at every turn. This is ideal for audit and investigative processes.

UI masking and UI logging also help address regulatory compliance requirements such as General Data Protection Regulation (GDPR). It may be EU-centric, but the regulation affects anyone or any entity outside of the EU who accesses, processes, or stores data of EU natural persons. More and more geographies are enacting similar legislation, often based on a similar direction as GDPR, such as the California Consumer Privacy Act (CCPA). Taking steps to be compliant will incur the least effort and cost as opposed to being fined for a significant amount., GDPR fines totaled US$63 million in its first year.

A use case that is becoming increasingly popular is data access by employees from separate entities, such as demergers, sharing the same application instance. This is when attribute-based authorization is relevant and less cumbersome without the need to modify the application nor provide an additional instance.

Here are questions that can help identify whether UI data protection masking and UI data protection logging are relevant to your business:

• Does your organization use SAP?
• Is sensitive information such as PII, trade secrets, IP, and business plans processed in SAP?
• Is the sensitive information valuable enough to be protected?
• Are there any data protection and privacy compliance requirements?
• Is your organization’s business in the process of merging/demerging?
• Do you find the static role-based authorization model insufficient?
• Would a dynamic approach that offered better granularity be more appropriate?
• Do you require a facility to investigate, spot data breaches, and ascertain who is responsible?

If the answer is yes to point one and to any of the following questions thereafter, then 51·çÁ÷would suggest:

• Discovering what UI data protection masking and UI data protection logging for 51·çÁ÷can do from the .
• Contacting your 51·çÁ÷account manager to arrange an initial discovery call with the product team or 51·çÁ÷experts.
• Planning the next steps together with the 51·çÁ÷team, such as solution value for your business case, solution demo, and more.

During that same timeframe, researchers expect 20 percent of organizations will budget for quantum computing projects ─ compared to less than one percent today. While quantum computing is not ready for prime time yet, that does not mean business and public sector leaders can shrug off the risks it poses to data security. That is because quantum communication is moving ahead faster than quantum computing.

“Quantum communication uses photons, which means companies can build a quantum communication network faster by using existing optic fibers,” said Laure Le Bars, research project director at SAP. “The quantum Internet could be up and running fairly quickly. This can prevent scenarios where an attacker is stealing data today and holding onto it until quantum computing is available. Consider communications between embassies in different countries or military units worldwide. Maybe this data surfaces a few years later, with the potential to cause considerable, unexpected damage with information that remains relevant. Organizations have a tremendous opportunity now to explore these new data protection protocols.”

Hackathon Takes on Quantum Challenge

People are worried about quantum computing because it promises to upend classical computer security standards. Theoretically, bad actors armed with quantum computers could intercept the sensitive, private data that businesses and consumers share and store every day, whether that data is encrypted or not.

Last fall, academic and industry researchers gathered at a hackathon, sponsored by the , to explore enhancing the library, which implements protocols that underpin Internet security. The goal of the workshop was to test new encryption capabilities to help organizations be better prepared for both quantum communication and quantum computing.

Peter Limacher, quantum expert at 51·çÁ÷Security Research, was among the hundreds of participants at the two-day event, which consisted of groups working simultaneously in six European cities. QIA is funded by the European Union as part of the research and innovation program. As a QIA partner, 51·çÁ÷employees are researching ways to keep information secure in quantum communication networks.

“Our task was to hack into the OpenSSL library and augment the standard security protocols with quantum ones,” explained Limacher. “Having secure communication or a key exchange through a quantum communications channel is possible in theory. The challenge was integrating that into existing software. People just want to click a button. Using quantum key distribution (QKD), we explored a standardized way to connect qubits and cascade through different software layers to keep information on the quantum Internet secure.”

Quantum Keys May Be Key to Security

According to the laws of quantum mechanics, it would be impossible to eavesdrop undetected on conversations taking place across the quantum Internet. Criminals also would not be able to steal, copy, or otherwise distribute stolen information. The owners of that data would know in real time if security was compromised. This is where quantum communication comes in.

“Communication in classical networks can be overheard or intercepted without anyone knowing. That’s not the case with quantum communication. You’d know immediately that someone was listening to your conversation or trying to distribute your data,” Limacher said.

Address Quantum Risks on the Horizon Now

Clearly, organizations cannot adopt a wait-and-see attitude as quantum communication emerges. Experts recommend exploring steps now to protect sensitive data before these technologies are widespread. Wherever their data is ─ whether in transit, stored in the cloud, or on laptops and other devices ─ companies need to protect it with sufficient encryption measures.

“If you have chunks of data in different data centers, you could introduce QKD to safely exchange encryption keys in close to real time,” said Andrey Hoursanov, lead of quantum security at SAP. “That way, if someone intercepts information, multiple keys may be needed to intercept additionally, making it much harder to break into. It’s not 100 percent guaranteed, but it’s much better than anything else at this point.”

Quantum Moves Ahead on Parallel Tracks

Limacher and Hoursanov kicked off the year at the latest QIA workshop, where members delivered a ranked list of quantum communication protocols for priority development in actual business software applications. They agreed that the top-three protocols of importance to business with the advent of quantum communication would be QKD, quantum digital signature, and quantum money.

“These use cases are all related to securing business trust, something that’s critical as quantum technologies progress,” said Limacher. “Companies conducting numerous transactions with partners on a daily basis need certainty that signed documents and payments haven’t been modified.”

While quantum hardware may not be fully baked, Limacher said that 51·çÁ÷partners are heads-down, using simulator programs to eventually bring these protocols into software within quantum communication networks. In the meantime, his advice for companies was unequivocal.

“Organizations need to move ahead in parallel with quantum hardware development so software applications are ready when quantum communication networks go live,” he said.

Follow me @smgaler

.