Ubiquitous Encryption is a key technology for any company wishing to use shared IT infrastructures and services in full confidence. It is a veritable revolution for organisations that have placed the cloud at the heart of their IT strategy.

The concept of Ubiquitous Encryption is the ability to encrypt data anywhere, at any time and without the data ever leaving this state. This requires the ability to encrypt data in idle mode, during computation phases and during transport phases.

The data transport phase is where the industry has made the most progress, with swift generalisation of the SSL protocol and then of TLS for network transfers carried out in particular on the internet. With the arrival of flash storage, data encryption – performed directly by SSDs – also became rapidly widespread.

“In fact, it is at the data processing point that encryption is the most difficult to maintain,” explains Bruno Grieder, CTO and co-founder of Cosmian. “There is a necessity to be able to carry out searches or computations on encrypted data”. As a result, the industry has more recently begun to offer adapted solutions: processor manufacturers now offer the possibility of maintaining encrypted data in random access memory, since the encrypted data is only accessible in clear text to the processor when it loads it in order to perform computations.

Cloud Act: a sword of Damocles hanging over data confidentiality

“Companies need to realise that the data they put on the cloud is only encrypted when it is stored or transferred, but not during processing by the server,” underlines Sandrine Murcia, CEO and co-founder of Cosmian. At each instant, an operator with physical access to the server will be able to capture this information.

Bruno Grieder confirms this risk: “With the Cloud Act, the American government allows itself the possibility of searching as it pleases on servers of hyper-scalers, who boast a multitude of offers concerning data security, but how can we lend them our trust in such a context?” The answer is in the question: it is not possible, unless we opt for hypothetical sovereign clouds, which would be extremely demanding in terms of the security and confidentiality required for the data hosted.

According to Bruno Grieder, “In the end, the best approach is to not trust anyone by giving yourself the means to protect your data at all times. This is the concept of Zero Trust security, one of the answers to which is ubiquitous encryption of information, which will have to be achieved using robust and durable technologies”.

Tools adapted to modern development stacks

Getting managers to understand that ubiquitous encryption is the only fully secure way to upload their data to the cloud is only the beginning, because it is also necessary to guide and assist IT teams in adopting it.

“We try to provide developers with solutions that will allow them to create applications adapted to this new world,” explains Bruno Grieder. “The starting point for this is French scientific research (at CNRS and ENS), to propose solutions for simple handling of encrypted data, including during search or computation phases. Our ambition is to provide state of the art solutions in ubiquitous encryption”.

The integration of application encryption – which is an essential building block for achieving ubiquitous encryption – will be much easier for ISDs who have chosen modern software development techniques. Indeed, their experts will already be attuned to the concept of “privacy by design” and the DevOps, or even “DevSecOps”, movement. “Thanks to our solutions, developers creating microservices written in Python with the Flask framework will be able to deploy their code directly into a secure digital enclave, greatly simplifying implementation of application encryption”.

However, the transition will be more difficult for legacy applications, which will have to undergo a modernisation phase before they can integrate encryption into their core processing. “The same applies to certain cloud applications offered by major editors. For example, today it is impossible to activate application encryption in Microsoft 365. We will therefore have to wait for Microsoft to develop an adapted solution, with all the problems that this will raise, for example, when sharing data in collaborative mode or managing encryption keys”.

Cosmian APIs for Ubiquitous Encryption.

Cosmian’s Ubiquitous Encryption provides security and performance everywhere and at all times.

Cosmian provides developer APIs in libraries and server components so that developers and data engineers can quickly and transparently implement ubiquitous encryption: data is encrypted everywhere and at all times:

• At rest and during searching using flexible, secure, modern cryptographic primitives that allow application-level encryption with data partitioning, encrypted indexes and search queries, public key encryption, post-quantum resistance, attributes rotation, etc. See Cloudproof Encryption
• In use while being processed by a confidential microservice (also encrypted !) in the cloud. See Microservice Encryption

Cryptography implies managing keys, and Cosmian provides a Key Management System with a modern KMIP 2.1 interface. Cosmian KMS can be used as a complete key management solution or to complement an existing enterprise KMS.