< Return to content

Asymmetric Risk: The Reason Organizations Can't Protect Our Data (No Matter How Hard They Try)

3 min read
September 3, 2019
by David Enga

We currently live in the era of incessant cyber attack and eroding digital trust. According to Gallup, more Americans are worried about cybercrime than violent crime. Privacy regulation and enforcement are spreading. In 2022, IDC forecasts that security related spending will be $133.8 billion. This spending will mostly be ineffectual at preventing breaches because it fails to address the biggest source of risk. Let that sink in, $133.8 billion in spending will be mostly ineffectual.

The reason all this cyber security spending doesn't seem to be working is that IT is incredibly complex, making the attack surface too large to perfectly close all vulnerabilities all of the time. Since it is so inexpensive to do so, attackers can continually probe for open vulnerabilities and they only need to find one for an organization to suffer a massive loss. Massive loss for minimal effort is an asymmetry, hence the term asymmetric risk.

The recent Capital One breach is a perfect example of asymmetric risk. They reportedly suffered a loss of 100 million sensitive records while the attacker expended little effort exploiting a simple firewall misconfiguration. As a large regulated financial institution, Capital One presumably spends a lot on cyber security. We know the U.S. government does. The budget proposal for 2020 cyber security spending is $17.43 billion. Can even the U.S. government spend enough to close every vulnerability all the time? Not likely. It is too cheap and easy for attackers to keep looking for that one open vulnerability. If they do find their way in or if they are an insider, it is too easy to steal information when it is concentrated in a vulnerable state. We need a new approach that eliminates concentrations of vulnerable information.

The ideal solution to eliminating asymmetric data risk once an attacker has broken in is to create an enterprise data layer where the data is always encrypted, and the keys are not stored on the servers with the data. To further eliminate concentrations of information risk, data should be compartmented by using different encryption keys. This shifts the current paradigm from massive loss for a small effort by any attacker to de minimis loss for extreme effort by highly sophisticated attackers.

Traditional databases, lakes, and warehouses can't operate on encrypted data without the encryption keys. The records they hold must be vulnerable for them to search. There has been an ongoing search for technology such as fully homomorphic encryption and searchable encryption, but they can't provide the performance and scale required to be practical.

Fortunately, Craxel has invented an encrypted distributed indexing technology that may be the only practical solution for asymmetric data risk. Strongly encrypted records are safely and efficiently organized in this encrypted index, which supports spatial, temporal, key/value and graph query. The encrypted index is searched without needing the encryption keys on the servers and it scales to millions of operations per second. Using a number of techniques, our encrypted indexing uniquely provides strong protections against sophisticated inference and query access pattern attacks. While an attacker may eventually guess something from the index, the potential gain is minimal and the effort extreme. Therefore, the risk is no longer asymmetric. Eliminating asymmetric risk is a game changer for data protection and privacy regulation compliance. If organizations are serious about protecting privacy and confidentiality, they need a fast and scalable encrypted data layer that eliminates asymmetric risk.