ADCG Explainer – Polymorphic Encryption
Complying with any data privacy law means, in large part, getting serious about data security. But that’s easier said than done—with cyberattacks increasing in frequency and severity each year, it’s clear that organizations need more than good password schemes and firewalls to ward off bad actors. And that’s where emerging technology has a role to play.
One technique that’s been consistently recommended by cybersecurity experts is data encryption. There are many types of encryptions, such as “encryption-at-rest,” a standard precaution in many industries that the FinTech Times, has deemed largely insufficient—especially in cases involving sensitive data like telephone and social security numbers. As this source claims, traditional data encryption is “usually cumbersome, resource-intensive, and slow.”
Where traditional tactics fall short, polymorphic encryption fills the gaps. This type of encryption permits organizations to separate their data into its component pieces—so that users can decrypt only sections of the sensitive data or—or execute match and comparison operations on the data without decrypting it.
This is similar to homomorphic encryption, which, according to The New Stack, has been “widely considered to be the ‘gold standard’ of encryption” due to its ability to support “arbitrary operations[,]” like multiplication or addition, without requiring decryption. However, there are several significant contrasts between homomorphic encryption and polymorphic encryption.
First, polymorphic encryption allows data to be encrypted in multiple forms, providing those who access it with multiple keys for each function of the encrypted data sets. But homomorphic encryption creates only one single set of encrypted data and provides the user with only one key for decryption. Thus, homomorphic encryption produces a more limited range of data use and, as a result, slower and more complex processing requirements.
Second, the ability to divide data sets into separate components when using polymorphic encryption permits users to act with greater efficiency in encrypting or utilizing encrypted data and increased data privacy and security due to the severability of the potentially sensitive information.
Third, as this article points out, polymorphic encryption can fit into a large encryption scheme because multiple forms of encryption can be applied after polymorphic encryption divides data into component sets.
Finally, because polymorphic encryption only supports operations that the user determines prior to encryption, post-encryption computations tend to be faster than homomorphic encryptions
Polymorphic encryption can provide a significant benefit to industries that need to use consumers’ personal information to conduct their business. This includes financial institutions that need to run consumers’ credit, for example, or organizations that need to conduct ID verification.
* * * * * * *
To read our coverage on the proposed changes to the California Consumer Privacy Act of 2018 (CCPA)—as amended by the California Privacy Rights Act of 2020 (CPRA), click here.
For ADCG’s Breach Report and more news updates discussing: the Cybersecurity and Infrastructure Agency’s alert to federal agencies to 75 new additions to its new Known Exploited Vulnerabilities Catalog; Verizon’s release of its annual Data Breach Investigations; Mexico’s National Institute for Transparency, Access to Information and Personal Data Protection releases an ethical guide for using AI to process personal data; and the decision by some VPN providers to leave India over new law, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
Stay tuned for this week’s in-depth discussion on Cybersecurity and Data Governance. Our Podcasts are released every Thursday, here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!