There are few things more sacrosanct in enterprise cybersecurity than the mandate to encrypt your data. Be it at rest or in transit, there are myriad ways for an enterprise to lock down its digital information. But what happens when you are actually processing your data?
That’s where Ellison Anne Williams and EnVeil come in. Williams has developed a way to protect data even while it’s in use. The tech, spun up out of the intelligence community, now gives enterprises a full scope of protection.
Williams talked with us about EnVeil, how the company has dealt with the Spectre and Meltdown vulnerabilities, and the ways enterprises can protect the legacy systems that work with their delicate data.
CyberScoop: Tell us a little more about EnVeil and how it fits into the cybersecurity ecosystem.
Ellison Anne Williams: We definitely focus on a very unique area of data security. Within data security, we close a very large gap around securing data when it’s being used or processed.
There are three elements of what we call the “data security triad” — securing data at rest, which is your standard file-based encryption. The second piece is securing it in transit, when it’s moving through the network. And finally, securing it when it’s being used or processed.
Historically the place that you see people creating products in data security has been at rest or in transit. That includes companies like Gemalto, Thales, etc. We are complementary to all kinds of products and solutions in that space. We partner with companies. In fact, we just announced a partnership with Gemalto. But that’s not our primary focus. There’s a huge vulnerability space even if you do a fantastic job in the other two areas when you go use or process data. Because up until this point, there was no good technical way to address that gap and there really hasn’t been any commercial solution in that space. So we developed some very unique capabilities to lock data down when it’s being used or processed, used it inside of the intelligence community, then brought that out to commercialize it through EnVeil.
CyberScoop: Those partnerships you were talking about, how is that beneficial to the way enterprises are buying and using cybersecurity products?
EAW: I like to be very clear in differentiating between cybersecurity and data security. In the data security world, there are only three areas of data security. As I was mentioning before, there have been a lot of solutions around making sure that data is secure when it’s sitting in the storage technology or sitting on the file system, or sitting out in the cloud. For example, there have been a lot of solutions around making sure that it’s secure when it’s moving through the network, but there’s been no practical commercial solution around making sure that it’s secure when it’s being used.
CyberScoop: The Spectre and Meltdown vulnerabilities have presented a new challenge for enterprises and their concerns with data security. How have those vulnerabilities changed the outlook toward data security within enterprises?
EAW: In the intelligence community where we originally developed some of this core technology, the vulnerability around the usage of data in that memory or processing layer is very well understood. It’s like water. It happens all day, every day, everywhere. But in the commercial space, there’s a lot less awareness of that vulnerability.
Not that it wasn’t occurring, it was, but people were less aware of the problem explicitly. So at the beginning of the company, which was almost two years ago at this point, we had to do a lot of education in the commercial world around the vulnerability space and the attack surface area. With the public revelation of things like Spectre and Meltdown, it gave a very clear view in a public arena of the vulnerability space associated with using or processing data.
And so for that reason, it just raised a level of awareness around the need to really lock down that element of data security.
CyberScoop: There is so much new tech out there with the advent of the Internet of Things, yet we are still trying to secure so much of our legacy tech. Will we ever reach a balance where things are secure by design that they will stay secure five to 10 years into their use?
EAW: We’re moving more in that direction. But part of the way that we’ve designed our products is with the understanding that those legacy systems are not going away anytime soon.
We not only need to be compatible with the legacy systems like mainframes and things like that where large organizations are storing their data today, but we also need to make sure that we are compatible with the latest and greatest. So we’ve made sure that we can span the gamut with what we productize to make sure that we can provide the usage protection for data.
So not only data stored in things like a mainframe, but things stored out in a more modern kind of storage technology, things like MongoDB, Elasticsearch, S3 buckets.
CyberScoop: What’s the one thing the greater community can improve upon?
EAW: One of the things that is really critical is thinking about data holistically. What is your security posture in all of those different arenas? What things are most sensitive to you? There’s no one-size-fits-all to data security for each and every organization. Every organization needs to step back and take a look at where their points of vulnerability are and what they need to do to lock it down.
We spent quite a bit of time not only educating people about the usage gap, but also making sure that they think more completely and holistically about their data security within the organization.