A Way to Hide Corporate Data from Hackers
A system that keeps data on corporate computers and mobile devices encrypted until it is viewed may help prevent breaches.
Sensitive personal data is frequently spilled by accident or stolen by hackers.
Social-security and credit-card numbers frequently leak or are stolen from corporate networks—and surface on the black market. Adam Ghetti, founder of Ionic Security, says he has invented technology that could largely end the problem. His software keeps corporate data such as e-mails and documents encrypted at all times, except for when someone views it on an authorized computer or mobile device.
Workers at a company using Ghetti’s system can create and exchange e-mails or documents as normal. But Ionic’s software invisibly encrypts what they type on the fly. If someone tries to load a stolen document on a computer outside the company’s network, they would see only the encrypted data—a jumbled string of letters. “A network breach no longer has to mean a data breach,” says Ghetti.
Ionic’s software never stores the decrypted version of a document on a device’s hard disk. It performs the decryption at the moment a device moves text to its display. The software can be configured to protect certain information within a document from certain users, while leaving the rest unencrypted.
The same approach is used to protect the data entered into the messaging tools Yammer and Salesforce. What employees see is normal text, but to the service provider—or someone who breaks into the service—the data is encrypted.
“We deliver them at just the right time and in the right context that your experience isn’t changed,” says Ghetti. “No key that unlocks the data lives on your device.”
Although Ionic is only launching publicly today, several Fortune 100 companies already use it across their corporate networks, says Ghetti. It works best on PCs, he says, although Ionic is working with companies that make corporate software and apps to add better support for mobile devices. Ghetti says “some multibillion dollar software companies” are looking to use the software.
Ionic’s technology makes it distinct from more established encryption software, says Mike Gault, CEO of security company Guardtime. “It’s a very nice approach,” he says.
John Kindervag, a principal analyst covering security at Forrester, says Ionic’s model could prove attractive to many large companies. High-profile data breaches, like that at health insurer Anthem, and disclosures about U.S. surveillance practices, have made corporations more willing to spend on new ways to protect the data held inside their networks and entrusted to others, he says.
However, Ionic’s system is not without drawbacks. Because encryption keys are delivered over the Internet, it’s not possible to access information when offline or when using an Internet connection not approved by a company. That’s helpful if you left your company laptop on the subway, but it may prove an inconvenience in some cases.
Ionic also needs cooperation from many other companies for its system to work seamlessly on all kinds of devices and services. And just like any piece of software, it is possible that malicious code could be crafted to hijack its capabilities.