Connect with us

Hi, what are you looking for?


Cloud Security

StrongSalt Eases Pain of Searching Encrypted Data in the Cloud

StrongSalt Helps Customers Gain Compliance Through Searchable Encryption for Cloud Services and Enterprise Applications

StrongSalt Helps Customers Gain Compliance Through Searchable Encryption for Cloud Services and Enterprise Applications

Encryption is often described as the best defense against hackers, and the strongest solution for compliance with GDPR, CCPA and other data protection and privacy laws around the world. 

But encryption is hard on two counts. First, while peer-reviewed cryptographic algorithms are strong, their implementation is often poor. As long ago as 1997, cryptographer Bruce Schneier warned that cryptography is harder than it looks because the systems using it are designed by engineers who think of cryptography as just another component. “Under pressure from budgets and deadlines,” he wrote, “implementers use bad random-number generators, don’t check properly for error conditions, and leave secret information in swap files.” Nothing much has changed.

StrongSalt LogoThe second issue is the usability of encrypted data. Data scrambled to be unusable by cybercriminals is equally unusable by the company owning the data. For these two reasons, many companies who know they should encrypt their users’ personal data simply do not.

There is a solution to the second issue called ‘searchable encryption’. This is a special subfield of cryptography that has been around since 2000 — but it has its own difficulties. These are it is generally difficult or costly to implement, and is then slow in operation. “Existing systems can achieve what they claim to achieve,” Ed Yu, founder and CEO at StrongSalt, told SecurityWeek, “but they’re just too slow.”

These are the encryption issues tackled by StrongSalt, founded in 2015 by Yu, who was formerly the founding engineer at FireEye. The chosen route has been to develop a Privacy API platform to make implementing searchable encryption easy. Just as Stripe adds payment functionality and Twilio adds CMS functionality to third-party apps, so StrongSalt offers the ability to add searchable encryption to any app using any storage for any company.

The product was announced at the AWS re-Invent 2019 conference in Las Vegas. “We’ve been working on it for four years,” Yu told SecurityWeek, “and have a number of our own patents. We’ve achieved what we think is the perfect balance of security and usability. We can allow anybody who needs their data to be completely private through encryption, but simultaneously needs to search and process it, to be able to do so. All they need is the right search keys and they don’t have to decrypt it. Encryption,” he continued, “becomes transparent to the owner, but only to the owner.” Anyone else just sees the garbled data.

The purpose is to remove the friction that accompanies the use of encryption, whether that’s managing the keys or processing or sharing the data. The prime function — the ability to process encrypted data — can be achieved in either of two manners, which Yu calls the naive and complex routes. “Since you can now search your encrypted data,” said Yu describing the naive approach, “you can now locate exactly the data you wish to process. So, from a huge dataset, you can pinpoint the precise subset that matches a query — for example, all the data on a specific customer.” From here, the approach is to decrypt and process just that subset.

Advertisement. Scroll to continue reading.

The complex method is complex only in that it requires the IT team to incorporate the StrongSalt API into the way they process data. “Our system works with an encrypted index,” explained Yu. “When we search on this, based on its mathematical properties, we can search without needing to decrypt it. The structuring of the index allows direct processing on the encrypted data.”

Key management is an important and sometimes difficult part of encryption. StrongSalt provides two options. In some cases, the customer wishes to keep full control of its own keys. “But we can make it easier,” said Yu. “We can help the user rotate the keys, make backups of the keys (all encrypted so we never see them), and we do this through the API. So, the customer controls the keys, but we help with that control.”

The second option is to offload key management to StrongSalt. “We encrypt the keys and keep them fragmented. The master key is protected by hardware. From the master key we generate other keys, the sub-master keys, and from them we generate the encryption keys. This allows multiple layers of encryption for the keys, each of which can be stored separately.” This is all hidden from the customer, who doesn’t need get involved. 

The StrongSalt API is storage agnostic, and will work with any storage already specified by the app. So, if a customer uses and wishes to continue using Box, or AWS or Azure, it can do so. However, “in some cases,” continued Yu, “the customer chooses to use our own storage back-end.” This comprises storage within multiple cloud providers. 

“In these cases,” he said, “we use blockchain to chop the data into many different pieces and then use an algorithm to disperse it around different cloud systems. Blockchain is used to keep track of all the different pieces so that the files can be reconstructed when needed.”

Blockchain is also used to keep audit records, where data sharing, opening, creating, deleting and moving are recorded. “We can verify and audit all such actions in an immutable blockchain journal.”

But seeing is believing, and Yu understands this. For hands-on demonstration purposes, he has created a StrongSalt stand-alone app for Android and iOS. Called StrongVault, this is available free of charge from the official stores. Not only is it free of cost, it is free of all other encumbrances. Users do not need to register or provide any personal information. Encrypted data goes straight into the StrongSalt storage back end, and since StrongSalt has neither user details nor encryption keys, it knows nothing about the user nor the data. While this was developed as a demonstration of the StrongSalt Privacy API for enterprises, it is effectively also a gift to consumers who might want searchable encryption for cloud-stored sensitive data from their phones and tablets.

Related: Data Security Startup Enveil Unveils Homomorphic Encryption Platform 

Related: Hadoop Data Encryption at Rest and in Transit 

Related: MongoDB Introduces Client-Side Field Level Encryption to Aid Compliance 

Related: US Attorney General Says Encryption Creates Security Risk

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...