APPLICATIONS OF TECHNOLOGY:
- Data security and privacy for data containing sensitive information, such as personally-identifying information, proprietary information, and/or other regulated or sensitive data sources:
  - personal health information, such as health records
  - financial information
- Secure data storage, e.g., cloud service providers, hospitals/health care service providers, banks/financial services providers
ADVANTAGES:
- Stronger security and privacy, including protection from insider attacks and negligence
- Improved usability
- Scales to HPC levels
- Generality for the programmer/researcher
- Performance comparable to computing in cleartext
BACKGROUND:
Systems have been limited in their ability to provide secure data storage environments because high-security data protection measures cause significant usability problems. Traditionally, system administrators, and anyone with network or physical access to the machine or to the sensitive data, must be trusted.
A new Berkeley Lab solution increases security while also maintaining performance and usability. This new technology eliminates the risk of trusting the system administrator while reducing the liability exposure of the data center to assertions of security negligence or insider attacks, thus providing significantly greater confidence to sensitive data set owners that the data will not be exposed or altered. Using well-founded component parts and techniques, this invention affords the next level of enhanced data security for cloud-based service providers.
ABSTRACT:
Berkeley Lab has developed a scientific computing environment that leverages trusted execution environments (TEEs) in combination with privacy-preserving technologies. TEEs protect data through hardware isolation from other processes on the system and encryption of the data in memory and during computation. The Berkeley Lab technology strategically combines hardware TEEs, multiparty computation techniques, and/or blockchain smart contracts. The technology is configured in a distributed manner that enables a more user-friendly approach for handling data storage and retrieval operations.
Within the architecture, sensitive data can only be computed on inside the TEE, and similarly, sensitive data cannot leave the TEE except as permitted by output policies enforced by “data guards” within the TEE. This environment defends against threats ranging from traditional “outsider” attacks to “insiders” with privileged access to computer systems, such as system administrators. The code analyzing the sensitive data does not need to be trusted, as it is sandboxed and its output is passed through an output policy.
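The data-guard idea described above, as an added illustrative simulation that is not Berkeley Lab's code: untrusted analysis code runs on a copy of constructed sample records, and every result must pass an assumed output policy (a minimum group size and a ban on identifier fields or values) before it is released. A real deployment would run the guard inside a TEE; here it is plain Python.

```python
from copy import deepcopy
# Constructed sample records standing in for sensitive health data.
RECORDS = [{"patient_id": f"p{i:03d}", "age": 30 + i, "cholesterol": 180 + 5 * i}
           for i in range(8)]

class PolicyViolation(Exception):
    """Raised when a result may not leave the protected environment."""

class DataGuard:
    # Sits between untrusted analysis code and the outside; enforces the output policy.
    def __init__(self, records, min_group_size=5, forbidden_fields=frozenset({"patient_id"})):
        self._records = records
        self.min_group_size = min_group_size
        self.forbidden_fields = forbidden_fields
        # Identifier values may never appear in output, whatever key hides them.
        self._secret_values = {r[f] for r in records for f in forbidden_fields}

    def run(self, analysis):
        # Untrusted code works on a copy, so it cannot alter the guarded data.
        result = analysis(deepcopy(self._records))
        self._check(result)  # nothing leaves without passing the policy
        return result

    def _check(self, result):
        if not isinstance(result, dict) or not isinstance(result.get("n"), int):
            raise PolicyViolation("only keyed aggregates with an integer record count 'n' may leave")
        if result["n"] < self.min_group_size:
            raise PolicyViolation(f"aggregate covers only {result['n']} records")
        self._scan(result)

    def _scan(self, value):
        # Recursively reject forbidden keys or raw identifier values anywhere in the result.
        if isinstance(value, dict):
            for k, v in value.items():
                if k in self.forbidden_fields:
                    raise PolicyViolation(f"field {k!r} may not leave")
                self._scan(v)
        elif isinstance(value, (list, tuple, set)):
            for v in value:
                self._scan(v)
        elif value in self._secret_values:
            raise PolicyViolation("raw identifier value in output")

def mean_cholesterol(rows):
    """Well-behaved analysis: an aggregate over all rows."""
    return {"n": len(rows), "mean_cholesterol": sum(r["cholesterol"] for r in rows) / len(rows)}

def leak_rows(rows):
    """Misbehaving analysis: tries to smuggle raw records out alongside a count."""
    return {"n": len(rows), "rows": rows}
```

The simulation trusts the self-reported count `n`; a production guard would derive the group size itself rather than accept it from the sandboxed code.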
BENEFITS:
Although this subject invention uses well-founded component parts and techniques, this new combination, as a solution to the industry-wide problem of data security in the big data age, has a strong advantage over current technologies. This invention affords the next level of enhanced data security for cloud-based service providers, which is where the IT market is heading, as only they can manage the huge amounts of data being aggregated. As strict privacy is legally required for individuals’ health and financial data, the ability to move retention of such data to cloud service operators will reduce IT operating costs for health and financial companies.
LBL PRINCIPAL INVESTIGATORS: Sean Peisert
DEVELOPMENT STAGE: Proven principle
IP STATUS: Patent pending
OPPORTUNITY: Available for licensing or collaborative research.
SEE THESE OTHER BERKELEY LAB TECHNOLOGIES IN THIS FIELD:
Identifying Computational Operations Based on Power Measurements 2016-053