Most of the cybersecurity industry is focused on protecting data at rest or data in motion, but what about data in use?
On this week's episode of The Secure Communications Podcast, Enveil founder and CEO Dr. Ellison Anne Williams talks about her company's pioneering work in the field of homomorphic encryption, and how it is leading the charge in the category of privacy enhancing technology.
Listen to the episode to learn how the ability to protect data in use will drive innovation across a range of industries by improving access to information and enhancing collaboration in ways never before possible.
Welcome to the Secure Communications Podcast
Data in motion is complex, chaotic, and unsecure, but the ability to seamlessly communicate is what drives innovation, growth and progress. Discover how the leading minds in the fields of technology, cybersecurity and communications are tackling the challenge of securing data in motion, and gain insights into what’s new and what’s next on the Secure Communications Podcast. Each week, host Kathleen Booth interviews bold thinkers who are developing and/or employing transformational technologies to solve communication security challenges.
In this episode
Dr. Ellison Anne Williams is the Founder and CEO of Enveil, the pioneering data security company protecting Data in Use.
Building on more than a decade of experience leading avant-garde efforts in the areas of large-scale analytics, information security, computer network exploitation, and network modeling, Ellison Anne founded the startup in 2016 to protect sensitive data while it's being used or processed – the 'holy grail' of data encryption.
Powered by homomorphic encryption, Enveil’s award-winning ZeroReveal® solutions provide Trusted Compute in Untrusted Locations™, enabling previously impossible business functionalities for intelligence-led decision making.
Leveraging her deep technical background and a passion for evangelizing the impact of disruptive technologies, Ellison Anne has helped define and advance the Data in Use security space and cultivated Enveil’s capabilities into category-defining solutions that enable secure search, analytics, sharing, and collaboration.
In addition to her ongoing contributions as a cybersecurity mentor and thought leader, Ellison Anne has been recognized as an SC Media Reboot Leadership Innovator Award winner, a Woman to Watch in Security, and a CyberScoop Leet List Honoree.
She started her career at the U.S. National Security Agency and holds a Ph.D. in Mathematics (Algebraic Combinatorics), a M.S. in Mathematics (Set Theoretic Topology), and a M.S. in Computer Science (Machine Learning).
Listen, watch, or read
Want to hear Ellison Anne's insights on how privacy enhancing technology will change the way businesses operate?
Kathleen (00:01): Thank you for joining today's episode of the secure communications podcast. I'm your host Kathleen Booth. And today my guest is Ellison Anne Williams, who is the founder and CEO of Enveil. And I should say, Dr. Ellison Anne Williams.
Ellison Anne (00:19): Only when I'm in trouble.
Kathleen (00:22): Well, welcome to the podcast. I'm so excited to have you here because I'm really fascinated with Enveil's technology. And I'm also, I also just was so impressed to see that the company was chosen as one of the World Economic Forum's Technology Pioneers, which is an incredible honor, especially for a company as young as Enveil is. So with that as an introduction, I would love it if you could tell my listeners a little bit more about yourself and your journey, how you came to found the company, as well as what Enveil does.
Ellison Anne (00:53): For sure. So again, I'm Ellison Anne Williams, CEO and founder of Enveil. So Enveil is about three and a half years old as a company. Before that period of time, I spent about 12 and a half years or so at the National Security Agency and the Johns Hopkins Applied Physics Lab. And then before that, I spent some time collecting degrees. So being a highly technical background female, so PhD in math, pure mathematics, Masters in math, Master's in computer science and machine learning before it was ever the cool thing to do and to be. So that's a little bit about myself. In terms of the company itself, Enveil. So Enveil is a data security company. We focus completely on securing data in use when it's being used or processed. So what does that mean? So if you think about it, the way that people most often will meaningfully use or process data to extract those insights or that information is by running some kind of a search or an analytic over it.
Ellison Anne (02:02): So when we talk about securing the usage of data, we mean being concerned with the security posture of that search or of that analytic as it's being performed. So for example, we can do things like take searches, take machine learning models, encrypt them, and then go run them anywhere. Our software is installed without ever decrypting them at any point during processing. So as you can hear a little bit of in that high level description, this can completely change the paradigm of how and where organizations can securely and privately leverage data assets. And we can talk a lot more about that during our time together.
Kathleen (02:46): Yeah, I'm, I'm fascinated by this because, you know, having worked in cyber for a few years, and I'm not a highly technical cybersecurity expert, but you know, my exposure to the industry, all the conversation that I've heard has always been around data at rest and data in motion. And so this is one of the reasons I was interested in talking to you is, is your focus on data in use, which is this new area, or at least it seems new to me in terms of the attention it's getting. Why, why is it important to protect data in use? And, and is it that data, is it that protections for data at rest and in motion are not enough? Or is there some other reason that that's so critical?
Ellison Anne (03:28): They are different and they are complimentary. So if you think about data security or data period, it has three different states. So three big components of data security. So two of which you've just mentioned, right? So securing data at rest on the file system in the database, that also includes things like access control, for example. So that's one piece of what we call the data security triad. The second piece is securing it in transit. So when it's moving through the network communications. Secure communications fall in that piece of the triad. And then the third piece is what happens to that data when you go use it or you process it in some way? That's that search and that analytic component to it. So three elements. Securing data at rest, in transit and in use. They're all very different but they're all complimentary to each other.
Kathleen (04:22): So what is the risk inherent in not protecting data in use? What, what are the potential compromises that could happen? How could it be used maliciously?
Ellison Anne (04:37): So securing data in use represents a new horizontal commercial market. And I will answer your question via example. So one of the ways that we have been extremely engaged is in the financial services vertical, and specifically in the area of enabling secure data sharing and collaboration between two banks and across different jurisdictions that have privacy and secrecy regulations associated with them in a large multinational bank. So if you think about securing the usage of data, in terms of securely sharing and collaborating with data, say you've got a large bank and they have one jurisdiction in the UK and another one maybe in Singapore, and they want to be able to check and see, I see this customer, her name is Christina. She's coming to be onboarded at my UK branch of my bank. I want to know if any of the other jurisdictions in which my bank operates know anything about this individual at all.
Ellison Anne (05:42): But the issue is that looking for Christina and her information associated with her, like her place of birth or address things like that are actually very protected and regulated pieces of information. So they can't just be exposed in a Singaporean jurisdiction, for example. So we can take that inquiry or that search for Christina in the UK, encrypt it within the walls of the bank, send it over to the Singaporean branch, for example, and then have that search run without ever being decrypted in that other jurisdictional environment. Meaning none of that UK regulated and protected information is actually ever exposed out of the UK in the Singapore jurisdiction, but it can still be processed in its encrypted state. Encrypted results are produced as they're sent back to the originator in the UK where they can be decrypted and further consumed. So that bank over in the UK can obtain the insights from a jurisdiction like Singapore using very sensitive, protected information in the UK without ever exposing it outside of those walls. So that's why it's so important to protect data while it's in use, because it is business enabling, opening up these use cases that were never possible before.
Kathleen (07:03): So is it effectively a, well, let me back up, it sounds as though for this to be put into place, it requires probably what is an incredibly complex set of rules. In other words, governing what data can be seen by who. Would that be accurate?
Ellison Anne (07:24): You always want some access control on your data. That's back to the data at rest portion of that. So for us, we're going to respect whatever access controls and access provisions and auditability provisions that, that data owner, no matter who they are, bank, healthcare organization, et cetera, has put in place for their data. And that's very, very important. So are there a lot of governing pieces that are required? Not really. But there are some, and those already exist within those types of regulated environments and we overlay and respect all of those governing elements in order to enable this kind of, for example, secure data sharing, to occur in this completely decentralized way. So in other words, data stays in UK. Data stays in Singapore and you still allow the usage of it while still complying with all of that governance. That's dictated by the regulatory bodies in those jurisdictions.
Kathleen (08:23): So this also sounds like it would have some potential applicability in, for example, healthcare with patient data. Is that an industry that you're involved in or you foresee being involved in?
Ellison Anne (08:36): I think there's tremendous opportunity within healthcare under that macro umbrella of secure data sharing and collaboration because health data is extremely sensitive. And when you start talking about getting a good global picture of what's going on from a health standpoint, in terms of diagnosis or development or things like that, then sharing that data is very, very important. But because of the sensitivities, you can't all combine it in one place because where would you put it right? Or regulatory standpoint. So being able to leave it in its originating location. So in a completely decentralized way, however, still allow it to be used and derive those insights in such a way that respects the security and privacy of those patients over that health information and the regulatory bodies within those countries is very, very important. And it's an excellent business enablement of a secure usage of data.
Kathleen (09:32): Yeah, it sounds to me like it, it changes the world that we live in from a, from a binary world in which you either have access to the data or you don't, to a much more nuanced place where you have access to just those portions that you need while never taking ownership. Does that makes sense?
Ellison Anne (09:52): Yes, that's correct. It opens up a whole new world of what is in the land of the possible today in terms of leveraging that data, wherever it may live, in its fullest form.
Kathleen (10:05): So you call this homomorphic encryption, correct?
Ellison Anne (10:10): So homomorphic encryption is what powers our capabilities. So homomorphic encryption, I'll define it for you. It's very actually simple in definition, but it's very powerful, which is why it's often considered to be that Holy Grail of encryption. But homomorphic encryption allows you to perform computations in the encrypted domain or cipher text space as if it's in the un-encrypted world or the plain text space. So for example, using homomorphic encryption, if I encrypt the number three and I encrypt the number two and I multiply those things together, and then I go decrypt that product, then I get the value of five on the other side. In other words, something meaningful when I go decrypt it, if you take any other type of encryption, say AES 256, and you encrypt three and you encrypt two and you multiply those things together and then you go decrypt it, you get absolute garbage. That's the power of homomorphic encryption. So in concept, it's very simple.
Kathleen (11:18): Why has this not been available before?
Ellison Anne (11:22): That is a great question. So homomorphic encryption is not new. It's been around about 35 years at this point, but it's been up to probably about five years ago, four years ago when we started the company. Computationally, impractical. So possible, but not practical. And so being possible is not good enough, right? For commercial use cases to really add that business value, it actually has to be practical, practically usable. So, breakthroughs that we had in homomorphic encryption and the way that you leverage homomorphic encryption took it from the land of the impractical to actually being ready and practical today for a wide range of use cases.
Kathleen (12:08): And is this something that has been used in, historically, was it used in the government more because of the difficulty of commercializing it or, and is it now only just being commercialized? In other words, or is it, are we taking something that has been in use and bringing it to the private sector or is it really new to government as well?
Ellison Anne (12:23): Well, historically it's not been computationally practical for really anybody, okay? So if it's not practical, it's not going to be used very effectively. However, because of its power, and I only gave you one use case and we talked about financial services a little bit, a little bit about healthcare. We could go on for a very long time about how this is paradigm shifting in a number of ways, but because of that kind of power, it's been pursued for a long time. So it's been a very active area of research in the community for many years, trying to drive it toward practicality, because wow, if it were practical, I think of all the things that you could do, which is exactly what we're doing as a company now. So was it in use? No. Were people actively really trying to work on it? Absolutely. Yes.
Kathleen (13:16): So whenever we talk about encryption, one of the questions that comes up is how hard or easy is it to break that, correct?
Kathleen (13:25): Especially, you know, just did one of my last interviews. I talked to Ron Gula about quantum computing and how it's not here yet, but it will be at some point. And so these are things we need to be thinking about now as we encrypt data. So when it comes to homomorphic encryption, how, how strong is it? Is it something that, that will be able to live on through the quantum computing age and, and what do you see in the future as far as its applicability?
Ellison Anne (13:51): So there are many different types of homomorphic encryption, and they are extremely secure. So nation state level secure. And there are a variety of ways that you can ensure that to be the case. So that's the first answer. The second, in terms of quantum, there are types of homomorphic encryption that are lattice based cryptography and that those are believed to be quantum resistant. So, yes.
Kathleen (14:19): Okay.
Ellison Anne (14:20): All good on the security of HE.
Kathleen (14:22): Checking that box. Right. so, so you mentioned there are so many different ways this could be used. I would love to hear, when you think about what gets you most excited when you get up and go into work, and you think about the possibilities or how this could be used in the future, what, what are you most excited about?
Ellison Anne (14:37): Well, gosh, many, many things. So we've talked about security, enabling secure data sharing and collaboration. I think that that is extremely, it's also extremely horizontal. So that could be financial services. That could be healthcare. That could be clouds. That can be oil and gas. Anywhere you have data and you want to share and collaborate in a way that respects the security and privacy. This allows that to be possible in a way that was never possible before. So that's extremely exciting. A Use case umbrella that we haven't talked about that I think is particularly exciting is in enabling secure data monetization because it's creating new revenue streams. So large enterprises organizations are always looking for ways to create new revenue, and that's never more true than today. And so one of the ways that they did that is they often look internally to their own data assets and say, how can we create new revenue streams on top of our data assets? In other words, monetize them.
Ellison Anne (15:40): And then the next question that comes after that is, okay, well, how would we do that in such a way that would respect the security and the privacy of those underlying data assets, as well as the security and privacy of the users of the monetization platform that we would create? And typically, that's where it stops because there, there really aren't great ways to do that for certain types of data. However, we enable that with these kinds of capabilities, for the secure usage of data to be uniquely possible. So opening the door for these new revenue streams, and enabling secure data monetization, I think is extremely exciting as well.
Kathleen (16:21): That is really interesting. And I've worked with several different companies that, that are commercializing data or selling data. And, and it sounds as though this is something that could really be built into to their platforms, but then also, what I find intriguing about it is that it opens up new possibilities for even pricing structures. You know, how you set up access to data platforms and, and giving more discrete options for people to, or to purchase in to specific segments of the data that are most applicable to them, as opposed to buying a prepackaged tier or offering and having data that maybe they don't need, but that's just part of the package. Does that make sense, is that, is that a possible use case for it?
Ellison Anne (17:13): So in terms of being a data aggregator we certainly don't do that as a company. And secure usage of data doesn't equal that aggregation. That's, it's something complimentary but a little bit tangential. I think what it does enable in the world of data aggregation or data lake or data marketplace is a decentralized form of that. So, and, and instead of having to centralize all of the data for a data lake, a data marketplace, you can leave it in its points of origination, which respect those kind of regulatory requirements or sensitivities around the creation of data, and then push your utilization of that data, your search, your analytic out into that data location in such a way that the security and privacy at all points is respected. So I think it allows and enables a different fabric and structure for a data lake that ultimately allows you to have better usage and utility and a richer type of insight that you can derive from the data resources that would be available in that platform.
Kathleen (18:26): How accessable is the technology to the marketplace? Meaning, is this something that you need to be a very large, you know, Fortune 100 company to use? Or, or, and I guess my question is really in two parts, how accessible is it now? And eventually how accessible do you foresee it becoming?
Ellison Anne (18:41): So it's extremely accessible today. So what we do is provide lightweight software applications. So in order to secure the usage of data, you deploy our software applications, we integrate with several things very easily and through API. And basically that's it, it's away you go. And it's GA and it has to be JLL on time and all kinds of certifications associated with that software. So today it's very easy. It's very GA. You can buy it, et cetera. Now in the future the, the vision is of course, as you create this new commercial market for the secure usage of data, securing data in use because either where the tech doesn't exist at all, or it doesn't exist in a practical form, which was the case with ECI, nor does the commercial market. So the minute it exists in a practical form, now we get to have the privilege, the challenge, of creating this new commercial market securing the usage of data. And so the end state vision of that is eventually, these capabilities become ubiquitous because it's the way that you do share and collaborate. It's the way that you effectively monetize data resources, et cetera.
Kathleen (19:55): It also seems like the regulatory frameworks around the world are driving in this direction. Increasingly. I mean, when I think about Europe and some of the privacy regulations they've been putting in place, and we have States like California moving more in that direction here, I feel like this is the way the world is going. And, and you're so well timed to be able to enable it more effectively, particularly for organizations that, that span multiple jurisdictions, if you will.
Ellison Anne (20:19): Correct. And the regulators are really leaning into this in the commercial world and in particular in financial services. So the FCA, financial conduct authority, which is the regulator out in the UK, put on a, ran what they call a tech sprint, which is a really collaborative effort between banks and innovative companies with new technology solutions around a specific problem set. So for the FCA, they had a tech sprint last summer that was centered around privacy enhancing technology. So privacy enhancing technology is just an umbrella term for a family of technologies that enable and enhance privacy while you are using or processing data, securing the usage of data. Homomorphic encryption is one of those secure. Secure multi-party compute is another. Trusted execution environment. Enclaves is another one. Those are kind of the main three that you would think about, but they recognized the power of privacy enhancing technologies of homomorphic encryption and said, Hey, can we explore and develop solutions in conjunction with the banks around
Ellison Anne (21:30): how can privacy enhancing technology solve major problems in the money laundering world? Because that problem represents 2% of our global GDP. So it's a big problem space. And so they put on the tech sprints and we solutioned for, along with HSBC and Barclays and ING and E and Y and Definitive, the KYC CDD use case. So know your customer, customer due diligence. So it's that use case that I just gave you earlier, where you've got somebody that walks up to a bank and they want to onboard, and who are they? Like, how do you do due diligence on them and make sure that they are in fact reputable? They're not trying to launder money through your system. So we solutioned for that use case. We won that use case out in the UK for the FCA simultaneously FINSIN. So are you talking about regulator in the US ran a tech sprint around privacy enhancing technologies? We also won that use case. So why do I say that? A couple of things. One of course, it's a testament to the fact that our capabilities are very powerful and impactful in that use case. But two, you see direct regulator lean in around embracing these new technologies that are now ready for mainstream and that are now in a practical capacity.
Ellison Anne (22:45): You mentioned the World Economic Forum at the top, right? We were just named. I can't forget that. Right?
Kathleen (22:51): It's amazing.
Ellison Anne (22:53): We were just named by the World Economic Forum to be one of their 2020 Technology Pioneers. And that's a huge honor for us because they selected a hundred companies globally. It's a two year honor, by the way. So a hundred companies globally, only six of which were cybersecurity, security companies. And out of that six, we were the only company solutioning around privacy enhancing technologies to secure the usage of data. So huge, huge honor.
Kathleen (23:22): Yeah. And it really speaks to not just the commercial potential of the business, but really the geo, the geo political and economic impact that you can have around the world, which is why I was so interested to learn more about it. It's, it's fascinating. It really is. And, and it does seem as though the potential for changing the way organizations do business, changing the way governments streamline information sharing, I mean, talk about a huge challenge that has not yet been solved. Filling out the same form a thousand times across different parts of our government. I mean, I think even now in a time like COVID-19 when you have people filing for unemployment and, and, you know, facing days of, of wait times to file their forms. And I just, my head is sort of exploding with, if this were something that were already in place, how could it have really changed our experience in the last several months and streamlined the ability for people to, to file unemployment and get paid quickly?
Kathleen (24:20): I'm sure there are thousands more use cases, but that's one that immediately springs to mind that's a pain point for a lot of people right now. So it's great. Well, changing gears for a minute. Outside of the work you're doing with Enveil and outside of homomorphic encryption, and some of the things that you're doing with data in use, with the way that we communicate and manage data changing so quickly in the world that we live in today, what do you see as the biggest challenge that we're going to face in the next few years?
Ellison Anne (24:53): I think the biggest challenge we're going to face, and it dovetails back into, of course, what we're seeing, is around the global demand for privacy and the regulatory requirements that are following that. Because if you talk about anything with data, with communication, with storing it, with using it, you have to respect the privacy implications of that. And that's never more true than today. And we've never seen it grow with the same rate. And so that has implications for how you communicate, how and where you're able to store data with that, a residency and localization types of requirements. And then finally, you know, how you use data. So I think that surge of privacy and the regulatory requirements that are following that are going to change everything
Kathleen (25:47): Now, outside of Enveil also, are there any particular companies or individuals that, that you think are doing really interesting or forward-thinking work in the area of privacy enhancing technologies?
Ellison Anne (26:01): Hmm. That is a good question. And we've certainly seen people start to solution in this space. So one of the ways that we know that we are succeeding in creating this new emerging commercial market, because when we started the company three and a half years ago, we looked around and guess what? It's only us, right?
Kathleen (26:23): You can't have a category of one, right? There needs to be an ecosystem.
Ellison Anne (26:26): It's really only on us. We were the, this was, this was never more apparent than the RSA Innovation Sandbox back in 2017. So we were the youngest company ever to be in the Innovation Sandbox. And so we thought, well, this is a great opportunity at the very least to get up and tell our story at the Sandbox. But typically, companies are where we are today or later, a little bit later stage before they ever make it into the Sandbox. So we made it in and stood up there and said, Hey, we've got breakthroughs. And this really powerful capability called homomorphic encryption, the Holy grail of crypto, it's going to change everything. And everybody went, wow, they're, they're the only people saying that.
Kathleen (27:08): Is it real?
Ellison Anne (27:08): Is it real? Does it work? That can't possibly be true? It sounds like magic, right? It's not magic. It's just math, but it was that journey.
Ellison Anne (27:17): So now it's very different. So homomorphic encryption, it's, it's very buzzy. Privacy enhancing technologies are, are important. They're recognized. They're breakthroughs in them. They're practical. And so as a result, we're seeing a landscape of people solutioning around it. And to us, that is an extremely positive sign.
Kathleen (27:37): So any, anyone in particular stand out?
Ellison Anne (27:42): Not to me yet. No.
Kathleen (27:45): All right. Well, we're going to have to keep our eye on that then, and maybe I'll come back to you in a few months or a year, and we'll, we'll see if that changes. That's how, you know, the category is really firming up. Right?
Ellison Anne (27:53): There you go.
New Speaker (27:56): Alright. Well, thank you so much for joining me this week. It's been fascinating. I'm really, and I can't wait to see where you go with this and how it honestly changes the world around us. And if you're listening and you enjoyed this episode, of course, please consider leaving the podcast a review on Apple Podcasts or wherever you choose to listen. We want to hear from you. And if you have an idea for a future episode, please Tweet us at @attilasecurity. Thank you so much, Ellison, and this was really interesting.
Ellison Anne (28:25): Well, thank you for having me. I appreciate it.