“We think this is an empowering approach to data security”: meet LORCA member Kinnami //14.02.20
Kinnami, which is a member of LORCA’s fourth cohort, has developed a next-level encryption product called AmiShare, which breaks data down into tiny fragments – each with its own key. To get a full picture of sensitive information you’d have to access and then decrypt each fragment individually – a big task even for the most sophisticated and dedicated hackers.
AmiShare could also change the culture surrounding data governance. It allows an individual person – who may or may not have an IT function – to be an admin and assign access as they please, creating a bespoke web of security walls that can be put up or taken down quickly. This is particularly useful in a corporate setting where a company wants to encourage collaboration without allowing sensitive data to get into the wrong hands.
Looking ahead, the company has product development ambitions that could help put individual consumers in the driving seat of their data – and challenge the current power dynamics entirely. We spoke to Sujeesh Krishnan, CEO of Kinnami, to find out more.
How does AmiShare protect data?
Our technology is a distributed secure storage platform that allows people to organise, view and use their data files without having to account for where the files may actually be stored. Meanwhile, admins manage the dispersed storage of data at random endpoints, including removable devices, servers, data centres or the cloud.
When someone tries to access a file, AmiShare determines the fragments needed to satisfy the access request and then identifies the best place to get the fragments. These are then decrypted and recombined to make up the file.
It also creates a snapshot of the particular file version, which is available to whoever created it. It can determine exactly which version of a file was accessed, who accessed it, the storage location and the access location. This means that if there is a breach, you can determine exactly what was breached rather than relying on arbitrary file names.
Why is this a more secure approach to encryption?
Our approach to encryption is to break up documents into fragments and encrypt each individual fragment. So if somebody wants to get in they have to get encryption keys for each fragment, which is a lot harder than just having to get a single key. And even if they get one key, all they’ll really have is a fragment of information that could be meaningless on its own.
And how important is encryption when it comes to an organisation’s overall security strategy?
Fullproof security doesn’t exist. And besides, encryption is just one tool to provide security. It’s almost always necessary but not enough on its own. You need proper authentication of the identities participating in the information exchange, as well as auditing, to prevent denial of access attempts.
What are the potential applications of AmiShare for industry?
Any system that requires data to be stored on multiple machines could benefit from this, but we’re targeting enterprises that need to store and exchange particularly confidential data when collaborating, especially in regulated industries like financial services, healthcare, legal, consulting, supply chain management, government, the military, academia. It’s also useful for IoT connected devices where data sharing is inevitable.
But how safe can data ever be from decryption techniques, even in scenarios like healthcare where the data is especially sensitive?
Some encryption algorithms can be broken more quickly than others, so yes encrypted data isn’t always 100% foolproof.
There’s also a fundamental problem with data centre storage, whether in the cloud or a private server, because the information has to be sent across a network and is decrypted in the process. This makes files vulnerable to being attacked or read by a server admin.
In a health setting, for example, patient health records and other confidential information could be read by someone that the patient doesn’t know because the patient doesn’t control the encryption keys (if there are any) being used to protect them.
“The public is slowly becoming more aware of data governance issues in the wake of high-profile breaches”
So how could AmiShare be used in a scenario where there’s particularly sensitive information?
Our solution transmits data when it’s initially created and when it’s read using an encryption key that’s only known to the person who created it. Server administrators can administer where the data’s stored, distribute it and ensure there are backups for disaster recovery, but they can’t actually read the data unless they’re given explicit permission.
This is enforced by an auditing system that thoroughly records the access history of data. We think this is a fundamentally a better way to protect someone’s most private information.
Do you believe a person’s data belongs to them, and that they should be in control of it?
It’s a complicated question. From a user perspective, we’re able to give individuals more control over who sees what, and when.
Going back to the health example, who really owns the patient’s confidential information? If it’s the patient, shouldn’t they control its access?
Or in a business setting where a company is in the midst of a merger or acquisition process, executives will want to protect confidential company information from others in the organisation – including the IT team, who typically have access to everything. Our solution allows for these nuances: an executive can enable IT to fulfil its role while deciding what information snapshots they see.
In effect, it allows people to control who has access to critical information, monitor usage and adjust that sphere of access as they see fit. We think this is an empowering approach to data security. But whoever has control, it should not be ambiguous.
How simple is this for people outside of an IT department to use?
In an enterprise setting, the admin is able to track usage, do more complicated analysis and control access. They can delegate control and essentially break up the problem by assigning access to users. This helps break down some of the complexity.
As for the user, the front end is very simple: it’s just another drive on your computer and there are no new tools to learn.
What about the individual, is the solution easy for someone outside of a business setting with minimal technical knowledge to grasp?
Our focus so far has been on enterprise security so the interface as it stands now is probably not ideal for individuals. But in time, that is the goal: we want it to be simple enough for anyone to be an admin.
Are individual people starting to crave this level of control, or is that cultural shift a long way off?
The public is slowly becoming more aware of data governance issues in the wake of high-profile breaches. There’s more concern about monolithic corporations holding people’s data, especially when personal information like social security numbers are breached or you see companies like Amazon and Google monetising people’s data. Right now, people have very little control over access.
My sense is that over the next three to five years, levels of public awareness will grow – leading up to a groundswell. But we do need more awareness building and education aimed at the consumer market for demand for personal cybersecurity solutions to rise. At Kinnami, we’re particularly interested in partnering with companies in industries like health, banking and insurance to lead this movement together.