The PETs category includes technologies that protect, preserve, and enhance data throughout its processing lifecycle — technologies that have been studied deeply for decades. Homomorphic encryption (HE), for example, became broadly recognized thanks to
research published by Craig Gentry in 2009. The timing of the story is similar for secure multiparty computation (SMPC) and trusted execution environments (TEEs). What has changed more recently is the practicality of their broad use at scale. Breakthroughs largely driven by market need and motivation have firmly taken these technologies from the realm of research to commercial readiness. These advances are being driven by a growing ecosystem of VC-backed startups, well-funded research components of global organizations, and academia.
There are
a number of great examples of PETs being implemented at scale today. They are enabling cross-jurisdictional data sharing for Know Your Customer screenings and fraud investigations. They are allowing organizations to privately leverage third-party data assets without pooling or replicating data. They are facilitating more accurate risk assessment modeling by expanding the number of accessible data sources. They are protecting sensitive indicators and speeding time to value for applications at the processing edge. In short, PETs are making entirely new things possible across a growing number of industries by overcoming regulatory, organizational, security, and national boundaries to accommodate secure data usage and collaboration in ways that are not otherwise possible.
The power of PETs lies in their ability to protect data while it's being used or processed — when searches, analytics, and machine learning models are being run over data to extract value. This is different from, and complementary to, other traditional measures that protect Data at Rest, such as in the file system or database, or Data in Transit as it moves through the network. While there are many effective, established solutions for protecting Data at Rest and Data in Transit, if organizations want to be able to safely and privately extract value from data assets, these traditional protection strategies are not sufficient. Further, PETs do not replace existing solutions protecting Data at Rest and in Transit; they work alongside them to protect the final segment of
the data triad, Data in Use.
In an emerging category like PETs, there is a tendency to pit technologies against each other to evaluate which technology reigns supreme. The reality is that these technologies each offer unique attributes and choosing the right ones depend entirely on the use case requirements, infrastructure, and the desired level and type of protection. PETs can, and often do, work together. For example, organizations can use a SMPC capability that leverages HE and vice versa. Or, SMPC and HE techniques can be leveraged in conjunction with a TEE. Organizations looking to utilize PETs should explore all the options available and educate themselves to determine the best fit. Commercial PETs companies, regulatory bodies, industry consortiums, market analysts, researchers, and other third-party groups have a role to play in these efforts to build awareness and enhance understanding. Likewise, those working in PETs space need to recognize and embrace the role we play in educating the market, in helping differentiate the technologies and explaining their often complementary nature, and do so in a way that acknowledges that the adoption of any and all PETs will best serve to address global privacy challenges.
PETs have a long and rich research history and, as such, many PETs are part of an active ecosystem which includes open source research libraries and algorithms. While it is fantastic to have a research foundation upon which to build, it is also important to remember that these elements are not ready-to-use commercial offerings. For example,
HE libraries provide basic cryptographic components, but organizations leveraging them must dedicate engineering, algorithmic, and integration resources in order to mature the basic building blocks into viable, enterprise-grade solutions. Likewise, SMPC libraries offer basic algorithms and TEEs are built into many chips and cloud environments today, however, there is much work and deep expertise required to take these fundamental elements and build practical, commercial offerings to protect Data in Use at scale. That’s the value that commercial PETs software providers bring to the table: deep PETs knowledge and off-the-shelf capabilities that are ready to deploy and use today to solve real problems. The open source research landscape is an awesome tool for advancing innovative technologies and the PETs category has certainly benefited from the efforts of numerous contributors. But, these PETs research efforts are just the beginning of the story. Commercial solutions advance and give these research efforts the ‘wings’ required to add real, measurable value.