
Encryption, Deduplication and Making Sense

Recently, I was in a meeting with the CIO of a leading Bay Area company when he interrupted my cloud security presentation and said, “Encryption, Global Deduplication and Making Sense. You can only choose two of them.” This statement is probably true for 99% of the vendors out there, but it did give me pause for a moment. But then I got a wicked smile on my face, as I began to explain how Druva is different.

A global deduplication algorithm needs not just the hash of the new block but also information about the existing blocks in their original (non-encrypted) form. Unless the cloud stores the encryption keys, it is simply impossible to deduplicate the data. When other vendors claim deduplication in software or in the cloud, they most likely either have a common encryption key for all users stored in the cloud, or simply fake deduplication.

At Druva, we took a different approach, developing an innovative concept called “two-factor encryption”, which in simple terms works like a bank locker system. Both the user and the cloud hold their own part of the key, and only when the user authenticates can the cloud (in that very session) perform encryption and in-line, global deduplication.

This is how it works: each user’s key is their own password, and for each user the cloud stores a unique token that is further encrypted with that user’s password. So at no point does the cloud have the full encryption key, and it is locked out of accessing the data. When the user authenticates, the password is used to decrypt the token, which in turn authenticates the user as well. The decrypted token (with some additional details) is then used as the encryption key and also to perform in-line global deduplication.
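A minimal sketch of the password-wrapped token described above, added here as an illustration and not Druva's code. The PBKDF2 parameters, the record layout, the function names and the HMAC-based stream cipher (a standard-library stand-in for a real cipher such as AES-GCM) are all assumptions.

```python
import hashlib, hmac, secrets

ITERATIONS = 200_000  # constructed work factor for this sketch

def _derive(password, salt):
    # Split one PBKDF2 output into an encryption key and a MAC key.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return raw[:32], raw[32:]

def _xor_stream(key, nonce, data):
    # Stdlib stand-in for a real cipher; production code would use AES-GCM
    # or AES key wrap. Keystream block i = HMAC-SHA256(key, nonce || i).
    stream = b""
    for i in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def enroll(password):
    """Return (record the cloud keeps at rest, token). The token is handed
    back only for the demo; the cloud would discard it after wrapping."""
    token = secrets.token_bytes(32)
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive(password, salt)
    wrapped = _xor_stream(enc_key, nonce, token)
    tag = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "wrapped": wrapped, "tag": tag}, token

def authenticate(record, password):
    """Unwrap the token. A valid tag authenticates the user and yields the
    session key; a wrong password returns None."""
    enc_key, mac_key = _derive(password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return _xor_stream(enc_key, record["nonce"], record["wrapped"])

if __name__ == "__main__":
    record, token = enroll("correct horse battery staple")  # constructed password
    print(authenticate(record, "correct horse battery staple") == token)
    print(authenticate(record, "wrong password"))
```

If the stored record leaks, password guesses can be tested against it offline, so the protection is bounded by the password's strength and the KDF work factor.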

It works great for enterprises, as neither any single user nor the cloud provider stores the encryption key, and yet we are able to achieve secure backup, global deduplication and data retrieval.

This morning I saw an update in Salesforce for the same customer. So I think we managed to convince Mr. CIO and the security team in that meeting.