RSAC 2024 Innovation Sandbox | Antimatter: a comprehensive data security management tool

read: 7

May 6th

RSA Conference 2024

will officially open

As the “Oscar of Safety”

RSAC Innovation Sandbox (Innovation Sandbox）

Has become an innovation benchmark in the network security industry

under innovation

Together with Mr. Green Alliance

Focus on new hot spots in network security

Insight into new trends in security development

walk intoAntimatter

*RSAC 2024 Top Ten Innovation Sandbox

Company Profile

Antimatter(1) is a data security company dedicated to providing encryption infrastructure for SaaS service providers, providing encryption capabilities for data during static storage and transmission, and providing access control, logging, and privacy protection during data use. and other abilities. The company's vision is that “everyone has control over their data, no matter where it lives.”

Antimatter was founded in 2021 and is headquartered in San Francisco, USA. The company's co-founders are Andrew Krioukov (CEO), Michael Andersen (CTO) and Beau Trincia (VP of Design). Among them, Krioukov and Andersen both received PhDs from RISELab at the University of California, Berkeley. Krioukov was the founder and CEO of Comfy, a workplace management services company. Comfy was later acquired by Siemens; Andersen is a cryptography expert on the team; Trincia is also a founding member of Comfy. One, and served as the design director of the famous design company IDEO for seven years.

On March 31, 2022, Antimatter received US$12 million in Series A financing (2). The investment was led by investment company New Enterprise Associates, with participation from General Catalyst and UNION Labs.

Figure 1 Antimatter founders Andrew Krioukov, Michael Andersen and Beau Trincia

Background introduction

With the continuous development of cloud computing technology and the popularity of cloud services, the SaaS model has become the choice of more and more enterprises and individuals. However, with the increase in SaaS software and the growth of users, the security requirements for SaaS service providers are also constantly increasing. In this model, users may host large amounts of data containing sensitive information and personal privacy to SaaS service providers for processing and storage. This dependence increases the risk of data being illegally accessed or leaked. It can be seen from the “2023 SaaS Security Survey Report” (3) released by CSA that 58% of SaaS companies have experienced data penetration incidents, and 41% of SaaS companies have experienced data leakage incidents.

Figure 2 “2023 SaaS Security Survey Report” data security incident data

In addition, legal compliance requirements for data storage and processing have also become issues faced by SaaS service providers. In order to cope with the legal compliance needs of some regions, SaaS service providers may need to isolate some users' data from other users' data, or store some user data in specific regions. These security requirements have greatly increased the workload of the SaaS service provider's development team and security team.

Founder Krioukov said (4) that the most common needs they encountered before founding Antimatter were as follows:

• Data residency: storing data in a specific country or region;
• Data isolation: Store data separately from other customer data;
• Data governance: Restrict data access.

Therefore, as user data continues to increase in the cloud, how SaaS service providers ensure user data security and meet legal compliance requirements has become a key issue.

How Antimatter Protects Data

What components does Antimatter have?

Antimatter provides a comprehensive and powerful data management tool, and its design concept is: no matter where the data is stored, no matter which system is used, users can manage their own data with a unified decentralized data control plane. The data control plane consists of the following three parts:

• a set of management services
• Provide users with backend management capabilities such as data management, key management, policies, and other settings. By default, users can use the SaaS control plane provided by Antimatter to easily manage their own data on the browser;
• an encrypted object format
• Antimatter names this object format “Capsule”. User data and corresponding metadata are stored in the capsule. The capsule supports the storage of multiple data formats such as table data, dictionaries, map data, and simple unicode text. The capsule itself can also be stored in a variety of storage types, such as files, S3 buckets, SQL data, vector databases, etc.;
• A set of common programming language libraries and common tool plug-ins
• Currently, Antimatter supports tool libraries including command line tools, Python, Rust, TypeScript, and REST API. Users can develop their own programs to use Antimatter.

Antimatter uses “Domain” as the basic unit of an account. Generally, users can log in to their own domain on a browser to use management services and create one or more data capsules. Most API calls are made within a domain and require authentication based on the identity configured in the domain. A capsule is always associated with a domain, and the read and write strategies for the data in the capsule need to be configured in the domain.

Figure 3 Managing data access policies in the domain through web services

How Antimatter manages data

Antimatter calls the rich data management capabilities in the domain “data control”, and its main capabilities are as follows:

• Data Classification
• When writing data to the capsule, Antimatter supports providing AI classifiers to detect and label content such as personally identifiable information contained in the data;
• Access control
• Users can configure data access policies and multiple access identities in the domain to ensure that data can only be accessed by authorized identities;
• data conversion
• When data is accessed, it may be necessary to provide different data subsets or data formats to different access identities according to access control policies. Therefore, Antimatter provides data conversion capabilities to convert the stored data accordingly according to different policies;
• encryption
• The data in the capsule is encrypted using a three-layer key scheme, involving the root encryption key (REK), key encryption key (KEK) and data encryption key (DEK). The capsule is encrypted by DEK, and the DEK is encrypted by KEK to generate ENC_DEK, and store ENC_DEK together with the capsule. KEK is encrypted by REK, and REK is generally stored externally and can be held by the data owner or data processor (such as a SaaS provider that uses Antimatter to manage data).
• Log audit
• Antimatter provides a rich log system. Users can easily query records such as which subjects accessed which data, which subjects changed which policies, etc. on the domain management plane.
• Data list
• Antimatter provides a list of all capsules. Users can use web services or programming language libraries to check which data capsules are in their domain and their corresponding information (such as size, label, creation time, etc.).

Antimatter Characteristics Analysis

It is not difficult to see from the above introduction that the core of Antimatter is to provide a special object structure called capsule, which encapsulates user data to facilitate encryption, access control and other capabilities. In the process of data encapsulation, the main feature of Antimatter is that it adds rich data processing capabilities during the process of interacting with capsules for data writing and reading.

When the user writes data to the capsule, a data processing hook can be added. The most representative one is the hook that uses a large language model to extract personally identifiable information in the data and perform label processing. When reading data, Antimatter can display only part of the data based on access control policies and tag information, and anonymize unauthorized content. The effect of processing personal identity information data is shown in Figure 4, but Antimatter can do more than this. For the same data, there are two different access permissions. Antimatter can display different subsets of this data. For example, for permission A only Show name and credit card number, and for permission B, show name and password. In model training scenarios, if you want to use different contents of the same data to train different models, this mechanism can greatly improve data privacy.

Figure 4 Effect of processing personally identifiable information in data

In addition, Antimatter claims that they have spent a lot of effort designing their own encryption and key management solutions. In Chapter 3.2, we mentioned that Antimatter uses a three-layer key scheme. Users can hold and manage their own root key REK to meet the user's need for Bring Your Own Key (BYOK). Founder Andersen proposed that they use the enclave environment provided by confidential computing technology to store the key encryption key KEK (5), so neither SaaS service providers nor Antimatter can see the KEK, reducing the risk of key exposure.

Under this key management architecture, an attacker needs to simultaneously steal the REK from the data owner, steal the encrypted KEK from the Antimatter, and steal the ciphertext corresponding to the KEK from the data storage to achieve data theft. This architecture reduces the data attack surface and increases the difficulty of attacks for attackers.

Summarize

As the demand for cloud services increases, the amount of user data that SaaS service providers need to host also increases. The resulting data security issues have gradually become a huge challenge for SaaS service providers. Corresponding protective measures are required during the storage, transmission, and use of data on the cloud to prevent the leakage of sensitive information. What Antimatter does is not just simple data security protection. Its main purpose is to provide SaaS service providers with a simple, unified and fast data security management infrastructure. SaaS service providers no longer need to access all user data. In plain text, it is up to the user to decide which part of his data is open to which visitors. This will greatly reduce the workload of SaaS service providers in data security and reduce their service costs.

Antimatter currently has successful cases. It provides data security solutions for Ironclad, the top contract management enterprise software developer in the United States (6), allowing Ironclad users to easily configure BYOK and manage their own data using a simple interface. I believe that as Antimatter continues to improve, it will become the data security choice of more and more SaaS companies.

Reference link

(1) https://www.antimatter.io/

(2) https://www.crunchbase.com/organization/antimatter-d7f1/company_financials

(3) https://cloudsecurityalliance.org/artifacts/state-of-saas-security-2023-survey-report

(4) https://www.antimatter.io/blog/the-founding-of-antimatter

(5) https://www.antimatter.io/blog/what-byok-really-means

(6) https://www.antimatter.io/blog/case-study-how-antimatter-helps-ironclad-meet-the-data-security-requirements-of-fortune-50-companies

Copyright Notice

The copyright holder of all contents of the “Technology Blog” on this site is NSFOCUS Technology Group Co., Ltd. (“NSFOCUS Technology”). As a platform for sharing technical information, NSFOCUS Technology looks forward to interacting with users and welcomes forwarding of the full text as long as the source (NSFOCUS Technology – Technology Blog) and website are indicated.

Any use other than the above situations requires applying for copyright authorization from NSFOCUS Technology (010-68438880-5462) in advance. NSFOCUS reserves the right to pursue liability in case of unauthorized use. At the same time, if any legal dispute arises due to the unauthorized use of blog content, the user shall bear all legal responsibilities and has nothing to do with NSFOCUS Technology.