RSAC 2024 Innovation Sandbox | Antimatter: A Comprehensive Data Security Management Tool

RSAC 2024 Innovation Sandbox | Antimatter: A Comprehensive Data Security Management Tool

April 28, 2024 | NSFOCUS

The RSA Conference 2024 will kick off on May 6. Known as the “Oscars of Cybersecurity,” the RSAC Innovation Sandbox has become a benchmark for innovation in the cybersecurity industry.

Figure 1: Top 10 Finalists for the RSAC 2024 Innovation Sandbox Contest

Today let’s focus on new hotspots in network security and gain insights into new trends in security development by delving into Antimatter.

Introduction of Antimatter

Antimatter is a data security company dedicated to providing encryption infrastructure for SaaS service providers, offering encryption capabilities for data in store and transit, as well as access control, logging, and privacy protection during data usage. The company’s vision is “to give everyone control over their own data no matter it is.”

Antimatter was established in 2021 and is headquartered in San Francisco, USA. The co-founders are Andrew Krioukov (CEO), Michael Andersen (CTO), and Beau Trincia (VP of Design). Krioukov and Andersen both earned their Ph.D. from the RISELab at UC Berkeley. Krioukov was the founder and CEO of Comfy, a workplace management service company, which was later acquired by Siemens; Andersen is the team’s cryptography expert; Trincia was also a founding member of Comfy and served as a design lead at the renowned design firm IDEO for seven years.

On March 31, 2022, Antimatter secured a $12 million Series A funding round, led by the investment firm New Enterprise Associates, with participation from General Catalyst and UNION Labs.

Figure 2: Co-Founders of Antimatter

Background

With the continuous development of cloud computing technology and the widespread adoption of cloud services, the SaaS model has become the choice for an increasing number of businesses and individuals. However, as the number of SaaS applications grows and user bases expand, the security requirements for SaaS service providers are also increasing. In this model, users may entrust a large amount of sensitive and personal data to SaaS service providers for processing and storage, which increases the risk of data being illegally accessed or leaked. According to the State of SaaS Security: 2023 Survey Report released by the CSA, 58% of SaaS companies have experienced data breaches, and 41% have experienced data leaks.

Figure 3: Data from the State of SaaS Security: 2023 Survey Report

Additionally, the need for legal and regulatory compliance in data storage and processing has become an issue that SaaS service providers must face. To meet the legal and regulatory requirements of certain regions, SaaS service providers may need to isolate some users’ data from other users’ data or store some users’ data in specific locations. These security requirements significantly increase the workload of the development and security teams of SaaS service providers.

Founder Krioukov stated that the most common demands they encountered before founding Antimatter were as follows:

  • Data Residency: Storing data in a specific country or region.
  • Data Isolation: Storing data for one customer separately from that of other customers.
  • Data Governance: Restricting data access permissions.

Therefore, in today’s cloud-centric environment where user data is growing exponentially, how SaaS service providers can ensure the security of user data and meet legal and regulatory requirements has become a critical issue.

How Antimatter Protects Data

What Components Does Antimatter Have?

Antimatter offers a comprehensive and powerful data management tool with the design philosophy that no matter where the data is stored or which system is used, users can manage their data with a unified decentralized data control plane. This data control plane consists of the following three parts:

  • A set of management services that provide users with backend management capabilities for data management, key management, policies, and other settings. By default, users can use the SaaS control plane provided by Antimatter to easily manage their data in a browser.
  • An encrypted object format named “Capsule,” where user data and corresponding metadata are stored. Capsules support the storage of various data formats, including tabular data, dictionaries, map data, and simple Unicode text. Capsules themselves can also be stored in various storage types, such as files, S3 buckets, SQL databases, and vector databases.
  • A set of universal programming language libraries and universal tool plugins. Currently, Antimatter supports tools and libraries including command-line tools, Python, Rust, TypeScript, and provides a REST API, allowing users to develop their own programs to utilize Antimatter.

Antimatter uses “Domains” as the basic unit of an account. Typically, users can log in to their domain through a browser to use the management services, creating one or more data capsules. Most API calls are made within a domain and require authentication based on the identity configured within the domain. A capsule is always associated with a domain, and the read/write policies for the data within the capsule need to be configured within the domain.

Figure 4: Managing Data Access Policies in a Domain via Web Services

How Does Antimatter Manage Data?

Antimatter refers to the rich data management capabilities within a domain as “Data Control,” which includes the following main features:

  • Data Classification: When writing data into a capsule, Antimatter supports the use of an AI classifier to detect and tag personal identity information and other content within the data.
  • Access Control: Users can configure data access policies and various access identities within the domain to ensure that data is only accessed by authorized identities.
  • Data Transformation: When data is accessed, it may be necessary to provide different subsets of data or data formats to different access identities based on access control policies. Therefore, Antimatter provides data transformation capabilities to convert the stored data according to different policies.
  • Encryption: The data within a capsule is encrypted using a three-tier key scheme, involving keys such as the Root Encryption Key (REK), Key Encryption Key (KEK), and Data Encryption Key (DEK). The capsule is encrypted with the DEK, which is then encrypted by the KEK to generate the Encrypted DEK (ENC_DEK). The ENC_DEK and the capsule are stored together. The KEK is encrypted by the REK, which is generally stored externally and can be held by the data owner or data processor (such as a SaaS provider using Antimatter to manage data).
  • Audit Logging: Antimatter provides a comprehensive logging system that allows users to easily query records of which entities accessed which data and which entities changed which policies within the management plane of the domain.
  • Data Inventory: Antimatter provides a list of all capsules, allowing users to view their domain’s data capsules and corresponding information (such as size, tags, creation time, etc.) through web services or programming language libraries.

Antimatter’s Features

From the above introduction, it is clear that the core of Antimatter lies in providing the Capsule, a special object structure that encapsulates user data to facilitate encryption, access control, and other capabilities. The main feature of Antimatter during the data encapsulation process, when interacting with the capsule for data writing and reading, is the addition of rich data processing capabilities.

When a user writes data to a capsule, they can add data processing hooks, one of which is particularly representative: using a large language model to extract personal identity information from the data and perform tagging processing. When reading data, Antimatter can display only part of the content based on access control policies and tagging information, anonymizing unauthorized content. The effect of personal identity information data processing is shown in Figure 4, but Antimatter can do more than that. For the same data with two different access permissions, Antimatter can display different subsets of this data, such as only displaying the name and credit card number for permission A, and the name and password for permission B. In model training scenarios, if different contents of the same data are to be used to train different models, this mechanism can greatly enhance data privacy.

Figure 5: The Effectiveness of Personal Identity Information Processing in Data

In addition, Antimatter claims to have invested a lot of effort in designing its unique encryption and key management scheme. As mentioned in section 3.2, Antimatter uses a three-tier key scheme, allowing users to hold and manage their own Root Encryption Key (REK), meeting the needs for Bring Your Own Key (BYOK). Founder Andersen proposed that they use the enclave environment provided by confidential computing technology to store the Key Encryption Key (KEK), so neither the SaaS service provider nor Antimatter can see the KEK, reducing the risk of key exposure.

Under this key management architecture, an attacker would need to simultaneously steal the REK from the data owner, the encrypted KEK from Antimatter, and the corresponding ciphertext of the KEK from the data storage location to achieve data theft. This architecture reduces the attack surface and increases the difficulty for attackers.

Conclusion

With the growth of cloud-based business needs, the amount of user data hosted by SaaS service providers also increases, and the data security issues that arise are becoming a significant challenge for these providers. Protection measures are required during the storage, transmission, and use of data in the cloud to prevent the leakage of sensitive information. What Antimatter does is not just simple data security protection; its main purpose is to provide SaaS service providers with a simple, unified, and fast data security management infrastructure. SaaS service providers no longer need to access all user data in plaintext; users can decide which parts of their data can be accessed by which visitors. This will greatly reduce the workload of SaaS service providers in the data security aspect and lower their service costs.

Currently, Antimatter has had successful cases, providing a data security solution for Ironclad, a top U.S. contract management software developer, allowing Ironclad’s users to easily configure BYOK and manage their own data capabilities through a simple interface. It is believed that with the continuous improvement of Antimatter, it will become the choice for data security for more and more SaaS companies.

More RSAC 2024 Innovation Sandbox Finalist Introduction:

RSAC 2024 Innovation Sandbox | The Future Frontline: Harmonic Security’s Data Protection in the AI Era

RSAC 2024 Innovation Sandbox | Bedrock Security: A Seamless and Efficient Data Security Solution