SECURITY
Secure computations
We built the SCRAM platform with security at its core. The platform uses quantum-secure cryptographic protocols to ensure that data stays locked from current and future attacks. You remain in control of your own data and generate your public and private key pair locally to protect your security.
The SCRAM computation platform consists of three main elements: a central server, software clients, and a communication network to pass encrypted data between the clients and the server. The central server manages the data collection from the clients and hosts the core cryptographic software that performs only pre-defined and approved computations on the encrypted data. It is also responsible for piecing together and redistributing the joint public key that clients use to encrypt any data for the computation.
The individual software clients create public/private key pairs on the local machine and enable the input of data, its encryption, and the communication back and forth with the server. The individual clients also play a vital role in decrypting the encrypted result of the computation run by the server. If firms wish to have an additional security guarantee, they can compile the joint public key for the computation individually by using the public keys of every other participant as well as their own. This ensures that the joint public key was generated correctly, that is, the data encrypted with this key can only be decrypted if the firm’s own private key (which it controls) is used in the distributed decryption process. Participants can also perform integrity tests on the computation results.
It was clear that addressing the problem would require a multidisciplinary team to design a solution. We brought together specialists in financial risk, cryptography, and computer security from across MIT to design and build a new platform using cutting-edge cryptographic techniques that could be used to securely and privately calculate aggregated metrics on cyber defenses and loss data, without requiring firms to disclose their own data. This new SCRAM platform provides clarity and visibility on how firms as a whole defend themselves, as well as improves the understanding of the relationship between control failures and financial losses.
You can check out our security overview for more details.
Secure network
The computation requires a network to pass information back and forth to perform the operations on the encrypted data. The only data ever transmitted over the network is either strongly encrypted or is the public key of the clients, which can only be used to encrypt data, not decrypt it. The network uses TLS (Transport Layer Security) for a second layer of encryption to protect the encrypted data in transit. We take additional measures to ensure the security of the network and your data.
Review & audit our code
We believe that firms should be able to audit our code to ensure that their data is handled correctly and safely, so we published the source code for their review.