Indigo Vault, WTW’s new document protection platform, passes its first conceptual stress-test

September 18, 2024

Senior leaders from the Indigo Vault team took the stand at a RANT roundtable in London as a group of senior cybersecurity experts gave the quantum-busting concept a detailed cross-examination.

Assessing the effectiveness of a cybersecurity technology product or service is difficult. You can’t measure an absence of data – but that’s all you’d have if the objective is to prevent adversaries accessing a network, planting malware or exfiltrating data. Perhaps the only way to work out how useful, viable and reliable a new security tool will be is to deploy it, use it and monitor its progress in your own organisation. This is exactly what WTW did when the company came up with the idea for Indigo Vault, which it developed internally as part of the multinational insurance broking giant’s efforts to futureproof their business by leveraging the benefits of – and combating the threats presented by – quantum computing.

Statements of case

“If we go back five years, Microsoft had just started with quantum,” WTW’s CIO Mark Beardall told a select, high-level group of senior security leaders from numerous different industries during a roundtable discussion in London, organised by the RANT cybersecurity events group. “We wanted to find out if there was a way of using quantum computing to predict the economy and outsmart the competition. What came out of more than a year’s work was that quantum computers, when they arrive, will be great for some of the modelling. But the big takeaway for us was how good they are at breaking encryption.”

It was a sobering moment for a company with centuries of history and vast troves of confidential and highly sensitive data it stores not just for internal and proprietary reasons, but on behalf of tens of thousands of clients worldwide.

“We realised that, when quantum computers are readily available, all the secrets of today are gone,” Beardall said. Adversaries, they realised, may not be able to break encryption today: but if the information’s sensitivity and value isn’t limited to a short timeframe, those attackers can simply steal the encrypted files now, and read them in a decade when quantum technology provides the key to unlock them.

The reaction within the company was immediate and significant. Beardall got a call from his boss, at 11:42 late one December night, authorising significant internal funds to find a solution. As Beardall noted, it’s one thing to lock down data held on a server; the real risk resides at the points where people have to interact with it. So the solution had to protect data not just while at rest, but also while in transit and while in use.

Using some ideas and technologies already developed in-house, including some patented digital-security techniques, they came up with what is now Indigo Vault – an always-on, quantum-resistant document protection platform which users can activate to protect a document using a single click in any Microsoft Office application. The big question was: would it work?

Assembling the evidence

Beardall and his team rolled the solution out internally, which was no small endeavour. WTW represents a challenging use case for any enterprise-wide security tool. The firm has over 40,000 users based in offices in 136 countries, with a range of company-owned and third-party/cloud infrastructure providing its digital backbone.

But the company was ahead of the quantum-computing curve, so had time to test the system’s usability and efficacy without putting day-to-day operations – or data – at risk. It was time they put to good use.

“We’ve used it for two years, and we’re happy with it,” Beardall said. “We’ve taken the pain out of version one.”

The natural next step was to offer the system’s benefits to other users. So WTW have turned it into the Indigo Vault document protection platform, which was launched publicly in mid-September. The RANT roundtable gave its select audience a sneak preview of the product – and Beardall and colleagues invited their guests to stress-test the concept. The questions came thick and fast.

Arguments for the prosecution, witnesses for the defence

The first challenge came from Paul De Luca, global head of cyber risk and resilience at Hewlett Packard Enterprise, who co-hosted the discussion on behalf of RANT. He pointed out that a technology like Indigo Vault may carry the seeds of new threats in its conceptual DNA. He likened the tool to a firearm: it can be used as defensive equipment, and in some situations it may well be essential – but the exact same technology can also be used to do bad stuff.

“If I click once and the document is tied up, that’s great,” he said. “But how do I know whether I should encrypt it or not? What’s in scope? How do you decide?”

Partly, the security experts around the table suggested, those decisions over priorities would be ones each business would need to make for itself, with individual client companies deciding where to draw the dividing lines. But there was widespread approval of keeping the process simple to use. Lee Marmara, WTW’s product owner for Indigo Vault, acknowledged that this had been a live discussion during development.

“The biggest challenge we face is that top level of security,” he said. “If there’s friction, users won’t use it – but if there’s no friction then you’ve lost the security.” The company, he added, had worked hard to find what they felt was the right balance.

Beardall agreed that there were risks in over-use of the tool, but pointed out that this could offer another advantage: if a document is encrypted in Indigo Vault, it can’t be crawled by any internally running AI system, thus reducing the risk of accidental leakage of proprietary information or sensitive data when that AI system was used to help write documents for external publication.

Next, the CISOs around the table wanted to know how WTW was backing up its claims that Indigo Vault will perform as advertised. “How,” one of them put it, “do we know it’s going to work post-quantum when we’re still pre-quantum?”

Sean Plankey, the firm’s global leader of cybersecurity software, explained how WTW has baselined its performance and encryption characteristics against standards developed by NIST. This is an ongoing project: Plankey noted that one of the first quantum-resistant algorithms developed, in 2017, proved robust against quantum computing but couldn’t withstand traditional computing. By 2021, though, an algorithm resistant to both was published; in August, a second arrived.

“These are the ones we totally believe are quantum-resistant,” he said. “Have they been tested in quantum environments? That remains to be seen. But the mathematical principles are said to be quantum-resistant.”

Source code for the first algorithm has been published and examined, Marmara said. Relying on NIST’s certified algorithm may not answer every possible question quantum technology will raise, but it represents the best available solution now. Used as part of a layered suite of protective capabilities, the company is confident that Indigo Vault will be effective.

“We’re ahead of the curve,” Marmara said, noting that Indigo Vault sits on top of other data-protection tools WTW – and their future Indigo Vault customers – are already using. “As long as you’re using them all, not just disparate tools, then I think you’re going to be OK. We don’t exclude anything.”

A question was raised about storage of the decryption keys. WTW has a long history, but nothing is certain in life or in business: if the firm went out of business, how would an Indigo Vault customer be able to unlock their crown jewels? Beardall explained that the system uses Azure to store the key vault, and the expectation is that any elements of code needed for decryption that may not reside within the client company’s systems would be held in escrow and accessible beyond the lifespan of the company.

The geographic location of data was also raised, and provoked detailed debate. Plankey pointed out that the average user of an Azure-based system will never know where in the physical world any file is stored; someone in their organisation’s security team might know. An Indigo Vault user, by contrast, can now specify storage locations from their Azure data centres as needed. Beyond protecting against future quantum threats, this offers businesses an immediate layer of additional assurance that they are able to meet any regulatory or legal residency requirements that apply to the data they create, interrogate or hold.

The verdict

Many of these questions must inevitably remain open. Designing security against threats that don’t exist yet demands flexibility, adaptability and a willingness to rethink the solution as the challenge changes. And in any case: if your question at the beginning of the conversation had been, “Where are the measurements that show it’s going to work?”, then you weren’t ever going to get the answer you were looking for.

But a sense emerged over the course of the discussion that perhaps there is another way of assessing the likely worth of a new cybersecurity toolset. At the end of a detailed and forensic cross-examination by a jury of senior security leaders, will the majority of them believe it’s a product that they would like to see deployed on their networks? It’s hardly scientific, but it’s still an exacting test. And it’s one that Indigo Vault seems to have aced.


For more information on Indigo Vault’s first-of-its-kind quantum-computing-resistant encryption – including how it integrates seamlessly with Microsoft Office and Azure – visit indigovault.com or contact Sean Plankey.