In computer science, entropy is a tangible resource. The term describes the random information that’s collected by an operating system to generate cryptographic keys used for encrypting information. As entropy increases — both in quality and quantity — keys become harder to decipher, and encryption improves.

To put it simply, entropy is the noise that secures the signal.

Traditional computing systems generate inventory from the physical world; they do this by tracking things like mouse movements or the cyclical patterns of cooling fans. These events are random but abundant, providing all the entropy necessary for developing complicated cryptographic keys. However, those sources start to dry up when computing moves out of the physical world and into the cloud.

Cloud devices — which encompass everything from IoT sensors to embedded systems — don’t have a natural source of entropy. Why? They’re largely untethered to actual users. Many of these devices operate autonomously, without human input.

Previously, developers applied the same harvesting techniques used in software-based entropy, assuming it could generate adequate entropy. But that was disproven after an investigation of the cryptographic keys inside firewalls and routers. Multiple duplicate keys were discovered, offering bad actors an easy way to bypass encryption.

Duplicates existed, chiefly, because there wasn’t enough random information available to generate unique ones. As more computing resources move to the cloud, insufficient entropy will become a significant security liability. The future of encryption, security, and online privacy all depend on finding more sources.

Introducing Entropy as a Service

Understanding the scope of this problem, the National Institute for Science and Technology has recommended creating new sources of entropy tailored to today’s computing environments.

EaaS is exactly that: It relies on things like ring oscillators and quantum devices to generate endless amounts of entropy and truly random characteristics. Developers can then draw on this data and use it in new applications or conduct cybersecurity testing.

Several companies are already involved with EaaS, supplying entropy and refining how it’s collected. Whitewood, a crypto-security company, is one example. In 2017, the company started offering a free service for use with on-site software (or paid versions that provide entropy in perpetuity or based on consumption). Random data is collected from a propriety generator called netRandom, and it’s supplied to everything from operating systems to virtual machines. It’s essentially on-demand entropy.

Canada-based Crypto4A offers something similar. Earlier this year, it developed a hardware security module that incorporates multiple sources of entropy according to best practices outlined by NIST. Relying on multiple sources improves both the volume and randomness of entropy, leading to less predictable cryptographic keys.

These companies — and others like them — are part of the burgeoning EaaS industry. A decade ago, no one was concerned about a lack of entropy. Now, however, this issue puts the digital future at risk. EaaS is still maturing, but it will soon become a standard development tool that’s indispensable for internet security.

When to Leverage EaaS

EaaS is an asset to any developer lacking plentiful sources of, well, entropy. Instead of searching for data that simply isn’t there, developers can collect exactly as much as they need. Removing this roadblock simultaneously accelerates development times and upgrades cybersecurity.

The benefits continue beyond development: Applications must be continuously updated with entropy to stay ahead of predatory hackers. EaaS provides a steady supply of new information, free of patterns that hackers can predict and exploit. It’s a way to stay one step ahead of tomorrow’s cybersecurity threats.

Companies can even use EaaS outside a development context. Comparing keys generated through software-based resources against new entropy reveals whether those keys are actually secure. Instead of assuming cryptography is secure, EaaS tests it objectively.

The “as a service” model is appealing because it leverages economies of scale to lower the price of essential tech assets. EaaS is no different. Companies need data security, which means developers need entropy. When it’s not available naturally, EaaS makes up the difference.