You would never give out your keys to someone you didn’t trust, but in the cloud, most of us are already doing just that. Most apps allow the third-party provider to read your data, and many use insufficient security, which could give hackers access as well. Adding a security layer with encryption key management keeps your data safe from hackers, and allows you to use apps without risking that a technology provider could compromise or disclose your private information.
To secure data, encryption needs to be strong and consistently used. Encryption uses a random string of characters called a key to transform data into an unreadable form. That data remains unreadable until it’s decrypted, using the proper key. There are two types of encryption: symmetric-key encryption, which uses a single key to both encrypt and decrypt data, and asymmetric or public key encryption, which uses a public key to encrypt, and a private key to decrypt data.
Although 128-bit encryption is very strong, computer power increases very quickly (that’s why no one uses 64-bit encryption anymore). Additionally, cryptanalysts are always working on ways to crack encryption more quickly. Using 256-bit keys ensures that even if someone comes up with a way to crunch the numbers, say, 10,000,000 times more quickly, encrypted data will remain secure.
It sounds obvious, but encryption only keeps data safe when it’s used. For example, if you encrypt files in the cloud, but store them unencrypted on your device, a hacker or anyone else with access to your device will be able to retrieve your data.
Even if you erase unencrypted data, the files could still be potentially recovered unless the erased data is overwritten with random bits. Similarly, if your business has a policy of only encrypting emails that are considered confidential, there’s a good chance someone will make the wrong call, and leave a sensitive message unencrypted. You’re much safer encrypting everything.
The Need for Encryption Key Management
Anyone with access to an encrypted file, and the cryptographic key that unlocks it, can read the file. It sounds simple, but there are important differences in how individual services manage encryption keys and control access.
Many Software as a Service (SaaS) providers like iCloud and Dropbox use encryption, but the providers hold onto both your data and your keys. This makes these tools convenient to use while adding a meaningful layer of security, but also gives Apple and Dropbox the power to view your data, which could be misused by a malicious insider or a hacker. It also means they could give access to a government agent without seeking your permission, or even informing you.
Want to learn more about key management in the cloud? Check out The Simple Guide to Encryption Key Management for more information on how encryption technologies like Virtru work.
Encryption Key Management for Organizations
Many encrypted SaaS applications also lack features that are important to businesses: granular control and access management. If a company uses one encryption key to safeguard all its data, it makes it impossible to create multiple access levels backed by encryption; in other words, trade secrets, PCI data and other protected information could be accessible from any employee account, increasing the likelihood of a catastrophic leak or breach.
An encryption key management tool allows organizations to apply the principle of least privilege, granting each user access to the data they need to do their job and nothing else. Data that is high-value or under the scope of compliance is only accessible to a few people, greatly decreasing the chance that it will be exposed.
Encryption Challenges in the Cloud
It’s extremely hard to combine good user encryption key management and granular access control with the flexibility and convenience of cloud apps. Key management is also tricky — apps pass data back and forth, and need to be able to easily access your encryption key or your raw data to work. It’s very difficult to engineer email and cloud applications that let users retain control of their keys without compromising convenience and user-friendliness.
Even encrypting data in motion can be challenging, and very few apps adequately protect information traveling across the Internet. When you send an email, sign into a secure website or access a cloud service like Google Drive, data is typically sent across the Internet using SSL/TLS. It is first encrypted on your server, then passed to the next server, where it is decrypted and re-encrypted, and the process repeats itself until it arrives at its destination. If a server has been compromised, or uses an outdated version of SSL/TLS, your data can be recovered by a hacker.
Virtru Email Encryption
Email encryption from Virtru has been designed to provide strong security without sacrificing convenience, both for email and file storage. It works as a browser extension for platforms like Google Chrome and Mozilla Firefox and a plugin for Microsoft Outlook, allowing users to encrypt emails with a single click. When you press the blue “v” before sending a message, Virtru generates a 256-bit AES encryption key to encrypt the message. The encrypted message travels across the Internet to the recipient’s Virtru client, which then requests the key from Virtru’s secure server, and uses it to decrypt the message.
The message is encrypted as soon as it leaves your computer, and not decrypted until the recipient reads it — a process called data-centric encryption. Even if a hacker intercepts the message en route, he won’t be able to read the data. This makes it much more secure than SSL/TLS. Virtru also allows you to encrypt attachments, send group messages, and even email people who haven’t installed Virtru — something you can’t do with other encryption tools. Virtru also reduces the risks of vendor encryption key management. We never have your data, so we have no way to read your emails, and can’t give the government access either.
Virtru: Advanced Features and File Encryption
Virtru Pro gives you extra control of your email by allowing you to rescind messages (even after they’ve been read), set time limits, or disable forwarding so that recipients won’t send on sensitive messages. Organizations can standardize good email security with Virtru’s Data Loss Prevention tool. Virtru DLP uses customizable rules to prevent security breaches caused by user error. The organization’s entire email domain can be configured to automatically:
- Encrypt messages;
- Strip attachments;
- Pop up warning signs when emails contain sensitive information;
- Copy supervisors on certain messages;
- Add disclaimers or other text;
- Trigger rules based on the recipient’s domain or address.
Finally, Virtru Google Apps (now known as G Suite) encryption allows organizations to enforce the same level of security in the cloud. It combines encryption key management with data-centric encryption, allowing you to control access to sensitive information throughout your organization. And by encrypting all your G Suite data, it ensures a malicious insider can’t access your files.
No single security tool is perfect, and there are a few things Virtru’s original offerings can’t do (we’ll discuss newer features, including encryption key management, below). If a hacker were able to steal your password or use a computer where you saved your login information, they’d still be able to access your email account, along with the data therein. To keep yourself safe, you need to start using email security best practices.
A strong password is crucial: choose a long phrase that’s easy to remember and, if possible, includes uppercase and lowercase letters, numbers and symbols. Song lyrics, a statement describing something you like, or even a memorable nonsense phrase will work. Rotate your passwords every 6 months, and don’t use the same password across multiple accounts.
Two-factor authentication — a feature that requires you to enter a code texted to your phone every time you log in — can make your account even more secure. This prevents hackers from accessing your account even if your password is compromised. You should also clear your browser cache after every use, and stop storing login info on your computer.
As we mentioned, standard Virtru encryption also manages encryption keys. We’ll fight any government request for encryption key access, but we could theoretically be forced to disclose them. Law enforcement or intelligence could then request access to your accounts from your SaaS providers, giving them access to your emails and files.
International Privacy Requirements
Multinational organizations have special compliance requirements that can’t be solved by most encryption solutions. Because of the strong privacy protections offered by the EU Data Protection Directive, companies need to agree to safeguard confidential data of European citizens when that data is exported.
Safe Harbor allowed companies to move that data into the US in exchange for guarantees that they would protect it. However, in response to U.S. government spying, Safe Harbor has been invalidated, and it has become more difficult for multinational companies to stay compliant with national and international privacy protections. Although Privacy Shield has replaced Safe Harbor, it’s complex, doesn’t apply to many industries, and puts burdens on companies transferring data to third parties.
Companies can use legal documents such as model contracts to govern partnerships with the companies that store, transport and process their data, but those documents don’t prevent liability, and impose a range of compliance requirements that are difficult to implement, including:
- Requiring user approval for data usage and transfer;
- Providing users copies of data when requested;
- Amending data inaccuracies at user request;
- Allowing users to opt out of direct marketing practices.
To ensure compliance, companies need to only access protected data from inside the EU. In most SaaS apps, however, data is not necessarily stored in one particular location — indeed, there may be copies on multiple continents.
A better solution is storing your encryption keys locally, and only permitting access to people in local offices. This allows you to choose whichever SaaS service makes the most sense for your business, while ensuring compliance with local privacy protections.
Virtru Secure Encryption Key Management
Virtru’s customer-owned keys and Hardware-Backed Encryption Key Management (HEKM) give customers complete control over their keys, solving a range of enterprise security and compliance issues. Encryption keys can be stored on a secure, customer-owned server or hardware device, which can be kept on-premises or cloud-enabled in the US, Ireland, Germany, Singapore or Japan.
When you send a message with Hardware-Backed Encryption Key Management, your Virtru client generates a message key, which is encrypted again with your public key. This creates an encrypted message key, which is sent to Virtru’s secure server.
At the same time, the encrypted message is sent to the recipient’s mail server. When the recipient opens their message, their computer queries Virtru’s secure server for the key. Virtru’s server contacts the KMS, which decrypts the encrypted message key with your private key, then encrypts it again with the recipient’s public key. Finally, it’s sent back to the recipient’s server, where the private key retrieves the original message key, and decrypts the message.
This method prevents Virtru from possessing the message key at any point; every time the key goes to Virtru’s server, it is already encrypted, either using your public key or the recipient’s. That gives you complete control of your keys; even if a hacker managed to penetrate Virtru’s secure servers or a government were to force us to disclose your data, they wouldn’t be able to use the information to compromise your files. In addition to encryption key management, Virtru HEKM provides audit logs for every key request, allowing customers to manage access, employ two-factor authentication and rotate keys for added security.
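The exchange described above, sketched as an added example for Node.js; it is not Virtru's code and does not come from the original page. RSA-OAEP key wrapping, AES-256-GCM, and every function and variable name here are assumptions, since the page specifies only a 256-bit AES message key and public/private key pairs.

```javascript
// Added illustration, not Virtru's code. Assumed: RSA-OAEP key wrapping, AES-256-GCM.
const { generateKeyPairSync, randomBytes, createCipheriv, createDecipheriv,
        publicEncrypt, privateDecrypt, constants } = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const wrap = (publicKey, key) => publicEncrypt({ key: publicKey, ...OAEP }, key);
const unwrap = (privateKey, blob) => privateDecrypt({ key: privateKey, ...OAEP }, blob);

// Sender's client: fresh 256-bit message key, wrapped with the owner's public key.
function senderEncrypt(plaintext, ownerPublicKey) {
  const messageKey = randomBytes(32);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', messageKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    envelope: { iv, ciphertext, tag: cipher.getAuthTag() }, // to the recipient's mail server
    wrappedKey: wrap(ownerPublicKey, messageKey),           // to the vendor's key server
  };
}

// Customer-held KMS: the only place the owner's private key exists.
function kmsRewrap(wrappedKey, ownerPrivateKey, recipientPublicKey) {
  const messageKey = unwrap(ownerPrivateKey, wrappedKey);
  try { return wrap(recipientPublicKey, messageKey); }
  finally { messageKey.fill(0); } // drop the plaintext key as soon as it is rewrapped
}

// Recipient's client: unwrap the message key, then authenticate and decrypt.
function recipientDecrypt(envelope, rewrappedKey, recipientPrivateKey) {
  const messageKey = unwrap(recipientPrivateKey, rewrappedKey);
  const decipher = createDecipheriv('aes-256-gcm', messageKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]).toString('utf8');
}

function demo() {
  const newPair = () => generateKeyPairSync('rsa', { modulusLength: 2048 });
  const [owner, recipient, outsider] = [newPair(), newPair(), newPair()];
  const { envelope, wrappedKey } = senderEncrypt('constructed sample message', owner.publicKey);
  const vendorStore = [wrappedKey]; // everything the vendor's server holds before a request
  const rewrapped = kmsRewrap(wrappedKey, owner.privateKey, recipient.publicKey);
  vendorStore.push(rewrapped);      // ...and what passes through it afterwards
  // Someone holding the vendor's store but neither private key gets nothing usable.
  const storeUselessAlone = vendorStore.every((blob) => {
    try { unwrap(outsider.privateKey, blob); return false; } catch { return true; }
  });
  return { plaintext: recipientDecrypt(envelope, rewrapped, recipient.privateKey), storeUselessAlone };
}
console.log(demo());
```

The security of the arrangement rests on where `kmsRewrap` runs: the plaintext message key exists only inside the customer-held KMS and the two endpoints, so the KMS's request authorization and audit logging become the control points.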
Encryption for the Whole Cloud
File and email encryption are a great first step, but we’re already going far beyond that. With features like Hardware-Backed Encryption Key Management and Virtru SDK, Virtru is helping to create a world where information is safe by default. Whether you’re a business trying to meet rigorous security and compliance requirements, or an end user guarding against identity theft, Virtru allows you to protect your data everywhere it goes.