Q&A: Virtru for ITAR Compliance
- The following activities are not exports, reexports, retransfers, or temporary imports:
  - Sending, taking, or storing technical data that is:
    - Unclassified;
    - Secured using end-to-end encryption;
    - Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128);
- For purposes of this section, end-to-end encryption is defined as:
  - The provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and
  - The means of decryption are not provided to any third party.
Now, even if the underlying cloud provider can’t provide geolocation and permissions assurances, end-to-end encryption prevents unauthorized access and limits visibility to the data owners and their intended, authorized recipients. While this creates a significant opportunity for more seamless and efficient data sharing, it also brings up questions about what security measures must be considered.
Virtru for ITAR Compliant Email & File Encryption
While you may now know the basics—such as why ITAR matters, who needs to pay attention to it, and what to look for in a solution—over the past few months, we’ve received questions around how exactly Virtru enables ITAR compliance. So, we sat down (virtually, of course) with Virtru’s Director of Federal and Platform, Joe Stuntz, to better understand the ins and outs of securing ITAR data with Virtru.
Why does end-to-end encryption matter for ITAR compliance?
Client-side, end-to-end encryption is one of the only reliable ways to secure data from hackers, cyber-spies, and internal threats. ITAR compliant organizations must use strong encryption standards, and carefully control encryption keys to ensure unauthorized parties—including cloud vendors—can’t decrypt sensitive information.
How can you minimize the risk of human error, such as an employee forgetting to turn encryption “on”?
Email encryption alone won’t prevent a well-meaning employee from forgetting to encrypt a sensitive message, or sending out sensitive data through email by mistake. This is where other data security features such as access controls and audit capabilities become critical.
Organizations can automatically enforce Virtru client-side encryption and access controls for emails (including drafts) sent from your entire organization or from specific users/groups. Virtru also allows you to designate “encrypt & upload” as the only option for users/groups when uploading documents with technical data in Google Drive.
How does Virtru Private Keystore factor into ITAR compliance?
Hosting your own keys ensures that any key access request must be approved by you, giving you ultimate control over who has access to keys for ITAR technical data.
Does Virtru for Gmail and/or Google Drive address ITAR compliance requirements?
By using end-to-end encryption for email (including drafts) and files containing ITAR technical data, you can effectively prevent access by any cloud servers or foreign entities and address personnel permissions concerns. With Virtru for Gmail, you have the flexibility to use Google services due to an added layer of control for files and emails, wherever they’re shared. This helps ensure compliance beyond the initial email.
How can Virtru help enable compliance for organizations using Office 365 if the ITAR-protected data is technically stored on their servers?
The key benefit is that Microsoft will only be storing encrypted data. Microsoft will have encrypted content, Virtru will have the keys but no content, and only the data owner and those authorized for access can decrypt data. This means that nobody has the keys to the kingdom and an organization does not have to rely on the practices of any one organization.
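The split of custody described in the two answers above (the content host stores only ciphertext, while the key holder stores keys and approves each key request), sketched as an added example that is not Virtru's code or API. `KeyService`, `protect`, `unprotect` and the in-memory `storage` array are hypothetical names, the requester identity is assumed to be already authenticated, and the sample data is constructed.

```javascript
const nodeCrypto = require('crypto');

// Hypothetical key service: stores data keys and access policy, never content.
class KeyService {
  constructor() { this.keys = new Map(); }
  register(key, allowed) {
    const id = nodeCrypto.randomUUID();
    this.keys.set(id, { key, allowed: new Set(allowed) });
    return id;
  }
  revoke(id, who) { this.keys.get(id).allowed.delete(who); }
  request(id, who) {
    const e = this.keys.get(id);
    if (!e || !e.allowed.has(who)) throw new Error('key request denied');
    return e.key;
  }
}

// Sender side: encrypt before upload, so the storage provider only gets ciphertext.
function protect(plaintext, recipients, keyService, storage) {
  const key = nodeCrypto.randomBytes(32);      // AES-256 data key
  const iv = nodeCrypto.randomBytes(12);       // fresh 96-bit GCM nonce per object
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const keyId = keyService.register(key, recipients);
  storage.push({ keyId, iv, ct, tag: c.getAuthTag() });
  return storage.length - 1;                   // handle of the stored object
}

// Recipient side: fetch ciphertext from storage, then ask the key service for the key.
function unprotect(handle, who, keyService, storage) {
  const { keyId, iv, ct, tag } = storage[handle];
  const key = keyService.request(keyId, who);  // throws unless policy allows `who`
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);                           // final() throws if ct or tag was altered
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Constructed sample run: authorized read, unauthorized read, read after revocation.
function demo() {
  const ks = new KeyService(), storage = [];
  const h = protect('constructed sample: drawing rev B', ['alice@example.com'], ks, storage);
  const ok = unprotect(h, 'alice@example.com', ks, storage);
  let denied = false, revoked = false;
  try { unprotect(h, 'mallory@example.net', ks, storage); } catch (e) { denied = true; }
  ks.revoke(storage[h].keyId, 'alice@example.com');
  try { unprotect(h, 'alice@example.com', ks, storage); } catch (e) { revoked = true; }
  const leaked = storage[h].ct.includes('drawing');  // plaintext visible in storage?
  return { ok, denied, revoked, leaked };
}
```

Neither side can decrypt alone: the storage array holds no key, and the key service holds no content, so removing a recipient from the policy cuts off access even though the ciphertext is unchanged.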
Does Virtru hold a FIPS certificate, and what value does that have for ITAR compliance?
All of Virtru’s encryption algorithms comply with FIPS 140-2; however, not all Virtru clients leverage FIPS validated encryption modules. As an example, in September of this year, Virtru received validation for our JavaScript library. For our solutions that leverage FIPS validated modules, not all clients are enabled in FIPS mode by default. In addition to our own validation, we use third-party encryption libraries that have been certified by, or for, companies such as Google, Microsoft, and Apple. You can read more about this here.
ITAR requirements specifically state that the cloud provider must use cryptographic modules (hardware or software) that are compliant with FIPS 140-2 or other compliant encryption.
How does Virtru ensure that ITAR-protected data is secure and meets ITAR requirements?
Virtru offers end-to-end encryption, granular access controls, and customer-hosted keys to address native cloud security gaps and prevent foreign entities from accessing technical data.
In order to meet ITAR requirements, Virtru hosts everything in the U.S.
Can an organization address ITAR requirements with Virtru alone?
Using Virtru alone does not guarantee ITAR compliance. Virtru solutions must be deployed as part of a broader compliance program with additional safeguards, controls, and processes that prevent unauthorized foreign access to ITAR technical data.
In Conclusion
Virtru helps support ITAR compliance by providing end-to-end encryption that protects ITAR technical data from foreign access wherever it’s shared, unlocking cloud cost-savings benefits and enabling collaboration workflows that power innovation and growth. ITAR noncompliance leads to some of the most significant consequences of all data regulations, so it is not to be taken lightly and boils down to one thing: preventing non-U.S. persons from accessing ITAR technical data in the cloud.
Editorial Team
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.