
Virtru Data Protection Platform Architecture

The Virtru Trusted Data Platform infrastructure enables Virtru and third-party developers to embed end-to-end encryption, granular access controls, and key management capabilities into applications and workflows to prevent unauthorized access and ensure data privacy.


Protect Your Data, Everywhere It Flows.

About the Trusted Data Format (TDF)

Virtru's products are built on the Trusted Data Format (TDF), an open specification used by thousands of organizations, including the U.S. Intelligence Community, to enable secure sharing with platform-agnostic encryption for any type of data, across any cloud environment or device, using persistent access controls that ensure data privacy.

Seamless Data Protection for Your Most-Used SaaS Apps

Virtru integrates directly with the applications your teams already use every day, including Google Workspace (Gmail, Google Drive, and other productivity apps) and Microsoft 365. As a result, everyday users can easily encrypt sensitive data with a single click, without ever leaving their daily workflow. Virtru also supports encryption workflows for Salesforce, Zendesk, Workday, and dozens of other SaaS apps. 

Virtru Data Protection Platform Architecture


Split-Knowledge Architecture to Support Zero Trust

Virtru employs a split knowledge architecture that stores encrypted content separately from the encryption keys protecting it, supporting a Zero Trust framework, where all system components are continuously authenticated, verified, and authorized.

Only authorized entities can access unencrypted content. Virtru can never access unencrypted content or decrypt user content outside of customer-controlled Virtru clients: when we have the keys, we cannot access the content, and when we have the encrypted content, we can’t access the keys to decrypt and access it.


The Virtru system consists of four components: Virtru client libraries that sit on the content creator’s device (typically a browser extension or plug-in), the Virtru Access Control Management (ACM) Server that provides key management and mediates policies, object stores that hold encrypted content, and receiving clients.

When a user enables Virtru protection, all encryption activities occur on Virtru-enabled clients using client-generated AES-256 bit symmetric encryption keys. Separate object encryption keys, called Access Control Keys, are generated to encrypt each individual email or file. When encrypted content is sent or uploaded, the creating Virtru client uploads Access Control Keys and policies to the Virtru ACM via a Transport Layer Security (TLS) connection.

The Virtru ACM Server is a SaaS service that mediates access to protected content. The ACM distributes encryption keys to authorized parties, enforces access control policies, and communicates with federated identity services to authenticate users. The ACM also surfaces management interfaces to end users and administrators.

Object stores, such as Google Drive and Amazon Web Services (AWS), or email servers, such as Google and Microsoft Exchange, store encrypted content. The Virtru Zero Trust Architecture ensures separation of keys and content at all times. Where Virtru has the keys, it cannot access the content; where Virtru services have the content, Virtru does not have access to the keys. Because Virtru services hold either the encryption keys or the encrypted content, but never both, they cannot decrypt content.

Virtru allows authorized parties to receive and decrypt protected content without installing Virtru’s software. To access protected content, recipients must authenticate with the Virtru ACM. To do this, they use their existing email credentials, rather than having to establish new usernames or passwords. The ACM supports Federated Authentication via OAuth, SAML, and OpenID. The ACM grants Access Control Keys to authorized parties once they have authenticated. These keys are then used to decrypt content on the recipient’s device.


When using Virtru to protect files hosted in cloud service object stores, such as Google Drive, the content creator’s client encrypts files using a browser extension or other Virtru-enabled clients. Virtru clients generate separate AES-256 bit Access Control Keys to encrypt each file. Access control policies may also be applied at this time, either manually via the user or automatically via Data Loss Prevention (DLP) rules that are preconfigured by administrators. Examples of access control policies include: authorizing a party’s access, setting expiration for this access, and enhancing content protection via PDF watermarking or download disablement.

Once the content is encrypted, it is uploaded via TLS to the cloud service object store. An object level Access Control Key and Access Control policy are also uploaded to the Virtru ACM Server at this time, again via TLS.

The content and Access Control Key remain in separately-controlled systems until a content consumer requests access to the encrypted file. The Virtru Zero Trust Architecture ensures that Virtru services never have access to the cloud object store. After authenticating, the content consumer receives access to the decryption key required to view the unencrypted content on any device.


When using Virtru to secure emails, all messages and attachments are encrypted with AES 256-bit Access Control Keys on the content creator’s client via a browser extension, Microsoft Outlook plug-in, mobile app, or other Virtru-enabled client. Access control policies may also be applied at this time, either manually via the user or automatically via Data Loss Prevention (DLP) rules that are preconfigured by administrators. Examples of access control policies include: authorizing a party’s access, setting expiration for this access, and enhancing content protection via PDF watermarking or download disablement.

Once email bodies are encrypted, they are sent via TLS to the email server that will eventually deliver this content to authorized recipients. Cloud providers, such as Google and Microsoft, cannot access unencrypted content or decrypt content on their servers because they do not have access to the keys stored in the Virtru ACM. To allow recipients to read emails without installing Virtru’s software, Virtru utilizes an external object store, such as Amazon S3, to surface encrypted emails.

The sending Virtru client creates a copy of the encrypted email and any file attachments, re-encrypts them with a separate key, known as a Split Knowledge Key, and sends the re-encrypted content to the designated object store. The Split Knowledge Key is stored inside the email, which is eventually delivered to the sender’s specified recipients. Virtru services do not have access to the sender’s or the recipient’s email servers, ensuring that encrypted content stored in the external object store cannot be decrypted outside of a Virtru client.

For each object, such as the individual email bodies and attachments, an individual Access Control Key is created and sent to the Virtru ACM. The content and key remain separate until a content consumer requests access to the encrypted email content. After authenticating, the content consumer receives access to both the Access Control Key (from the ACM) and the Split Knowledge Key (from the receiving email server). The Split Knowledge Key decrypts the Access Control Key, which decrypts the original email content.

Schedule a demo with Virtru today.