Protect all content types from the time of creation.
Share content with anyone inside or outside the enterprise, without the need for complicated key exchange or other technical complexity.
Integrate easily with existing applications and workflows, adding security without hampering user productivity.
The following steps outline a worked example of the high-level architecture used to achieve EaaS for a Virtru-supported email service. The numbers indicate the five main steps in the process.
1. Content Encryption. The sender places content into a Virtru-enabled email client and indicates that the content should be protected. When the sender attempts to send the email, the email client encrypts the content. In order to perform this encryption, the email client generates a new secret key specifically for protecting the content; the recipient must have this key to decrypt the content. The email client also creates a security policy for this content, which defines, through metadata assertions, any access control restrictions on recipient behavior (for example, when the content should expire, if ever).
2. Content Distribution and Access Control Management. The sender’s email client takes care of distributing the content, such as sending an encrypted email message to the appropriate local mail server for processing. At the same time, the sender’s email client also handles access control management. This involves transferring the content’s secret key and the associated security policy to a Virtru EaaS server for storage until needed.
3. User Authentication. When the recipient attempts to access the protected content through the recipient’s Virtru-enabled email client, this triggers a three-party user authentication session between the email client, the Virtru EaaS server, and the third-party Identity Provider service holding the recipient’s user credentials. All three major federated identity protocols – OAuth, OpenID, and the Security Assertion Markup Language (SAML) – are supported by Virtru for user authentication. Because the Virtru-enabled application coordinates all the communications between the EaaS server and the identity provider service, Virtru servers never have access to the user’s authentication credentials.
4. Key and Contract Distribution. If user authentication is successful, the Virtru EaaS server provides the protected content key and security contract to the recipient’s Virtru-enabled email client.
5. Content Decryption. If the terms of the security contract are met, such as the content not having already been expired by the sender, the recipient’s email client uses the key to decrypt the protected content, making it available to the authorized recipient.
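The five steps above, modelled end to end as an added example (not Virtru's code): a per-message key and policy are escrowed with a key-access server that never sees the ciphertext, the mail server carries only the ciphertext, and the key is released only to an authenticated, authorized recipient before the policy's expiry. The HMAC-based encrypt-then-MAC cipher is a standard-library stand-in for a real AEAD such as AES-GCM, the identity-provider outcome is a constructed token-to-identity map, and enforcing expiry at the key server (rather than only in the client) is an assumption of this model.

```python
import hashlib, hmac, secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; a stdlib stand-in for AES-GCM.
    blocks = (hmac.new(_subkey(key, b"enc"), nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC tag over nonce and ciphertext.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyAccessServer:  # models the Virtru EaaS server: escrows keys and policies, never sees content
    def __init__(self, idp_assertions: dict):
        self._escrow, self._idp = {}, idp_assertions   # id_token -> identity asserted by the IdP (constructed)
    def store(self, policy_id: str, key: bytes, policy: dict) -> None:
        self._escrow[policy_id] = (key, policy)
    def request_key(self, policy_id: str, id_token: str, now: int):
        user = self._idp.get(id_token)                  # step 3: outcome of federated authentication
        if user is None:
            raise PermissionError("authentication failed")
        key, policy = self._escrow[policy_id]
        if user not in policy["recipients"]:
            raise PermissionError("not an authorized recipient")
        if policy["expires_at"] is not None and now >= policy["expires_at"]:
            raise PermissionError("content expired")    # assumption: expiry also enforced server-side
        return key, policy                              # step 4: key and contract released

def send_protected(kas, mail_server: list, recipients, body: bytes, expires_at):
    key, policy_id = secrets.token_bytes(32), secrets.token_hex(8)   # step 1: fresh per-message key
    mail_server.append({"policy_id": policy_id, "ciphertext": encrypt(key, body)})   # step 2: content path
    kas.store(policy_id, key, {"recipients": frozenset(recipients), "expires_at": expires_at})  # step 2: key path
    return policy_id

def open_protected(kas, mail_server: list, policy_id: str, id_token: str, now: int) -> bytes:
    msg = next(m for m in mail_server if m["policy_id"] == policy_id)
    key, _ = kas.request_key(policy_id, id_token, now)  # steps 3 and 4
    return decrypt(key, msg["ciphertext"])              # step 5
```

Note that a compromise of the mail path alone yields only ciphertext, and a compromise of the key server alone yields keys without content; both must be breached, and the recipient's credentials never pass through the key server.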