SlideShare une entreprise Scribd logo

CMK: What Architects Need to Know

IronCore Labs
IronCore Labs

If you develop SaaS applications you know that large enterprises want to create their own security keys and control encryption of their data stored in your application. This capability is known as Customer Managed Keys (CMK) or Enterprise Key Management (EKM). In this detailed technical whitepaper, we give cloud, enterprise and software architects: * the technical context behind CMK, * presents a reference architecture, * and discusses implementation patterns and tradeoffs.

Logiciels
1  sur  14
Télécharger pour lire hors ligne
CMK: WHAT ARCHITECTS NEED TO KNOW A white paper on Customer Managed Keys
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 2 CMK: What architects need to know WHAT IS CMK? Customer Managed Keys, or CMK, is a cloud architecture that gives customers owner- ship of the encryption keys that protect some or all of their data stored in SaaS applica- tions. CMK is known by many names: • EKM - Enterprise Key Management • BYOK - Bring Your Own Keys • CSK - Customer Supplied Keys • BYOE - Bring Your Own Encryption Regardless of name, CMK has these characteristics: • Per-tenant encryption for some or all customer data. • Your customer (tenant) manages a master key or keys needed for decryption. • Your customer can independently monitor all data access. • Your customer can independently revoke access at any time. This whitepaper gives cloud, enterprise, and software architects technical context behind CMK, presents a reference architecture, and discusses implementation patterns and tradeoffs. HOW CMK GENERALLY WORKS In CMK, you encrypt sensitive customer data before you store it. When you need data access, you call your customer’s infrastructure to get the decryption key. Your custom- er can revoke access by refusing to return the key, and they get an independent audit event on every request. You Store Encrypted Data + Encrypted Keys App Layer Data Layer KMS SIEM Your Customer Controls Keys and Audits Access “For many large enterprises, ownership and control of encryption keys is a baseline requirement for SaaS adoption.” - Forrester
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 3 CMK: What architects need to know The Envelope Encryption Pattern Storing and encrypting data in CMK involves multiple layers of keys. The typical ap- proach uses two layers and is referred to as “envelope encryption.” In envelope encryp- tion, you first encrypt data with a data encryption key or DEK. You use a second master key, or MK, to encrypt the DEK, producing an Encrypted DEK or EDEK. You have access to the DEK while you are encrypting or decrypting, but you agree to wipe the key from memory after use. You never persist the DEK to storage. Instead, you store the encrypted DEK, or EDEK, alongside encrypted data. Typically you add a col- umn to your database schema or persist the EDEK as object metadata. The process of encrypting a key is known as key wrapping. The wrapping key is generi- cally called a key encryption key or KEK. In CMK, the MK needed to decrypt the EDEK is held by the customer’s Key Management System (KMS). You ask the KMS to decrypt the EDEK. If the KMS grants access, it will unwrap and return a DEK which you in turn use to decrypt data. You then wipe the DEK from memory. The master key never leaves control of your customer. In a two-level hier- archy, the MK serves the role of the key encryption key. DEK EDEK Data Encrypted Data wiped after use MK
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 4 CMK: What architects need to know Envelope encryption with two keys Definitions plaintext Unencrypted data ciphertext Encrypted data DEK The data encryption key (DEK) is the key used to encrypt plaintext data. In practice, the DEK always uses symmetric encryption. KEK The DEK is wrapped (encrypted) by a key encryption key (KEK). In prac- tice, a KEK can be symmetric or asymmetric (public/private key pair). EDEK The encrypted data encryption key. MK The Master Key controlled by the Customer KMS. The MK serves the role of the key encryption key. The MK never leaves the Customer KMS. Operations encrypt2-level { EDEK, ciphertext } = encrypt(plaintext) composed by... // The customer KMS generates a DEK and wraps it { DEK, EDEK } = generateKeys() // The DEK is wiped from memory after use ciphertext = encrypt(plaintext, DEK) decrypt2-level plaintext = decrypt(ciphertext, EDEK) composed by... // The customer KMS unwraps the EDEK with its MK DEK = unwrap(EDEK) // the DEK is wiped from memory after use plaintext = decrypt(ciphertext, DEK) Customer Control and Independent Audit CMK allows your customer to independently revoke and transparently monitor access to their data stored in your SaaS application. Basically, if your company shows up in the news with the term “breach,” your customers want to kill access immediately. As CMK increasingly becomes labeled a “best practice,” your customers are contractually (e.g. insurance) and legally (e.g. HIPAA) obligated to insist on its adoption. The sequence diagram below shows the decryption data flow. Notice how the log re- quest data flow provides independent monitoring and the 403 allows revocation.
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 5 CMK: What architects need to know Customer data is encrypted and decrypted locally in your infrastructure using high- speed symmetric encryption operations. Only the EDEK, a small payload, goes back to your customer’s infrastructure to be unwrapped. We’ll see later that EDEK decryption can be further optimized. IRONCORE CMK ARCHITECTURE IronCore provides a turnkey CMK Implementation that you can quickly and easily inte- grate into your SaaS application. Even if you decide to implement your own CMK solu- tion, the IronCore architecture can inform your technical approach. App Layer Data Layer Encryption Service Configuration Broker Memory only Docker container Configuration on startup and as needed Zero-Trust, End-to-End Encryption Gemalto AWS Azure CloudTrail Splunk LogRhythm Web Browser (Admin) SaaS Provider Infrastructure KMS SIEM SDK
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 6 CMK: What architects need to know Data Layer CMK is a server-side approach to encryption. Generally speaking, you want to encrypt on your server as early as possible and decrypt as late as possible. In practice, the easi- est way to integrate is to find persistence layers and encrypt where fetch/store activities happen. Finding the right data seam is often the most challenging aspect of integration. Look for the following: • Anywhere fetch and store have been consolidated to make access control more reli- able. • Data transfer objects used to serialize and deserialize. • Code generated from formal data interface definitions such as protobuf, GraphQL, or Swagger. When you have identified one or more data seams, use the IronCore SDK API calls: A core design principle of IronCore’s service is to remove decisions from individual developers. Getting security and cryptography right is notoriously error-prone. The Iron- Core API is simple. Encryption policy is metadata-driven and separated as a cross-cut- ting concern. In this way policy enforcement is architected directly into your platform and access rules are defined, tested and audited by security specialists. The IronCore SDK is embedded in your data layer and hides the details of enve- lope encryption. The SDK gets a generated DEK and EDEK from the encryption service (ES, discussed below). The SDK encrypts plaintext to ciphertext with the DEK. The DEK is wiped from memory and the EDEK and ciphertext are returned to the data layer of your SaaS application. On decrypt, the SDK makes a request to the encryption service to unwrap the EDEK. The SDK decrypts the ciphertext and wipes Writing on an iMessage vulnerability… “There is an important lesson in this: security is hard. Apple Computer has one of the best security teams on the planet. This feature was not tossed out in a day; it was designed and implemented with a lot of thought and care. If this team could make a mistake like this, imagine how bad a security feature is when implemented by a team without this kind of expertise. Getting security right is hard for the best teams in the world. It’s impossible for most teams.” - Bruce Schneier
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 7 CMK: What architects need to know the DEK from memory. The plaintext is returned to the data layer of your application. IronCore provides a batch API for parallel encryption and decryption operations. The en- cryption server is horizontally scalable and has an optional key leasing mode discussed below. This enables highly performant batch operations. Metadata CMK gives your customers the ability to independently monitor data access. The meta- data passed on encrypt and decrypt operations enriches the information included in this audit trail. Default metadata properties define who (tenant and user), what (data label or clas- sification), and where (end user IP address or data center location). You can augment metadata with custom properties for addi- tional audit, policy and control. Audit trails are logged to your customer’s preferred Security and Incident Event Man- agement (SIEM) system. In addition to the log events produced by your customer’s KMS, IronCore’s implementation streams enriched events and telemetry to your customer’s SIEM infrastructure. Joins, Filters and Search CMK does not impact joins as primary and foreign keys should not be encrypted. Sorting and filtering of encrypted fields can be performed in-memory with no security implications. If in-memory is not possible or practical, an order-revealing or order-pre- “Data privacy concerns are causing significant sales cycle delays for up to 65 percent of businesses worldwide.” - Cisco Privacy Study
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 8 CMK: What architects need to know serving encryption scheme may be appropriate. IronCore works with customers to determine what is needed and appropriate while explaining security trade-offs. Encryption Service The Encryption Service (ES) facilitates the encryption and decryption of DEKs and EDEKs. It communicates with your customer’s KMS or Hardware Security Module (HSM) to provide control and auditing. With IronCore, you integrate once and immediately gain support for all popular KMS configurations. The ES integrates with key management systems and hardware security modules from Gemalto, AWS, Azure, GCP and other vendors. Leveraging IronCore makes if practical for your SaaS application to implement CMK without the integra- tion complexity and ongoing technical debt associ- ated with supporting, testing and auditing new and updated customer key management infrastructure. In some configurations, the ES performs encrypt and decrypt operations in the service using keys leased from the customer’s KMS. In other configurations, the customer’s KMS performs all of the wrapping and unwrapping. The Encryption Service has no persisted state. It is a multi-tenant Docker container that runs in your infrastructure and scales horizontally. It configures itself by calling the Con- figuration Broker (discussed below) on startup and as needed. IronCore encrypts the configuration used to access tenant KMS systems with end-to-end encryption. Not even administrators can access this information. In a do-it-yourself (DIY) scenario, you need to safeguard KMS secrets carefully. IronCore’s code is independently audited by the NCC Group, a firm that specializes in cryptography services. IronCore transparently publishes security and trust information in our Trust Center where we discuss our SOC2 certification, privacy measures, and other industry standards. The IronCore Encryption Service generates audit events indicating every access of data, what was accessed, by whom, and from where. IronCore feeds these events to your customer’s Security and Incident Event Management (SIEM) system so your cus- Encryption Service Gemalto AWS KMS Azure PKCS #11 Proprietary Proprietary
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 9 CMK: What architects need to know tomer’s security and compliance teams can use their existing monitoring and reporting systems rather than needing to adopt and look at yet another dashboard. A wide vari- ety of SIEMs are supported. IronCore audit events bolster the logs generated directly from your customer’s KMS with richer details needed for data maps, investigations, and compliance reporting. Audit events and telemetry information are also available to your application. Improving Performance and Availability with Key Leasing The CMK pattern uses a remote call to your customer’s network every time data is encrypted or decrypted. Remote calls introduce latency whenever sensitive data is ac- cessed. The reliance on your customer’s network to be online and reachable introduces uptime risks that threaten the availability terms of your service level agreements (SLAs). Key leasing is an alternate approach supported by IronCore’s Encryption Service. Key-leasing relies on three layers of keys, in which the customer’s KMS delegates limit- ed control to the IronCore Encryption Service. Key leasing uses three layers of keys Definitions LEK The lease encryption key (LEK) is delegated by the KMS to serve as a local key encryption key. MK The LEK is encrypted (wrapped) by a Master Key (MK). In key leasing, the envelope encryption pattern is applied twice. The MK is the key encryp- tion key for the LEK and the LEK is the key encryption key for the DEK. The MK never leaves the KMS. ELEK The encrypted lease encryption key (ELEK). Operations lease / refresh // ES calls KMS, caches LEK with short Time-To-Live { LEK, ELEK } = leaseKeys() encrypt3-level { EDEK, ciphertext } = encrypt(plaintext) composed by... DEK = generateKey() // ES EDEK = wrap(DEK, LEK) // ES encrypts DEK with LEK ciphertext = encrypt(plaintext, DEK) // SDK decrypt3-level plaintext = decrypt(ciphertext, EDEK) composed by... DEK = unwrap(EDEK, LEK) // ES decrypts EDEK with LEK plaintext = decrypt(ciphertext, DEK) // SDK You can implement key leasing as part of a DIY implementation, but it requires more trust from your customer. Using a third-party encryption service, even if run locally, miti- “Firms should consider greater use of encryption and BYOK, especially for the cloud...to both address growing compliance mandates and also to move to industry best practices.” - 451 Research
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 10 CMK: What architects need to know gates that issue. Customers typically embrace key leasing for better performance and availability. Avail- ability is improved because keys are leased asynchronously and decryption does not need to wait for a lease renewal. By default, IronCore renews leases every 5 minutes but will hold a key for up to an hour before wiping the leased key if the remote key serv- er remains unavailable. See the sequence diagram in Appendix A for additional details. If you implement key-leasing, your customer’s KMS can no longer independently log data access events. IronCore’s key-leasing implementation streams rich audit events to your customer’s SIEM infrastructure in this mode. Configuration Broker The IronCore configuration broker lets your customer configure the many settings that are part of their security policy, key management infrastructure, and SIEM system. It is branded with your logo as a SaaS provider and allows your customers to self-serve. The IronCore Configuration Broker is in a zero trust position and uses end-to-end en- cryption. IronCore encrypts sensitive information, such as KMS access credentials, in the browser of your customer’s administrator, and the configuration can only be decrypt- ed by the encryption service instances at point of use. The encrypted configuration is stored by IronCore for distribution to encryption service instances. IronCore cannot read the sensitive information it brokers. In a DIY implementation, you should be careful with how you handle your customer’s sensitive configuration information and have your code independently audited.
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 11 CMK: What architects need to know Note that as its own SaaS application, the Configuration Broker is continually updated with new integrations. Native KMS Management Key lifecycle management is the concept that keys are “born,” serve a useful lifetime, and are eventually archived or revoked. Your customer’s security organization has strict policies governing key lifecycles. Once your customer initially configures CMK via the configuration broker, they perform all key lifecycle management from their native KMS or HSM. IronCore ties encrypted information back to the KMS and key that was used to encrypt the data, and automati- cally tracks key rotations. Your customers prefer to maintain control using their KMS, and it reduces your technical support costs. A Note on Trust Models and End-to-End Encryption Trust is a characteristic of a security architecture. CMK is a trust-but-verify model, in which you encrypt and decrypt data on the server-side. You can access data, but your customer has control over encryption keys. End-to-end encryption uses a stronger zero-trust model. By default, services do not have access to encrypted data. You typically encrypt and decrypt on the client or from a cloud service with privileged identity. IronCore provides end-to-end encryption options in addition to CMK, and the approach- es can be mixed. We recommend that SaaS vendors begin with server-side CMK and selectively and iteratively provide client-side protections for the most sensitive data. For example, it’s common for SaaS applications to provide CMK protection of records and fields and end-to-end encryption of sensitive, opaque file attachments. Iterative Approaches Most commercial implementations of data privacy and security are delivered iteratively. For example, when Salesforce launched their Shield Encryption Platform, only custom fields and manual key management were supported. Over several years they added attachments and selected standard fields. With each release, the list of standard fields has grown. In Winter 2019 they are extending encrypted fields to applications listed on AppExchange, and adding a “cache-only key service” which provides true CMK support. Sample CMK Offerings: Slack EKM Salesforce Shield Box KeySafe Microsoft BYOK
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 12 CMK: What architects need to know To get started in your own system, look to the sensitivity and shape of your data. Sen- sitivity is a data classification such as restricted, private or public. Shape is the format of your persisted data - files or buckets, database records and fields, log files, search indices or message queues. Don’t start out encrypting all data in all shapes. Identify the most critical and sensitive data stored in easily supported systems (e.g., files or buckets). Add more data elements and additional persistence systems over time. Ship progress to immediately shorten sales cycles and create market differentiation. CONCLUSION For many large enterprises, Customer Managed Keys (CMK) are becoming a baseline requirement for cloud software. IronCore provides a turnkey solution that is quickly and easily integrated to get you to market faster with security that is a competitive differenti- ator. With IronCore, you integrate once to support many KMSes. Your customers get a secure interface to manage their KMS configuration without providing that data to you. For more sensitive data, you can encrypt end-to-end on the same platform. The develop- er experience is simple and continuously improved. NCC Group audits critical security code. Policy driven controls and rich logging are supported out of the box. Performance and availability are optimized. Most importantly, integrating IronCore accelerates your roadmap and eliminates com- plex security technical debt. Cloud security is evolving rapidly in response to new gov- ernment regulation and increasing system complexity. IronCore tracks these changes and keeps you current with the latest, most secure options for you and your customers. “Buyers of cloud service and mobile devices should demand that providers offer them the option of managing their own encryption keys.” - Gartner
© IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 13 CMK: What architects need to know APPENDIX A: KEY LEASING AND AVAILABILITY
ABOUT IRONCORE We are a data privacy platform for application layer encryption and customer managed keys (CMK). We enable software developers and businesses to rapidly build enterprise applications with strong data control. Data own- ers decide who can access their data, monitor how it’s used, when, where, and by whom, and can revoke that access at any time. We are the fastest and easiest way to control data in multi-cloud and SaaS environments. Copyright © 2019, IronCore Labs. All rights reserved. This document is provided for information purpos- es only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. IronCore Labs Inquiries 1750 30th Street #500 Email: info@ironcorelabs.com Boulder, CO 80301, USA Phone: +1.415.968.9607 CONNECT WITH US blog.ironcorelabs.com linkedin.com/company/ironcore-labs twitter.com/ironcorelabs ironcorelabs.com 1.0.1

Recommandé

Rethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationRethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationIronCore Labs
 
How to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeHow to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeIronCore Labs
 
CCPA: What You Need to Know
CCPA: What You Need to KnowCCPA: What You Need to Know
CCPA: What You Need to KnowIronCore Labs
 
How to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationHow to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationIronCore Labs
 
How to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppHow to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppIronCore Labs
 
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)IronCore Labs
 
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearThe Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearIronCore Labs
 
2018 acm-scc-presentation
2018 acm-scc-presentation2018 acm-scc-presentation
2018 acm-scc-presentationIronCore Labs
 

Recommandé

Rethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationRethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationIronCore Labs
 
How to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeHow to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeIronCore Labs
 
CCPA: What You Need to Know
CCPA: What You Need to KnowCCPA: What You Need to Know
CCPA: What You Need to KnowIronCore Labs
 
How to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationHow to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationIronCore Labs
 
How to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppHow to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppIronCore Labs
 
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)IronCore Labs
 
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearThe Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearIronCore Labs
 
2018 acm-scc-presentation
2018 acm-scc-presentation2018 acm-scc-presentation
2018 acm-scc-presentationIronCore Labs
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsJean Silva
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogueitservices996
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jNeo4j
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

Contenu connexe

Dernier

Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsJean Silva
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogueitservices996
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jNeo4j
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 

Dernier (20)

Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero results
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogue
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 

En vedette

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

En vedette (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

CMK: What Architects Need to Know

  • 1. CMK: WHAT ARCHITECTS NEED TO KNOW A white paper on Customer Managed Keys
  • 2. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 2 CMK: What architects need to know WHAT IS CMK? Customer Managed Keys, or CMK, is a cloud architecture that gives customers owner- ship of the encryption keys that protect some or all of their data stored in SaaS applica- tions. CMK is known by many names: • EKM - Enterprise Key Management • BYOK - Bring Your Own Keys • CSK - Customer Supplied Keys • BYOE - Bring Your Own Encryption Regardless of name, CMK has these characteristics: • Per-tenant encryption for some or all customer data. • Your customer (tenant) manages a master key or keys needed for decryption. • Your customer can independently monitor all data access. • Your customer can independently revoke access at any time. This whitepaper gives cloud, enterprise, and software architects technical context behind CMK, presents a reference architecture, and discusses implementation patterns and tradeoffs. HOW CMK GENERALLY WORKS In CMK, you encrypt sensitive customer data before you store it. When you need data access, you call your customer’s infrastructure to get the decryption key. Your custom- er can revoke access by refusing to return the key, and they get an independent audit event on every request. You Store Encrypted Data + Encrypted Keys App Layer Data Layer KMS SIEM Your Customer Controls Keys and Audits Access “For many large enterprises, ownership and control of encryption keys is a baseline requirement for SaaS adoption.” - Forrester
  • 3. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 3 CMK: What architects need to know The Envelope Encryption Pattern Storing and encrypting data in CMK involves multiple layers of keys. The typical ap- proach uses two layers and is referred to as “envelope encryption.” In envelope encryp- tion, you first encrypt data with a data encryption key or DEK. You use a second master key, or MK, to encrypt the DEK, producing an Encrypted DEK or EDEK. You have access to the DEK while you are encrypting or decrypting, but you agree to wipe the key from memory after use. You never persist the DEK to storage. Instead, you store the encrypted DEK, or EDEK, alongside encrypted data. Typically you add a col- umn to your database schema or persist the EDEK as object metadata. The process of encrypting a key is known as key wrapping. The wrapping key is generi- cally called a key encryption key or KEK. In CMK, the MK needed to decrypt the EDEK is held by the customer’s Key Management System (KMS). You ask the KMS to decrypt the EDEK. If the KMS grants access, it will unwrap and return a DEK which you in turn use to decrypt data. You then wipe the DEK from memory. The master key never leaves control of your customer. In a two-level hier- archy, the MK serves the role of the key encryption key. DEK EDEK Data Encrypted Data wiped after use MK
  • 4. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 4 CMK: What architects need to know Envelope encryption with two keys Definitions plaintext Unencrypted data ciphertext Encrypted data DEK The data encryption key (DEK) is the key used to encrypt plaintext data. In practice, the DEK always uses symmetric encryption. KEK The DEK is wrapped (encrypted) by a key encryption key (KEK). In prac- tice, a KEK can be symmetric or asymmetric (public/private key pair). EDEK The encrypted data encryption key. MK The Master Key controlled by the Customer KMS. The MK serves the role of the key encryption key. The MK never leaves the Customer KMS. Operations encrypt2-level { EDEK, ciphertext } = encrypt(plaintext) composed by... // The customer KMS generates a DEK and wraps it { DEK, EDEK } = generateKeys() // The DEK is wiped from memory after use ciphertext = encrypt(plaintext, DEK) decrypt2-level plaintext = decrypt(ciphertext, EDEK) composed by... // The customer KMS unwraps the EDEK with its MK DEK = unwrap(EDEK) // the DEK is wiped from memory after use plaintext = decrypt(ciphertext, DEK) Customer Control and Independent Audit CMK allows your customer to independently revoke and transparently monitor access to their data stored in your SaaS application. Basically, if your company shows up in the news with the term “breach,” your customers want to kill access immediately. As CMK increasingly becomes labeled a “best practice,” your customers are contractually (e.g. insurance) and legally (e.g. HIPAA) obligated to insist on its adoption. The sequence diagram below shows the decryption data flow. Notice how the log re- quest data flow provides independent monitoring and the 403 allows revocation.
  • 5. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 5 CMK: What architects need to know Customer data is encrypted and decrypted locally in your infrastructure using high- speed symmetric encryption operations. Only the EDEK, a small payload, goes back to your customer’s infrastructure to be unwrapped. We’ll see later that EDEK decryption can be further optimized. IRONCORE CMK ARCHITECTURE IronCore provides a turnkey CMK Implementation that you can quickly and easily inte- grate into your SaaS application. Even if you decide to implement your own CMK solu- tion, the IronCore architecture can inform your technical approach. App Layer Data Layer Encryption Service Configuration Broker Memory only Docker container Configuration on startup and as needed Zero-Trust, End-to-End Encryption Gemalto AWS Azure CloudTrail Splunk LogRhythm Web Browser (Admin) SaaS Provider Infrastructure KMS SIEM SDK
  • 6. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 6 CMK: What architects need to know Data Layer CMK is a server-side approach to encryption. Generally speaking, you want to encrypt on your server as early as possible and decrypt as late as possible. In practice, the easi- est way to integrate is to find persistence layers and encrypt where fetch/store activities happen. Finding the right data seam is often the most challenging aspect of integration. Look for the following: • Anywhere fetch and store have been consolidated to make access control more reli- able. • Data transfer objects used to serialize and deserialize. • Code generated from formal data interface definitions such as protobuf, GraphQL, or Swagger. When you have identified one or more data seams, use the IronCore SDK API calls: A core design principle of IronCore’s service is to remove decisions from individual developers. Getting security and cryptography right is notoriously error-prone. The Iron- Core API is simple. Encryption policy is metadata-driven and separated as a cross-cut- ting concern. In this way policy enforcement is architected directly into your platform and access rules are defined, tested and audited by security specialists. The IronCore SDK is embedded in your data layer and hides the details of enve- lope encryption. The SDK gets a generated DEK and EDEK from the encryption service (ES, discussed below). The SDK encrypts plaintext to ciphertext with the DEK. The DEK is wiped from memory and the EDEK and ciphertext are returned to the data layer of your SaaS application. On decrypt, the SDK makes a request to the encryption service to unwrap the EDEK. The SDK decrypts the ciphertext and wipes Writing on an iMessage vulnerability… “There is an important lesson in this: security is hard. Apple Computer has one of the best security teams on the planet. This feature was not tossed out in a day; it was designed and implemented with a lot of thought and care. If this team could make a mistake like this, imagine how bad a security feature is when implemented by a team without this kind of expertise. Getting security right is hard for the best teams in the world. It’s impossible for most teams.” - Bruce Schneier
  • 7. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 7 CMK: What architects need to know the DEK from memory. The plaintext is returned to the data layer of your application. IronCore provides a batch API for parallel encryption and decryption operations. The en- cryption server is horizontally scalable and has an optional key leasing mode discussed below. This enables highly performant batch operations. Metadata CMK gives your customers the ability to independently monitor data access. The meta- data passed on encrypt and decrypt operations enriches the information included in this audit trail. Default metadata properties define who (tenant and user), what (data label or clas- sification), and where (end user IP address or data center location). You can augment metadata with custom properties for addi- tional audit, policy and control. Audit trails are logged to your customer’s preferred Security and Incident Event Man- agement (SIEM) system. In addition to the log events produced by your customer’s KMS, IronCore’s implementation streams enriched events and telemetry to your customer’s SIEM infrastructure. Joins, Filters and Search CMK does not impact joins as primary and foreign keys should not be encrypted. Sorting and filtering of encrypted fields can be performed in-memory with no security implications. If in-memory is not possible or practical, an order-revealing or order-pre- “Data privacy concerns are causing significant sales cycle delays for up to 65 percent of businesses worldwide.” - Cisco Privacy Study
  • 8. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 8 CMK: What architects need to know serving encryption scheme may be appropriate. IronCore works with customers to determine what is needed and appropriate while explaining security trade-offs. Encryption Service The Encryption Service (ES) facilitates the encryption and decryption of DEKs and EDEKs. It communicates with your customer’s KMS or Hardware Security Module (HSM) to provide control and auditing. With IronCore, you integrate once and immediately gain support for all popular KMS configurations. The ES integrates with key management systems and hardware security modules from Gemalto, AWS, Azure, GCP and other vendors. Leveraging IronCore makes if practical for your SaaS application to implement CMK without the integra- tion complexity and ongoing technical debt associ- ated with supporting, testing and auditing new and updated customer key management infrastructure. In some configurations, the ES performs encrypt and decrypt operations in the service using keys leased from the customer’s KMS. In other configurations, the customer’s KMS performs all of the wrapping and unwrapping. The Encryption Service has no persisted state. It is a multi-tenant Docker container that runs in your infrastructure and scales horizontally. It configures itself by calling the Con- figuration Broker (discussed below) on startup and as needed. IronCore encrypts the configuration used to access tenant KMS systems with end-to-end encryption. Not even administrators can access this information. In a do-it-yourself (DIY) scenario, you need to safeguard KMS secrets carefully. IronCore’s code is independently audited by the NCC Group, a firm that specializes in cryptography services. IronCore transparently publishes security and trust information in our Trust Center where we discuss our SOC2 certification, privacy measures, and other industry standards. The IronCore Encryption Service generates audit events indicating every access of data, what was accessed, by whom, and from where. IronCore feeds these events to your customer’s Security and Incident Event Management (SIEM) system so your cus- Encryption Service Gemalto AWS KMS Azure PKCS #11 Proprietary Proprietary
  • 9. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 9 CMK: What architects need to know tomer’s security and compliance teams can use their existing monitoring and reporting systems rather than needing to adopt and look at yet another dashboard. A wide vari- ety of SIEMs are supported. IronCore audit events bolster the logs generated directly from your customer’s KMS with richer details needed for data maps, investigations, and compliance reporting. Audit events and telemetry information are also available to your application. Improving Performance and Availability with Key Leasing The CMK pattern uses a remote call to your customer’s network every time data is encrypted or decrypted. Remote calls introduce latency whenever sensitive data is ac- cessed. The reliance on your customer’s network to be online and reachable introduces uptime risks that threaten the availability terms of your service level agreements (SLAs). Key leasing is an alternate approach supported by IronCore’s Encryption Service. Key-leasing relies on three layers of keys, in which the customer’s KMS delegates limit- ed control to the IronCore Encryption Service. Key leasing uses three layers of keys Definitions LEK The lease encryption key (LEK) is delegated by the KMS to serve as a local key encryption key. MK The LEK is encrypted (wrapped) by a Master Key (MK). In key leasing, the envelope encryption pattern is applied twice. The MK is the key encryp- tion key for the LEK and the LEK is the key encryption key for the DEK. The MK never leaves the KMS. ELEK The encrypted lease encryption key (ELEK). Operations lease / refresh // ES calls KMS, caches LEK with short Time-To-Live { LEK, ELEK } = leaseKeys() encrypt3-level { EDEK, ciphertext } = encrypt(plaintext) composed by... DEK = generateKey() // ES EDEK = wrap(DEK, LEK) // ES encrypts DEK with LEK ciphertext = encrypt(plaintext, DEK) // SDK decrypt3-level plaintext = decrypt(ciphertext, EDEK) composed by... DEK = unwrap(EDEK, LEK) // ES decrypts EDEK with LEK plaintext = decrypt(ciphertext, DEK) // SDK You can implement key leasing as part of a DIY implementation, but it requires more trust from your customer. Using a third-party encryption service, even if run locally, miti- “Firms should consider greater use of encryption and BYOK, especially for the cloud...to both address growing compliance mandates and also to move to industry best practices.” - 451 Research
  • 10. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 10 CMK: What architects need to know gates that issue. Customers typically embrace key leasing for better performance and availability. Avail- ability is improved because keys are leased asynchronously and decryption does not need to wait for a lease renewal. By default, IronCore renews leases every 5 minutes but will hold a key for up to an hour before wiping the leased key if the remote key serv- er remains unavailable. See the sequence diagram in Appendix A for additional details. If you implement key-leasing, your customer’s KMS can no longer independently log data access events. IronCore’s key-leasing implementation streams rich audit events to your customer’s SIEM infrastructure in this mode. Configuration Broker The IronCore configuration broker lets your customer configure the many settings that are part of their security policy, key management infrastructure, and SIEM system. It is branded with your logo as a SaaS provider and allows your customers to self-serve. The IronCore Configuration Broker is in a zero trust position and uses end-to-end en- cryption. IronCore encrypts sensitive information, such as KMS access credentials, in the browser of your customer’s administrator, and the configuration can only be decrypt- ed by the encryption service instances at point of use. The encrypted configuration is stored by IronCore for distribution to encryption service instances. IronCore cannot read the sensitive information it brokers. In a DIY implementation, you should be careful with how you handle your customer’s sensitive configuration information and have your code independently audited.
  • 11. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 11 CMK: What architects need to know Note that as its own SaaS application, the Configuration Broker is continually updated with new integrations. Native KMS Management Key lifecycle management is the concept that keys are “born,” serve a useful lifetime, and are eventually archived or revoked. Your customer’s security organization has strict policies governing key lifecycles. Once your customer initially configures CMK via the configuration broker, they perform all key lifecycle management from their native KMS or HSM. IronCore ties encrypted information back to the KMS and key that was used to encrypt the data, and automati- cally tracks key rotations. Your customers prefer to maintain control using their KMS, and it reduces your technical support costs. A Note on Trust Models and End-to-End Encryption Trust is a characteristic of a security architecture. CMK is a trust-but-verify model, in which you encrypt and decrypt data on the server-side. You can access data, but your customer has control over encryption keys. End-to-end encryption uses a stronger zero-trust model. By default, services do not have access to encrypted data. You typically encrypt and decrypt on the client or from a cloud service with privileged identity. IronCore provides end-to-end encryption options in addition to CMK, and the approach- es can be mixed. We recommend that SaaS vendors begin with server-side CMK and selectively and iteratively provide client-side protections for the most sensitive data. For example, it’s common for SaaS applications to provide CMK protection of records and fields and end-to-end encryption of sensitive, opaque file attachments. Iterative Approaches Most commercial implementations of data privacy and security are delivered iteratively. For example, when Salesforce launched their Shield Encryption Platform, only custom fields and manual key management were supported. Over several years they added attachments and selected standard fields. With each release, the list of standard fields has grown. In Winter 2019 they are extending encrypted fields to applications listed on AppExchange, and adding a “cache-only key service” which provides true CMK support. Sample CMK Offerings: Slack EKM Salesforce Shield Box KeySafe Microsoft BYOK
  • 12. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 12 CMK: What architects need to know To get started in your own system, look to the sensitivity and shape of your data. Sen- sitivity is a data classification such as restricted, private or public. Shape is the format of your persisted data - files or buckets, database records and fields, log files, search indices or message queues. Don’t start out encrypting all data in all shapes. Identify the most critical and sensitive data stored in easily supported systems (e.g., files or buckets). Add more data elements and additional persistence systems over time. Ship progress to immediately shorten sales cycles and create market differentiation. CONCLUSION For many large enterprises, Customer Managed Keys (CMK) are becoming a baseline requirement for cloud software. IronCore provides a turnkey solution that is quickly and easily integrated to get you to market faster with security that is a competitive differenti- ator. With IronCore, you integrate once to support many KMSes. Your customers get a secure interface to manage their KMS configuration without providing that data to you. For more sensitive data, you can encrypt end-to-end on the same platform. The develop- er experience is simple and continuously improved. NCC Group audits critical security code. Policy driven controls and rich logging are supported out of the box. Performance and availability are optimized. Most importantly, integrating IronCore accelerates your roadmap and eliminates com- plex security technical debt. Cloud security is evolving rapidly in response to new gov- ernment regulation and increasing system complexity. IronCore tracks these changes and keeps you current with the latest, most secure options for you and your customers. “Buyers of cloud service and mobile devices should demand that providers offer them the option of managing their own encryption keys.” - Gartner
  • 13. © IronCore Labs, Inc. • info@ironcorelabs.com • 415-968-9607 • ironcorelabs.com 13 CMK: What architects need to know APPENDIX A: KEY LEASING AND AVAILABILITY
  • 14. ABOUT IRONCORE We are a data privacy platform for application layer encryption and customer managed keys (CMK). We enable software developers and businesses to rapidly build enterprise applications with strong data control. Data own- ers decide who can access their data, monitor how it’s used, when, where, and by whom, and can revoke that access at any time. We are the fastest and easiest way to control data in multi-cloud and SaaS environments. Copyright © 2019, IronCore Labs. All rights reserved. This document is provided for information purpos- es only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. IronCore Labs Inquiries 1750 30th Street #500 Email: info@ironcorelabs.com Boulder, CO 80301, USA Phone: +1.415.968.9607 CONNECT WITH US blog.ironcorelabs.com linkedin.com/company/ironcore-labs twitter.com/ironcorelabs ironcorelabs.com 1.0.1