For many large enterprises, ownership and control of encryption keys is a baseline requirement for SaaS adoption. IronCore's Customer Managed Keys (CMK) lets SaaS application vendor offer performant, per tenant encryption with integrations to all major key management infrastructures. Get to market faster and sell more to security-conscious customers.

1. Customer Managed Keys
IRONCORE LABS
IRONCORELABS.COM | @IRONCORELABS
An Emerging Requirement for Large Enterprise Sales

2. ironcorelabs.com// @IronCoreLabs
WHAT IS CMK?
Per-tenant encryption for some data
All data access is logged in an audit trail
Master key(s) used to decrypt are held by the customer
Customer can revoke access

3. ironcorelabs.com// @IronCoreLabs
GDPR / NEW PRIVACY REGS TRICKLE-DOWN FEATURES
DATA SOVEREIGNTYBREACH APOCALYPSE
ANALYSTS BEST PRACTICES
In part because of breach disclosure laws and in
part due to the climbing complexities of systems,
big companies are getting pwned left and right
and making big headlines.
New privacy laws mean companies must have
greater control of and visibility into their data to
operate in various countries.
Analysts love CMK and are out telling companies
that they should be demanding it.
The top-tier companies now offer CMK so companies
are trying to push it to their other vendors.
In many jurisdictions, certain data isn’t allowed to
leave (in readable form). An alternative to creating
data centers everywhere is to keep the keys in-
country.
Folks, including especially analysts, are starting
to call CMK a “best practice” and this has huge
implications for what companies are contractually
(ie with insurance provider) and legally (ie with
HIPAA) obligated to do.
ironcorelabs.com// @IronCoreLabs
WHY?
Everyone is getting more sensitive to storing data in the cloud

4. ironcorelabs.com// @IronCoreLabs
MAJOR SAAS LOGOS OFFER CMK

5. ironcorelabs.com// @IronCoreLabs
HOW CMK WORKS

6. ironcorelabs.com// @IronCoreLabs
Algorithm AES
Mode
ECB
CBC
OFB
CFB
GCM
CTR
XTS
OCB
Key Size
128
192
256
Asymmetric
RSA Key Size
Elliptic Curve
CA / validation
Curve Choices
Symmetric
Protocols
KMIP
PKCS#11
Google/AWS proprietary
HSMs
Gemalto
Safenet
AWS
Azure
Thales
Connection
SIEM
Key Management
Supported Systeems Languages
Libraries Interoperable formats?
Audit Scheme
Code
Rotation
Revocation
Backup
Dual controls
Common Log File System (CLFS)
Common Event Format (CEF)
Vendor
Arcsight
Splunk
Logrhythm
Trustwave
Public IPs for HSM?
VPN Configuration Rotation / refreshChoices
IF YOU DIY…

7. ironcorelabs.com// @IronCoreLabs
1 2
3
1
Stateless low-latency,
Keys are never persisted
2
Customer manages keys &
options independently
3
Data Layer
App Layer
Encryption
Service
KMS / HSM Configuration
Broker
Single point of
integration
(Typically API level)
IRONCORE SIMPLIFIES CMK

8. ironcorelabs.com// @IronCoreLabs
Client-sideServer-side
Per-tenant key-remote Per-tenant key- local Per user, end-to-end
YOU MAKE POLICY CHOICES
PRIVATE SECRET TOP-SECRET

9. ironcorelabs.com// @IronCoreLabs
Proprietary
KMIP
PKCS#11
Proprietary
Gemalto
AWS
Azure
GCP
SaaS App
Enterprise One
Enterprise Two
Enterprise Three
Enterprise Four
KMIP
Proprietary
PKCS#11
Proprietary
THE ENCRYPTION SERVICE HANDLES THE DETAILS

10. ironcorelabs.com// @IronCoreLabs
Only a few lines of code.
(EDEK, ciphertext) = IRON.encrypt(metadata, plaintext);
plaintext = IRON.decrypt(metadata, ciphertext, EDEK);
(DEK, EDEK) = IRON.wrap(metadata);
DEK = IRON.unwrap(metadata, EDEK);
INTEGRATION IS SIMPLE

11. ironcorelabs.com// @IronCoreLabs
ALL IN ONE EASY UI

12. ironcorelabs.com// @IronCoreLabs
SUMMARY
Accelerate your roadmap
Greater control means easier compliance
Integrate once, support many KMSs and gain policy-driven controls
Low latency, high availability