Addressing Privacy Through the Egnyte Key Management Solution
It seems like these days every cloud company is claiming to be secure. They may even throw out some technical jargon to “prove” why it’s true, but is it really? At Egnyte, we believe that type of thinking is flawed and outdated. To be sure, security is very important, but it is only one component of our ultimate goal, which is privacy. For example, a cloud company that implements strong encryption but uses your personal information for marketing purposes (with your consent) may be secure, but it isn’t very private.

In the spirit of continuous improvement, we have expanded this thinking to include encryption keys. This means that not only can you choose how your keys are managed, but also where they are kept, who manages them, and who has access to them. Before we go into details, let’s review the basics.

The most secure way to manage encryption keys requires the use of a Hardware Security Module, or HSM. HSMs offer a couple of big benefits:
- They offload and accelerate cryptographic operations to a processor dedicated for this purpose. This reduces bottlenecks and increases application performance.
- They centralize the lifecycle management of cryptographic keys—from generation, distribution, rotation, storage, termination, and archival— in a purpose-built, highly secure appliance.
HSMs come in many shapes and sizes, and like most things, each option comes with trade-offs. On the one hand, cloud-based HSM services offer faster setup times and simpler operation, but you have to rely on the cloud provider for several of the operations described above. On the other hand, an on-premises HSM gives you total control and the highest level of privacy, but it comes with more complexity and an upfront CAPEX cost. Ultimately, the right decision comes down to meeting your regulatory requirements and the level of privacy your company wants, within your budget and staff expertise.

Most of our customers prefer Egnyte to take care of their encryption keys for them. Some with more stringent regulations or high privacy standards have asked us to go a step further, either by extending support for HSMs deployed in their other cloud services (e.g. Azure or AWS), or by supporting on-premises HSMs (e.g. SafeNet). Our engineering team got to work, and now we are announcing immediate support for two new key management options. Depending on your needs, we can manage your keys for you, or you can manage your own keys in a hybrid way, either using a cloud provider or with your on-premises HSM in your datacenter.

Manage your keys using a cloud HSM provider

This option is ideal if you want to limit access to your keys, set key rotation policies, and comply with corporate mandates, without having to deploy and manage hardware on premises. This is also a great option if you already use Azure KeyVault or AWS CloudHSM for other apps and want to standardize on a single key management provider for all of your applications. Supported providers:
- Azure KeyVault (https://azure.microsoft.com/en-us/services/key-vault/)
- AWS CloudHSM (https://aws.amazon.com/cloudhsm/).
Manage your keys using an on-premises HSM in your datacenter

This option is best if you want total control over your key management in order to comply with strict regulatory standards or obtain the highest level of privacy. Integrating Egnyte with the HSM in your datacenter will give you complete control and privacy without sacrificing usability and functionality for your users. This is also a good option if you already have a KMIP-compliant HSM, like a SafeNet, that you want to reuse.

In all scenarios where customers manage their keys, they not only rely on Egnyte to sync and share, but also to encrypt and decrypt their content, while the master key always remains in their control. These customers are free to change their keys on their schedule and still retain complete functionality of the Egnyte application. Furthermore, irregular usage of the HSM can be monitored and alerted on via a SIEM (Security Information and Event Management) tool, and keys can be revoked or rotated as desired.

With our Egnyte Key Management™ offering, we have delivered a usable feature that had previously been limited to only a few large enterprises, and we would love to see you try it out.
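The customer-managed scenario just described (the service encrypts and decrypts content, the master key never leaves the customer's HSM, and the customer can rotate or revoke it at will) is the envelope-encryption pattern. The following Go program is an added illustration of that pattern and is not Egnyte's code; `SimulatedHSM` is a hypothetical in-process stand-in for a KMIP HSM or a cloud key vault, and every name in it (`Wrap`, `Unwrap`, `Rotate`, `Revoke`, `EncryptedFile`, `RewrapFile`) is an assumption made for the example. Each file is encrypted under its own data key with AES-GCM; only that small data key is sent to the HSM to be wrapped under the current master key version. Rotating the master key therefore means re-wrapping data keys, not re-encrypting content, and revoking a version makes everything still wrapped under it unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrKeyRevoked = errors.New("master key version not available")

// SimulatedHSM is a hypothetical stand-in for a customer-controlled HSM or cloud key
// vault: master keys (KEKs) are held by version, only wrap/unwrap/rotate/revoke are
// exposed, and KEK bytes never leave it.
type SimulatedHSM struct {
	keks    map[int][]byte
	current int
}

// NewSimulatedHSM starts with one active master key, version 1.
func NewSimulatedHSM() (*SimulatedHSM, error) {
	h := &SimulatedHSM{keks: map[int][]byte{}}
	return h, h.Rotate()
}

// Rotate adds a fresh 256-bit master key as current; older versions stay available
// so data keys wrapped under them still unwrap until the customer revokes them.
func (h *SimulatedHSM) Rotate() error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { return err }
	h.current++
	h.keks[h.current] = kek
	return nil
}

// Revoke destroys a version; anything still wrapped under it is unrecoverable.
func (h *SimulatedHSM) Revoke(version int) { delete(h.keks, version) }

// Wrap encrypts a data key under the current master key and reports the version used.
func (h *SimulatedHSM) Wrap(dek []byte) (int, []byte, error) {
	blob, err := seal(h.keks[h.current], dek)
	return h.current, blob, err
}

// Unwrap recovers a data key, failing cleanly if that version was revoked.
func (h *SimulatedHSM) Unwrap(version int, blob []byte) ([]byte, error) {
	kek, ok := h.keks[version]
	if !ok { return nil, ErrKeyRevoked }
	return open(kek, blob)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal returns nonce||AES-GCM ciphertext under a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open authenticates and decrypts a blob produced by seal.
func open(key, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	ns := aead.NonceSize()
	if len(blob) < ns { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// EncryptedFile is what the service stores: content under a per-file data key,
// plus that data key wrapped by the customer's master key.
type EncryptedFile struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptFile makes a per-file data key, encrypts the content, has the HSM wrap the
// key, and keeps no plaintext copy of the data key.
func EncryptFile(h *SimulatedHSM, content []byte) (*EncryptedFile, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, content)
	if err != nil { return nil, err }
	v, wrapped, err := h.Wrap(dek)
	return &EncryptedFile{KEKVersion: v, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptFile unwraps the data key through the HSM, then decrypts the content.
func DecryptFile(h *SimulatedHSM, f *EncryptedFile) ([]byte, error) {
	dek, err := h.Unwrap(f.KEKVersion, f.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, f.Ciphertext)
}

// RewrapFile moves a file onto the current master key version: only the small
// wrapped key changes; the bulk content ciphertext is never re-encrypted.
func RewrapFile(h *SimulatedHSM, f *EncryptedFile) error {
	dek, err := h.Unwrap(f.KEKVersion, f.WrappedDEK)
	if err != nil { return err }
	v, wrapped, err := h.Wrap(dek)
	if err == nil { f.KEKVersion, f.WrappedDEK = v, wrapped }
	return err
}
```

In a real deployment `Wrap` and `Unwrap` would be calls to the customer's HSM over KMIP or the cloud provider's API rather than in-process functions, and that call boundary is what makes the SIEM monitoring mentioned above practical: every decrypt requires an unwrap request to the HSM, so unusual unwrap volume or unwrap requests outside expected hours are visible in the HSM's own audit log. One caveat of this design, labelled as such: revocation takes effect for any file whose data key has to be unwrapped again, so a service that caches unwrapped data keys in memory must also evict that cache when a version is revoked.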