Secret of End-to-end Security Unleashed - Encryption & Key Management in Vaultize

Posted by Ankur Panchbudhe on August 25 2015

In the last few years, corporate work environments have become increasingly distributed and global, more open and consumerized, more collaborative and with more sharing, highly mobile and always on. All this means that corporate data is increasingly going out there in the wild, moving across networks like the Internet, WANs, mobile networks and public WiFis, across devices like roaming laptops, smart-phones and tablets, and across users like third-party vendors, contractors, temps and partners. This clearly means that there cannot be any gap in the security and protection of corporate data and it has to be secured and protected at all times and in all places. The biggest part of the data security solution is achieved using encryption of data – in-transit, at-rest and in-use. Vaultize uses and offers various encryption technologies including US patented Vault KNOX (for in-transit and at-rest data), endpoint encryption (for at-rest data) and plugin-free enterprise digital rights management (aka EDRM, for in-use, in-transit and at-rest data).

End-to-end_File_Security

Ensuring military-grade encryption of data every stage and throughout the life cycle makes Vaultize the most secure solution available in the market, and hence the choice of enterprises in highly-regulated and security-conscious verticals like Banks, Insurance and Financial Services (BFSI), healthcare and media – including Fortune 500s to ensure end-to-end security.

Vault KNOX – End-to-end Encryption

Vault KNOX is the (patented) technology used at the core of the Vaultize enterprise file security platform. It is used across enterprise file sharing (enterprise file sync & share – EFSS), mobile collaboration and anywhere access to enterprise content management (ECM). Simply put, it allows Vaultize to do end-to-end encryption – data is encrypted right at its source and decrypted only at the destination, and only when required. This encryption in done in addition to network encryption (SSL or TLS) and, in effect, means that all Vaultize communication is as (or even more) secure as VPN. It also allows Vaultize to store the data on our servers (or cloud) in encrypted form without having to control any encryption keys (see next section for details).

Vault_KNOX_Patent_1

 The Vaultize clients (running on endpoints or mobile devices) encrypt and de-duplicate data, even before putting it on the network, for sending to the Vaultize server (or cloud). Each client uses AES 256-bit encryption algorithm for encryption and the de-duplication is done using an rsync-like technique (although the basic technology is independent of the choice of encryption and de-duplication algorithms). Each request to the server if further sent over SSL/TLS encrypted channels and the server also authorizes each and every client request using OAuth protocol.

The keys used for encryption and authorizations are big random numbers (minimum 256-bit), with each key being a composite – first part is a token used for authorization only and second part is a secret used for signing requests and also for encryption. All users get a key and so do all the groups and there’s also a key for the whole organization.

Each data item (for example, a file or email) is divided into variable-sized chunks using a sliding window technique. The Vaultize client then computes a secure hash of the chunk (e.g. using SHA-2 HMAC) and uses the hash to check with the server if the chunk is already present on the server. If it is, we don’t need to send the chunk to the server and the customer saves on bandwidth and storage. If it is not present on the server, the chunk is encrypted using a chunk key, which is a combination of a random string and the user key or group key or organization key depending on the use case. The encrypted chunk and the encrypted chunk key are now sent to the server, where are they are stored as they come-in – in source-encrypted form – server does not decrypt them and may not even have a way to decrypt them (see next section). During decryption, the reverse process happens – chunk key is decrypted using the user or group or organization key, chunk is decrypted using the chunk key and data is reassembled from the chunks. This encryption scheme means that even if a chunk key is compromised, only a chunk worth of data is compromised and rest of the data remains secure. Similarly, if a user key is compromised, not all data is compromised and most of the data remains secure.

Key Management and Data Privacy Option

The user, group and organization keys are by default kept on the Vaultize server, in a very secure manner. This is the fastest, most cost-effective and most secure way of managing Vaultize keys. On the server, keys are always stored encrypted in an encrypted database and only one process has access to this database. Additionally, any of the keys can be invalidated any time from the admin console. Keys are exchanged with clients using a protocol that utilizes techniques similar to public-key cryptography (e.g. Diffie-Hellman key exchange).

But, if customers don’t want to store their encryption and authorization keys on the Vaultize server and would like to manage their own keys in their own way, Vaultize offers a Data Privacy Option (DPO). DPO allows removal of keys (per-user or per-group) from the server after downloading them. This way, customers can retain full control over the keys and manage them any way they want. This is particularly useful with data residency or data sovereignty laws/regulations in certain regions like Europe and Canada. With DPO, Vaultize server does not have any means of decrypting the data coming in from clients.

Encryption in Enterprise Digital Rights Management (EDRM)

Vaultize EDRM extends the technology established in Vault KNOX by having a separate encryption key (e.g. AES 256-bit) for each EDRM-protected data item. Vaultize uses a patent-pending technology called micro-containerization to encrypt and protect contents and meta-data of each data item inside a “micro-container”. Micro-containerization is agnostic to file formats, platforms/OS and file systems. A data item cannot be accessed without opening its micro-container. The micro-container supports features like passwords, expiry, self-destruct and remote wiping. EDRM rights, permissions, policies and keys are never stored inside the micro-container. While opening an EDRM-protected file, the key, rights, etc are retrieved from the server using a protocol similar to Diffie-Hellman key exchange.

Encryption in Mobile Content Management (MCM)

Vault KNOX technology allows  apps on mobile devices to perform secure mobility and MCM in conjunction with the server. Because of Vault KNOX, data is always delivered in encrypted form to the mobile devices and it is kept stored in that encrypted form on the device storage. This means that the data inside Vaultize mobile apps can be invalidated any time from the server with a single click, simply by invalidating the appropriate keys. Additionally, the data stored on the mobile devices is protected inside a sandbox (or container) secured using a password and a device-specific PIN.

Conclusion

Vaultize enterprise file security platform secures and protects corporate data at every stage of its lifecycle – whether it’s at rest (e.g. on storage or disk) or in-use (e.g. open in an application or being used through an API) or in-transit (e.g. being shared, copied over network). This ensures that the chances of data leakage/loss are almost zero and data can be used with highest efficiency and productivity in the modern corporate world.

With Vaultize enterprise IT gets end-to-end file security and protection of corporate data through administrative policy enforcement, controls and visibility without compromising on end-user experience. End-users get seamless access to corporate data on any device (company-managed as well as BYOD (Bring-Your-Own-Device)) – within as well as outside the corporate network (without the need of VPN) - and the ability to edit, sync and share.

Enterprise rights management, mobile content management and endpoint data protection built into the platform ensure security and protection – across devices, across users and even for the files shared with outside people.

Visit Vaultize at Booth #S7 in Gartner Security & Risk Management Summit 2015 in Mumbai (India) on Sept 1 & 2, 2015.

Gartner Security & Risk Management Summit 2015

Free White Paper: 6 Ways

 

Topics: Mobile Content Management (MCM), Digital Rights Management (DRM), Patent, data leakage prevenation, Vault KNOX, enterprise file security

Subscribe To The Blog