2017-04-19 Patrick Walsh
Originally published at blog.ironcorelabs.com.
Announcing "Customer-Controlled Data"
In 2015, Box released their Customer Managed Keys solution to a great deal of excitement. The promise is huge: an organization gets the benefits and cost savings of cloud services but keeps control of its data.
This is the holy grail for Enterprises who are otherwise reluctant to move to the cloud.
In 2016, companies spent three times as much money for on-prem software as they did on cloud services, and Gartner and Forrester attribute the lack of adoption to security and privacy concerns. Eliminating those concerns could dramatically accelerate the shift to the cloud.
No one wants to fund the staff and equipment it takes to manage and maintain on-prem software the same way it was done in the 80’s. Ain’t nobody got time for that. Cloud alternatives are cheaper, easier, and more agile.
In a perfect world, any piece of data could only be read by users who were authorized to unlock it, with no concerns of someone gaining access by exploiting a program bug, hacking into a database, or stealing a user’s password. And data owners would know exactly how their data was being used, when, and by whom, and they could revoke access from anyone at any time.
Providing this level of security and control has been difficult. Today, large-scale systems typically deal in shared secrets and passing them around. Or in some cases, there’s a central server that can decrypt things on behalf of users. In either case, the solutions are complex to manage, don’t fully deliver on security promises, and generate their own set of problems.
Eliminating security and privacy concerns could dramatically accelerate the shift to the cloud.
One approach to securing and controlling data is to encrypt all data and then keep those decryption keys close. This is the core idea behind Customer Managed Keys (CMK).
In Box’s implementation of CMK, each customer generates a public-private key pair, gives the public key to Box, and retains the private key. Each of the customer’s files is encrypted using a randomly generated AES key, and that key is encrypted to the customer’s public key. Every time a user accesses a file, Box sends this encrypted AES key to the owning organization to decrypt and return. Once Box gets the key back, it decrypts the file and sends it back to the user.
In this approach, Box sees the plain text of every file whenever a client requests it. This is limiting since:
There is no granularity of control since all data is handled the same way.
Every file fetch requires an extra round-trip call to the owning organization before the file can be decrypted and then returned, which is a huge performance issue.
Slow networks or an overloaded Hardware Security Module (HSM) could impact the perceived quality of Box’s service but are totally out of their control.
Scaling HSMs is difficult and expensive.
The owning organization can log all decryption requests, which is useful. However, if suspect behavior is detected, they have to reject all requests from Box, which consequently denies access to all of their own employees, too. Revocation of access becomes a disruptive event for the business.
In Forrester’s “Customer Managed Keys Quick Take,” they point out that this solution breaks some value-add features such as antivirus scanning, data loss prevention, and file preview functionality.
As long as the customer is processing decryption requests, Box can request the key to unlock any file and read it or turn it over to government authorities without the permission of the owner.
IronCore takes a different approach, one that brings granular access controls, provable security, and a separation between the act of encrypting a document and the determination of who can decrypt it.
Every single user and, in fact, every single device has its own public/private keypair. Data gets encrypted to a group, such as an “Employees of Org. X” group and the owner of that group (usually the administrator of the app for Org. X) can decide which users can decrypt data.
Deciding which users can decrypt data is something that can happen at any time, before or after a document is encrypted to the group. And Customers get a full audit log of any changes to groups and any decryption event.
Here are some other benefits:
1. The customer can determine exactly who has access to which documents.
No extra round-trips need to be made to decrypt data. The approach is fast and scalable.
Monitoring is built-in, and audit logs for reads are comprehensive.
Every authorized user and device has a key. Revocation is simple and granular. For example, if unusual access patterns were detected from a particular device, then that device could be independently revoked.
Server-side features, including security features like virus scanning, can be enabled, and the data owner controls the specifics.
The system is zero-trust. No server can decrypt data unless it holds keys that have been added to a relevant group for one-time or persistent access.
Cloud vendors do not necessarily get, or need, persistent access to their customers' data. If they don’t need that persistent access, then government requests must go to the organization that owns the data.
8. Cloud vendors can now sell to large Enterprises who would otherwise use on-prem software due to privacy and security concerns.
IronCore brings a separation between the act of encrypting a document and the determination of who can decrypt it.
Customer Controlled Data gives cloud vendors the tools they need to gain the trust of security conscious companies by giving the power of data control to the customer. The customer gets the promise of Customer Managed Keys without the compromises and drawbacks.
IronCore is today announcing the launch of its closed beta of Customer Controlled Data. In the coming months, we will open the beta to more companies and publicly post technical details and security proofs.
In the meantime, if Customer Controlled Data could help your organization sell more software to security conscious customers, or if you work for an organization that wishes it could leverage the cloud, but can’t because of privacy and security concerns, contact us or sign up on our beta wait list. We'd love to talk with you and to help you meet your goals.