SaaS Shield Data Continuity Planning

We have designed our systems to be highly available and reliable. However, in the event that the Configuration Broker is unavailable for an extended period of time and all of your Tenant Security Proxies no longer have access to their configurations, you may need a way to recover encrypted data independently of IronCore. This is an extremely unlikely scenario, but robust disaster recovery and continuity planning requires to you prepare for such situations. We provide information to help you develop a “What if IronCore and all their services are hit by a meteor storm” recovery plan.

A full NodeJS code example of this process is available in our TSC-node disaster recovery example. The same process laid out there can be applied in any language. The documentation walks you through the process of recovering the Document Encryption Key (DEK) for a document encrypted using SaaS Shield, which will allow you to decrypt the document itself. It also describes the process to follow to decrypt data that was encrypted using SaaS Shield’s deterministic encryption feature.

Recovering deterministically encrypted data requires you to have a copy of the encrypted tenant secrets that are used to derive keys. These encrypted secrets can be retrieved from the Configuration Broker, or they can be fetched using the Vendor Bridge. The Vendor Bridge secrets API provides filtering by tags, so if you are using tags to confine encryption keys and related material to specific regions (such as for data sovereignty purposes), you can retrieve just the subset of secrets appropriate for a particular region from the Vendor Bridge.

These encrypted secrets must be securely archived so that they can be reliably retrieved by secret ID in a disaster recovery scenario.