Much of our documentation is aimed at a vendor: a company supplying a SaaS application to its customers, or tenants. But we can also talk about these parties as the data holder, the organization that collects, stores, and manages data on behalf of its users, and the key holder, the organization that manages the encryption keys used to secure an individual customer’s data. SaaS Shield makes it easy for each tenant to be their own key holder, but it includes features that allow the data holder to also control keys for groups of tenants until they are ready to supply and manage their own keys.
Once the data holder’s applications are using a SaaS Shield Tenant Security Client SDK to encrypt and decrypt data, each key holder can use the SaaS Shield Configuration Broker application to configure one of several Key Management Systems (KMSes) to secure the keys used to protect customer data in the data holder’s system. Cloud-based KMSes are the most common choice, but some KMSes can instead be hosted in the key holder’s computing infrastructure.
Once the data holder has invited an admin for a key holder and that admin has set up their organization’s account, the key holder’s admin can use the steps in these integration guides to configure a KMS to secure their data.