Why Hosting Your Own Encryption Keys is Best for Security

Whether your company relies on an on-premise computing environment or you’ve fully migrated to the cloud, you rely on encryption every day to keep your data secure. Encryption is a process that scrambles readable text so data can be safely stored and sent, while decryption is a process that unscrambles data so it can be received and interpreted. You must encrypt your business data to protect it and comply with applicable data security laws.

Much of the information we send and receive online is encrypted automatically by the services we use. For example, if you send an email from your Gmail account, Google scrambles it with a Transport Layer Security (TLS) encryption before it is sent. Most email providers use TLS, so the recipient can decrypt the email regardless of whether they use Gmail.

This keeps the information contained within the email safe from prying eyes while it is in transit, although not completely. Google can still see the messages associated with your account. Regardless, any type of encryption or decryption is impossible without an encryption key.

What is an Encryption Key?

An encryption key is a random string of bits (units of information) that is generated to encrypt and decrypt data. They are created with algorithms, so every encryption key is unique and extremely difficult to crack. This makes your encryption keys highly valuable.

Although many of the digital services you use may allow you to store encryption keys using their own products, such as secure key vaults, you also have the choice to host and manage your own encryption keys. Doing so requires more resources on your part, but it also adds an extra layer of security to your business data.

Here’s why you should consider hosting your own encryption keys for better data security.

1. Control Access to Your Data More Effectively

As of 2019, about 48% of all corporate data was stored in the cloud. If you’re like most businesses, you use a cloud services provider like Microsoft Azure, Amazon Web Services (AWS), or Google Cloud.

Most providers create encryption keys so you can keep data safe in the cloud without managing the keys yourself. They usually do so with the assurance that their staff can’t see these keys, as they are stored in a digital vault. Or, they may partner with third-party vendors who handle the management of your encryption keys. This is what’s known as a bring your own key (BYOK) approach.

Although the BYOK approach is somewhat secure, storing keys with a third party still puts your data at some level of risk. The provider has control over your keys and the potential to access your data.

If your company handles sensitive or regulated data, you may be required by HIPAA, GDPR, CJIS, ITAR or other data-protection laws to manage your own encryption keys. But you should consider hosting your own security keys even if the law doesn’t require it.

By using a distributed architecture and unique symmetric keys for all your data, you can remove third-party vendors from the equation and fully host your keys in a secure environment. If you wish, you can even use your existing hardware security module (HSM) to host keys on-premise.

This keeps the keys separate from your encrypted data and ensures that vendors can’t access your data.

2. Comply with Data Legislation and Regulations More Easily

One of the most important reasons to host your own encryption keys is to comply with data security regulations. Currently, these laws vary by region, and some are only applicable to certain types of businesses. But you need an encryption key management solution that can help you comply with the most stringent data security laws, such as the following:

• The California Consumer Privacy Act (CCPA).
• Criminal Justice Information Services (CJIS).
• Cybersecurity Maturity Model Certification (CMMC), Level 3 Maturity.
• The Family Educational Rights and Privacy Act (FERPA).
• The General Data Protection Regulation (GDPR).
• The Health Insurance Portability and Accountability Act (HIPAA).
• International Traffic in Arms Regulations (ITAR).
• National Institute of Technology (NIST) 800-171 guidelines.

Although the BYOK option creates the perception of increased security, it doesn’t necessarily put you in control of your keys. Some keys may be placed on a lower tier than others. More importantly, it may not be a compliant key management framework for some of these regulations, as it adds a certain amount of risk to your data encryption regime.

The best way to ensure compliance with these laws is to manage your keys using a distributed architecture with dual layers of protection. This provides you with complete control over how can access your encryption keys, securing your data.

Host Your Own Encryption Keys with Virtru

Virtru offers multiple key management options to enable easy-to-use email and file encryption that protects data wherever it is shared and prevents third parties from ever accessing unencrypted content. Distributed architecture with dual layers of protection ensures total control over who can access the keys securing your most sensitive data.

The Virtru Private Keystore —hosted entirely on-premises—adds a layer of asymmetric encryption and lets organizations store and manage the asymmetric key pairs themselves for complete and exclusive access to the keys encrypting their data. 

This approach utilizes RSA 2048-bit asymmetric encryption key pairs hosted in your environment. Your RSA keys are used to encrypt every data key at the client so that it is never transmitted or stored in the clear. Virtru Private Keystore is hosted on-premises or in your private cloud, and uses Docker containers for rapid deployments. Virtru Private Keystore works with ACM to receive and fulfill key requests for authorized users. 

You should consider the Virtru Private Keystore if you’re looking to:

• Enable easy-to-use client-side email encryption without having to trust third parties with encryption keys or unencrypted content.
• Ensure that you are the only entity that can respond to government access requests and subpoenas.
• Meet data residency requirements by specifying the locations where your encryption keys are stored.
• Destroy encryption keys to make emails permanently unreadable.

Prior to the Virtru Private Keystore, organizations could leverage Bring Your Own Key (BYOK) approaches that allowed them to use their own keys but still required trusting their cloud provider or security vendor with hosting the keys protecting their content. This arrangement is like getting a safety deposit box but then letting the bank store its key. The cloud provider or security vendor can still access the underlying plain text content. 

Virtru is the first zero-trust key distribution service in which no third party can ever access unprotected content or the data protection keys.

The Key to Maximum Privacy and Security

The right key management framework enables both secure and user-friendly key sharing. It’s important to understand each of the four pillars before evaluating the right key setup for your organization. Compared with other encryption approaches, Virtru’s client-side encryption provides the best of both security and ease of use.

1. Key Storage: Encryption keys are always stored separately from encrypted content. Encrypted content is stored on the email and file platform provider’s cloud server infrastructure. Symmetric keys are hosted on AWS (with Virtru providing an additional layer of authentication), while asymmetric keys can be hosted exclusively on customer premises.
2. Policy Management: Revoke access, set expiration dates, disable forwarding and watermark documents upon encryption. Virtru can also see granular audit trails for shared content.
3. Authentication: Verification made easy with either existing email credentials or a message verification link.
4. Authorization: Managed exclusively by Virtru Access Control Manager (ACM).

To ensure security, administrators can use Virtru to monitor data going in and out of their domain and view audit trails of when keys have been accessed, thus gaining insight into when emails have been read and by whom. 

Equally as important, Virtru also ensures a frictionless experience by enabling encryption directly within existing email and file sharing platforms—such as Gmail, Google Drive and Microsoft Outlook. Virtru seamlessly hooks into these tools to encrypt data on the client-side, before it ever leaves your device. 

A user-friendly interface gives administrators the ability to monitor data going in and out of their domain from a centralized dashboard and view audit trails of when keys have been accessed, thus gaining insight into when emails have been read and by whom. 

Contact Virtru today to learn how our flexible key management options can help you take better control of your organization’s most sensitive data.