Now, even if the underlying cloud provider can’t provide geolocation and permissions assurances, end-to-end encryption prevents unauthorized access and limits visibility to the data owners and their intended, authorized recipients. While this creates a significant opportunity for more seamless and efficient data sharing, it also brings up questions about what security measures must be considered.
While you may now know the basics—such as why ITAR matters, who needs to pay attention to it, and what to look for in a solution—over the past few months, we’ve received questions around how exactly Virtru enables ITAR compliance. So, we sat down (virtually, of course) with Virtru’s Director of Federal and Platform, Joe Stuntz, to better understand the ins and outs of securing ITAR data with Virtru.
Client-side, end-to-end encryption is one of the only reliable ways to secure data from hackers, cyber-spies, and internal threats. ITAR compliant organizations must use strong encryption standards, and carefully control encryption keys to ensure unauthorized parties—including cloud vendors—can’t decrypt sensitive information.
Email encryption alone won’t prevent a well-meaning employee from forgetting to encrypt a sensitive message, or sending out sensitive data through email by mistake. This is where other data security features such as access controls and audit capabilities become critical.
Organizations can automatically enforce Virtru client-side encryption and access controls for emails (including drafts) sent from your entire organization or from specific users/groups. Virtru also allows you to designate “encrypt & upload” as the only option for users/groups when uploading documents with technical data in Google Drive.
Hosting your own keys ensures that any key access request must be approved by you, giving you ultimate control over who has access to keys for ITAR technical data.
By using end-to-end encryption for email (including drafts) and files containing ITAR technical data, you can effectively prevent access by any cloud servers or foreign entities and address personnel permissions concerns. With Virtru for Gmail, you have the flexibility to use Google services due to an added layer of control for files and emails, wherever they’re shared. This helps ensure compliance beyond the initial email.
The key benefit is that Microsoft will only be storing encrypted data. Microsoft will have encrypted content, Virtru will have the keys but no content, and only the data owner and those authorized for access can decrypt data. This means that nobody has the keys to the kingdom and an organization does not have to rely on the practices of any one organization.
All of Virtru’s encryption algorithms comply with FIPS 140-2, however, not all Virtru clients leverage FIPS validated encryption modules. As an example, in September of this year, Virtru received validation for our JavaScript library. For our solutions that leverage FIPS validated modules, not all clients are enabled in FIPS mode by default. In addition to our own validation, we use third-party encryption libraries that have been certified by, or for, companies such as Google, Microsoft, and Apple. You can read more about this here.
ITAR requirements specifically state that the cloud provider must use cryptographic modules (hardware or software) that are compliant with FIPS 140-2 or other compliant encryption.
Virtru offers end-to-end encryption, granular access controls, and customer-hosted keys to address native cloud security gaps and prevent foreign entities from accessing technical data.
In order to meet ITAR requirements, Virtru hosts everything in the U.S.
Using Virtru alone does not guarantee ITAR compliance. Virtru solutions must be deployed as part of a broader compliance program with additional safeguards, controls, and processes that prevent unauthorized foreign access to ITAR technical data.
Virtru helps support ITAR compliance by providing end-to-end encryption that protects ITAR technical data from foreign access wherever it’s shared, unlocking cloud cost-savings benefits and enabling collaboration workflows that power innovation and growth. ITAR noncompliance leads to some of the most significant consequences of all data regulations, so it is not to be taken lightly and boils down to one thing: preventing non-U.S. persons from accessing ITAR technical data in the cloud.
Get in touch with us to learn how Virtru can support your ITAR compliance programs today.