Collaborne SafeKey enables businesses to take ownership over their encryption keys while delivering a frictionless end-user experience. The main building blocks of this vision are:
- Exclusive Key Control. Collaborne never sees or accesses your encryption keys, so you're always in control of your content.
- Unchangeable Audit Log. Record all key usage in an unchangeable audit log on Collaborne providing for a single record of the truth.
- Preserve Cloud Benefits. Retain the usability, mobility and data governance of Collaborne while managing your content in the cloud.
User experience and service requirements
Encrypting data with customer keys tends to disrupt the underlying service - e.g. inability of indexing content for search or any security controls that require visibility into the data. The ambition of Collaborne SafeKey is to provide the ultimate security you need while continuing to provide a delightful and frictionless secure experience to your users. What would put a smile on our face is if the users cannot tell the difference.
How it would work
SafeKey is a service of Collaborne in collaboration with Amazon Web Services, designed to provide on-demand key management through the use of AWS KMS (Key Management Services) and AWS CloudHSM—powered by Gemalto Enterprise—to support customers’ needs for reliability, security and control over their sensitive data. The design considers multiple layers of encryption with the customer key used at the outermost layer. The customer key can be stored on-premise with a replication of the key in the AWS CloudHSM for use by Collaborne.
Step by step:
- Data or content is submitted.
- Submitted data is encrypted with a unique Collaborne key - transparently to any end users
- The Collaborne unique data encryption key is encrypted with the customer's key. This prevent Collaborne from decrypting the data without the customer actually allowing the decryption of the data.
- Every encryption and decryption of data is logged in an unchangeable audit log for the customer.
The keys are embedded into the Collaborne service itself. Customers have complete visibility into all events while preserving the features, capability, and delightful user experience of the Collaborne application
In our client engagements, we have also come to explore the following service opportunities:
- Use AWS KMS or AWS CloudHSM to encrypt only to certain data - e.g. predefined fields for which such certain level of control and security is required for regulatory purposes. Depending on the encryption strategy chosen (i.e. SafeKey or not), this might result in loss of functionality or not.
- Customer can use AWS KMS to manage their keys.