Skip to main content

NEXT SafeKey

Ronny Roeller
  • Updated
Protecting your data is our #1 priority. We continuously develop plans and proposals to engage our customers into progressive discussions for conceiving and deploying robust practices and infrastructure that ensure the long-term scaling, security, and resiliency of our data centers, software and entire business operation. Our ambition is to help you meet ever increasing regulatory needs, compliance, or other policies that you might have.
 

Service Ambitions

NEXT SafeKey enables businesses to take ownership over their encryption keys while delivering a frictionless end-user experience. The main building blocks of this vision are:

  1. Exclusive Key Control. NEXT  never sees or accesses your encryption keys, so you're always in control of your content.
  2. Unchangeable Audit Log. Record all key usage in an unchangeable audit log on NEXT providing for a single record of the truth.
  3. Preserve Cloud Benefits. Retain the usability, mobility and data governance of NEXT while managing your content in the cloud.

User experience and service requirements

Encrypting data with customer keys tends to disrupt the underlying service - e.g. inability of indexing content for search or any security controls that require visibility into the data. The ambition of NEXT SafeKey is to provide the ultimate security you need while continuing to provide a delightful and frictionless secure experience to your users. What would put a smile on our face is if the users cannot tell the difference.

How it would work

SafeKey is a service of NEXT in collaboration with Amazon Web Services, designed to provide on-demand key management through the use of AWS KMS (Key Management Services) and AWS CloudHSM—powered by Gemalto Enterprise—to support customers’ needs for reliability, security and control over their sensitive data. The design considers multiple layers of encryption with the customer key used at the outermost layer. The customer key can be stored on-premise with a replication of the key in the AWS CloudHSM for use by NEXT.

securekey.png

Step by step:

  1. Data or content is submitted.
  2. Submitted data is encrypted with a unique NEXT key - transparently to any end users
  3. The NEXT unique data encryption key is encrypted with the customer's key. This prevent NEXT from decrypting the data without the customer actually allowing the decryption of the data. 
  4. Every encryption and decryption of data is logged in an unchangeable audit log for the customer.

The keys are embedded into the service itself. Customers have complete visibility into all events while preserving the features, capability, and delightful user experience of the application

Other discussions

In our client engagements, we have also come to explore the following service opportunities:

  • Use AWS KMS or AWS CloudHSM to encrypt only to certain data - e.g. predefined fields for which such certain level of control and security is required for regulatory purposes. Depending on the encryption strategy chosen (i.e. SafeKey or not), this might result in loss of functionality or not.
  • Customer can use AWS KMS to manage their keys.  

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk