Are Your Keys Secure? 4 Reasons to Consider Cloud-Based Digital Envelope Encryption

Are Your Keys Secure? 4 Reasons to Consider Cloud-Based Digital Envelope Encryption

With vast amounts of sensitive data traversing the internet daily, one of the biggest challenges of modern-day protection is to properly encrypt and store this data to protect it from being compromised —either by internal threats or hackers.  

You can see the dilemma, though: if you use a key to protect your data, then, in effect, whoever has the key can gain access to the data. Sure, you could encrypt the key or the machine on which it’s stored, but that would require a new key stored somewhere—and on and on, in an infinite loop.

What is a company supposed to do?

Don’t View the World Through An Outdated Lens

Cloud services, in particular, have been guilty of taking the legacy on-premise model and saying “It worked here, so it should work there!” This is only a half-truth; it has been shown time and again that if the legacy approach is applied to the cloud, the advantages and cost efficiencies quickly vaporize.   

One longstanding and well-understood encryption model is digital envelope encryption. The concept is straightforward: you have a key, you encrypt the file or message with it, you encrypt the key itself using something from the recipient party. Unlocking the file or message now requires two distinct elements. With now two stages to unlocking the prize, it significantly raises the complexity of getting at the underlying data.

In digital envelope encryption the nuance is in how the key itself is encrypted using something only the recipient knows; for example, their self- or company-generated password. This results in a token which can then be safely stored. The only person that can get to the key—and subsequently the data—is the person with the password to unlock the token.

Although digital envelope encryption is often leveraged by the largest cloud infrastructure providers (such as Amazon Web Services) to protect sensitive data, its adoption in the cloud space is still limited. But can this well-known model be adapted to fit today’s cloud-based reality? We believe it can.

The solution is to store only the aforementioned unique token per user in the cloud. Then, when a user provides the correct credentials the token is challenged,  unlocking the key into resident session memory and establishing secure cloud data storage and access with the user. When the user session ends, the memory-resident key is destroyed and only the original stored token remains.

The critical thing to keep in mind is that the key never exists—or is transferred—outside of that memory-resident session. In other words, there is no opportunity for the key to be put into a compromised situation. And, if the service is built upon a fully-certified infrastructure like Amazon or Azure, the infrastructure is highly secured as well, adding an additional layer of environment protection.

Additional benefits of cloud-based digital envelope encryption include:

  • Extended Services Accessibility: Because the key is only ever session memory resident, encryption and decryption can occur cloud-side without putting the data at risk, this enables more services to be applied to the underlying data as needed.
  • Data Lockout Prevention: With the use of individual user stored tokens as proxies for the key the core key can be an enterprise-wide key. This enables an admin, for example, to have access to the data if required, or easily reset an end-user’s password to recover data.
  • No Vendor Access: The vendor has no access to the key as it is stored as encrypted tokens. Therefore, they have no access to the data, and not even a court order, subpoena, or warrant can compel data production.
  • Key Durability: The core key can be enterprise-wide without fear of it being compromised or corrupted as it’s contained within each token and only exists memory-resident.  Removing the need for key management and ensuring against data lockout issues.

For these reasons, Druva has standardized on digital envelope encryption for our cloud services, which are being utilized by some of the most security-conscious enterprises in the world. Cloud-based digital envelope encryption allows these customers to both secure their data and do more with it through extended services around compliance, legal data management, analytics, and search, while taking advantage of the extended cost efficiencies that cloud services have to offer.

We invite you to download the full technical brief titled ‘State-of-the-Art Security In The Cloud Era’ to learn more about the advantages of this encryption method. For a closer look at Druva’s unique approach to cloud data protection, click here and see how to keep your data properly secured in the cloud.

Looking to increase your security posture? Learn about five unforeseen risks that you should consider when it comes to file sharing. Read our white paper, 5 Unseen Risks in Enterprise File Sharing, to learn more.



Dave Packer

Dave has more than 20 years experience in influencing products in the enterprise technology space, primarily focused in the areas of information management and governance. At Druva, Dave leads Product Marketing, which serves as an integral part of product definition and direction.


Leave a reply

Your email address will not be published. Required fields are marked *