What’s So Special About Digital Envelope Encryption?

There are many ways cloud service providers protect your data: the key and data model, the escrow model, the key server model, and so on. With inSync, we take a slightly different approach to encryption using a method called digital envelope encryption, also referred to as the two-factor encryption model. Watch the video below or read on to see how digital envelope encryption differs from its alternatives.

We look at three aspects of each model: security, data privacy, and manageability.

Key and Data Model

The good thing is that the key-and-data model is very manageable. The key is stored alongside your data, making it easy to retrieve. However, if someone breaches the system, they can gain access to all the keys, and therefore to all the data they protect. This model typically works fine for personal use, or for other low-sensitivity use, but it is not really great for enterprise use where protecting data is paramount. With the way the key and data are stored together, if there were an investigation or a legal subpoena, the information could easily be handed over by the cloud provider. The service provider might even scan the data before it is encrypted or after it is decrypted.

Secure? No. Private? Not really. Manageable? Yes.

Escrow Model

In this model, the key is stored with a third-party provider and is only retrieved when requested. Doing so adds an extra layer of security in the case of a breach, and it limits the provider's direct access to your data. Here, too, the keys are easily managed. But the escrow model doesn't really protect your data from the standpoint of an investigation or subpoena, which is at the heart of many regional data privacy concerns affecting global enterprises.

Secure? Yes. Private? Not really. Manageable? Yup.

Key Server Model

The keys to your data are stored on an on-premise server. On the positive side, it is very private and the cloud provider cannot access the keys. That means good security and great privacy. The drawback is that you are tasked with managing the server: if it should ever fail internally, you have to fix it. In the worst case, when there's irreversible damage (sadly, it does happen), you are left with no way to access or recover your data. Also, wouldn't having something on-premise to store and protect your keys undermine the purpose of implementing a cloud system?

Secure? Definitely. Private? Very much so. Manageable? There are better options.

Digital Envelope Encryption Model

Are you ready for this? With the Digital Envelope Encryption model your data is protected two-fold. First, a unique key is generated for your data; that key is encrypted using the administrator's or end user's credentials, and the resulting token is what gets stored, not the key itself. The token can only be unlocked by the administrator or end user providing his credentials as the complementary part needed to decrypt it. Second, the data itself is also encrypted. In order to access the encrypted data, both parts of the equation need to work together to recreate the key, which only exists in that unique session. Since only the administrator or end user can unlock that token, anyone who wants the data would have to go to him to get the first piece of the puzzle. Effectively, no one can access the data without your knowledge.

Secure? Yes. Private? Indeed. Manageable? Lots of visibility and control, so yes!
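To make the two-part model concrete, here is an added stdlib-only Python sketch of the envelope flow described above (it is not Druva's code, which the post does not show): a unique data key is generated, wrapped under a key derived from the user's credentials into a token, and only the token and the ciphertext are ever stored; the data key is recreated per session. It substitutes an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC for a real AEAD such as AES-GCM so it runs without third-party packages, and all function names are assumptions.

```python
import hashlib, hmac, os

NONCE_LEN, SALT_LEN, TAG_LEN = 16, 16, 32

def _xor_keystream(key, nonce, data):
    # HMAC-SHA256 in counter mode as the keystream (stdlib stand-in for AES-CTR).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def _subkeys(key):
    # Distinct encryption and MAC keys so one key is never used for both purposes.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def _open(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor_keystream(enc_key, nonce, ct)

def _kek_from_credentials(passphrase, salt):
    # Key-encryption key derived from the admin/user credential; never written anywhere.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def create_account(passphrase):
    # Generate the unique data key, wrap it under the credential-derived KEK and
    # return only the token; the data key itself is discarded, never stored.
    dek, salt = os.urandom(32), os.urandom(SALT_LEN)
    return salt + _seal(_kek_from_credentials(passphrase, salt), dek)

def open_session(passphrase, token):
    # Recreate the data key for this session from credentials + stored token. A wrong
    # credential fails the token's MAC, so holding only token + ciphertext gives nothing.
    salt, wrapped = token[:SALT_LEN], token[SALT_LEN:]
    return _open(_kek_from_credentials(passphrase, salt), wrapped)

def encrypt_record(dek, plaintext):
    return _seal(dek, plaintext)  # second layer: the data itself is encrypted
def decrypt_record(dek, blob):
    return _open(dek, blob)
```

The stored material (token plus ciphertext) never contains the data key, which is why a subpoena served on the storage alone, or a breach of it, yields only undecryptable bytes.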

Need more security know-how? See our white paper, The Essential Security Checklist for Enterprise Endpoint Backup.

As with so many other things, the choice of an encryption model is based on the application and domain need. (Since we’re in the business of protecting your corporate data no-matter-what, we’d choose the most secure option even if it weren’t quite as manageable.) What criteria do you use for deciding which encryption model is appropriate for your own needs?

Video Transcript

Hi, I'm Dave Packer with Druva, and today we are going to talk about Druva's unique approach to encryption utilizing our two-factor encryption model. What I'm going to do is contrast this with some of the more common encryption models utilized by cloud service providers. In doing so we are going to use three criteria. One is security: really, how well is your data protected from unauthorized access?

The second one is privacy, which is really about, if you think about things like the NSA, the PRISM program, or data being subpoenaed from a cloud provider, how easily accessible your data is and how it can be produced or handed over to a third party without your knowledge. And thirdly is around manageability: how easy is it to manage this mechanism, manage the keys, so that you are not thinking about it on a constant basis and thinking about things like key rotation and expiration and things like that. And so the first model that we see most commonly used is where your key is stored alongside your data, and in doing so what happens is that key is stored in the database; when an end user authenticates they get the key, and now they can encrypt and decrypt data as it moves in and out of the cloud.

From a security standpoint, the main challenge with this, and one question we get from a lot of folks about kind of where the keys are stored, is that if somebody breaches the system they might get access to all the keys and therefore access to all the underlying data within the system. And so additionally what we say is that this is okay for personal use, or maybe a less secure model of storing data, but really not that great for an enterprise, and so we usually wouldn't consider this one of the best security mechanisms to use for protecting enterprise data.

The second is around data privacy, and I think it's pretty obvious, with the way the key is stored and the way data is stored, that if there was an investigation or the government wanted to access your data, or there was a legal subpoena for your data, that data could be divulged. And so we say that this isn't a very private mechanism, and what we've also found in these implementations is that a lot of the time the service providers are actually scanning the data before it gets encrypted or when it's unencrypted or decrypted, and having visibility into it.

So what we say is, from the manageability standpoint, it actually works pretty well. The second evolution is really what we call key escrow, and this is where the key is stored with some type of third-party provider, and when an end user authenticates the key is requested from the third-party provider, it's pulled over, and now it's utilized for encrypting and decrypting your data.

One of the advantages is that, from an overall security standpoint, it adds in an extra layer of security, so a data breach, for example, might not provide access to that key; people won't be able to then decrypt your information and get hold of it. So from a security standpoint it's fairly secure. From a data privacy standpoint, though, it suffers from the same issue here.

Escrow doesn't protect your data from the standpoint of an investigation or some type of litigation or request for your data. So it's not really what we consider a very private solution, but from a manageability standpoint it is a good solution, because the key is easily managed, you don't have to think about it, or about some of the other challenges around managing keys that some organizations deal with.

The third model that we see utilized a lot is utilizing a key server, and in this model what happens is the server is actually something that you bring on premise, inside your organization. It manages the keys, and it offers a very high level of security, because in a breach of the cloud service provider's system they can't get to the keys. It's very private because the cloud service provider doesn't have access to those keys, and so there's no way for them to access the data. So you've got good security and definitely good privacy.

The challenge is, from a manageability standpoint, when you have an on-premise key server, what that means is that now I have to manage it; I have to make sure that it's backed up, that it's redundant, in case there is some type of failure. One of the challenges with the key server model is that if that key server goes down, none of my employees have access to their data any more.

So it creates a little bit of a fail point; however, for an organization, it does provide the security, and so a lot of organizations will go, "oh, you know, I can do this, I can manage it." But it does kind of undermine the whole purpose of having a cloud system, which is to have all that information stored in the cloud as much as possible.

So Druva's approach is what we call digital envelope encryption, or two-factor encryption. It's a little bit of a different model, and the idea is: how do we take the best of all these different models and mix them together in a way that allows you to have the most security, the best privacy, and also the manageability that you really want out of these simpler models?

The way that we do this is pretty unique. What we do, when you create an account inside Druva, is we generate a unique key for your data, but we never store that key. Actually, what we do is we encrypt that key using the admin or end user credentials, and what that does is result in a token, and that token is actually what gets stored alongside the encrypted data in the cloud. So that means your token's encrypted, your data's encrypted.

When you think about it from that standpoint, it definitely delivers the security you want, because there's no way to access that data; all authorization is managed by the administrator and the end user's access to that information. From a privacy standpoint, we as Druva don't have any access to that information. We can't take that key and unencrypt your data, we can't hand it off to anybody; anybody who wants that data has to go directly through you, and so that's a big advantage, because that will make sure that you're always in the loop about who has access and visibility to your data. So definitely from a visibility and privacy standpoint it's very strong. Now, from a manageability standpoint, because of the way that we're handling it, and because we're not using a key server model, you get the advantage of having that information and those keys managed the way that you want to, and so it delivers that very simple model of key manageability, but also the security and privacy that you really want.

So the goal of digital envelope encryption is to really keep that data protected as much as possible, and that's why, when we engage with a lot of large enterprises that traditionally have looked at kind of private cloud or stored data on premise, they've gone towards this model, because it gives them those advantages. It also allows them to have the efficiencies of cloud storage but also the security and privacy they're looking for.

So that gives you the general idea of the various key models and why we use our digital envelope encryption model for protecting data in the cloud. Do you have more questions? Or want to learn more about Druva? Go visit, and look through our resources section, and you can find out lots of information about how we implement security and encryption to protect your data in the cloud.