Enable Customers to use their own encryption Keys on Citrix-managed StorageZone
ShareFile provides customers with flexibility in storing content through our StorageZones architecture. Customers have always had the choice between hosting content entirely in the cloud via a Citrix-Managed StorageZone or in their own data centers using Customer-Managed StorageZones. Some customers also adopt a hybrid approach leveraging best of both worlds. Some primary factors considered when deciding which option to use are performance (proximity to primary user base), compliance/regulatory or geographic specific needs.
Storing data in the cloud always comes with security concerns for the customer. While customers have complete control over how they protect their data on-premises, they typically have to rely on the cloud service provider for implementing security controls over their data. Primary among them is encryption. In the past, customers have had no way of managing their own encryption on data they stored in the cloud.
Now with customer-managed encryption key support, users get greater flexibility and security in managing their own encryption keys when storing their files in the cloud. ShareFile leverages Amazon’s Key Management Service (KMS) to deliver control directly to the customer, where they manage their own encryption keys and control ShareFile’s access to those keys. This eliminates the risk of a service provider having access to a customer’s files.
What is Amazon KMS?
Amazon KMS uses two kinds of keys to secure content: Master and Data Keys. An Amazon KMS customer will have a single master key that can be used to encrypt or decrypt data but more importantly, it’s used to generate/protect data keys. KMS master keys are only used to generate and protect data keys while the data keys are also generated by Amazon and used to encrypt the data files being uploaded.
A master key is stored securely within a customer’s Amazon KMS account and never exported outside of that environment. In contrast, a data key can be generated and exported outside of the KMS environment.
So how does all of this work?
Here’s what happens when a file is uploaded to ShareFile:
- The customer initiates a request to upload a file to their Citrix-Managed StorageZone
- ShareFile initiates a conversation with Amazon KMS associated with the customer’s KMS Account. Requesting a data key that can be used to encrypt the file
- Amazon KMS generates the plain text data key and the encrypted copy, returning both to ShareFile
- ShareFile encrypts the customer’s file using the plain text key and discards the plaintext key. The encrypted copy of the key and the encrypted customer file are then stored in ShareFile
And here’s what happens during download:
- The client initiates a download of a file secured via a KMS encryption key. ShareFile retrieves the encrypted file and the associated encrypted data key.
- ShareFile initiates a conversation with Amazon KMS and sends the encrypted data key to KMS
- Amazon KMS locates the master key associated with the KMS customer, decrypts the data key and returns the plain text data key back to ShareFile
- ShareFile now decrypts the file using the plain text copy of the key. The plain text copy of the key is discarded and the requested file is returned to the client initiating the download request.
As you can see, the reliance on securing data is heavily dependent on the customer’s Master key. At any point, the customer can revoke ShareFile’s access to their Master Key. Once access has been revoked it would make all the data secured using data keys tied to that master key inaccessible.
Amazon KMS can also be leveraged to address compliance requirements. For example, periodic key rotation by enabling key rotation for the Amazon Customer Master Key (CMK). A backing key will be created for each key rotation. New data will be encrypted using the latest backing key and Amazon KMS will automatically determine the right version of the backing key when decrypting data.
Currently, this security feature is supported for cloud storage zones only. If an environment is on a customer-managed StorageZone, the control over encryption keys is already within the customer’s domain. When using this option, customers can either encrypt their data using the StorageZones controller’s AES-256 encryption standard, or leverage encryption services of the destination CIFS repository where the data is stored. Once the feature is enabled and configured for a ShareFile account, only new uploads of files and versions will be able to take advantage of this feature. Files uploaded previously will not be automatically re-encrypted with Amazon KMS.