Encryption Key Management

Overview

Encryption key management and security for Code42 Next-Gen DLP

Code42's priority is to ensure the security of our platform and customer data. We adhere to some of the most stringent industry security standards and requirements. Independent third parties regularly review and audit our software and enterprise business and production operations in order to ensure ongoing security and compliance.

Key management for file collection
An individual file archive is created in the Code42 Cloud for every user device protected by Code42 Next-Gen DLP. By default, each user is assigned a unique encryption key that protects all archives tied to his or her account. When a new device logs in for the first time, an archive encryption key is generated; only authenticated devices can create a key. Additional devices added to the same user account obtain the user's existing archive encryption key from the Code42 Keystore, so one user never ends up with several keys. Once created or obtained, the key persists securely on the device and in the key management system, Code42 Keystore, until the device is deauthorized.

Code42 provides end-to-end data security:

  • Data is encrypted on the device with AES 256-bit encryption before transmission
  • Data is transmitted from the source to the destination over Transport Layer Security (TLS), using AES 256-bit cipher suites
  • Data remains encrypted at rest with AES 256-bit encryption

Archive encryption key creation
An archive encryption key must exist on a device before file collection begins. Typically, keys are created at the time of installation using the random key generation feature of the Code42 offering. Keys are created from a cryptographically secure random number generator obtained through the Java Cryptography Extension (JCE) framework, an open-source, widely reviewed implementation. The customer can instead elect to provide a custom key.
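The following is an added illustration of the key handling described above; it is example code written for this page, not Code42's own implementation. It shows a 256-bit archive key being generated through the JCE `KeyGenerator`/`SecureRandom` API (or imported from a customer-supplied key, with a length check), and file contents being encrypted with AES-256 before they leave the device. The class and method names, the choice of GCM mode, and the use of an archive entry identifier as associated data are assumptions made for the example; the page only states that AES 256-bit encryption is used.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical example (not Code42's code): generate or import a 256-bit
 * archive key via JCE and encrypt file contents with AES-256-GCM before upload.
 */
public final class ArchiveKeyExample {
    private static final int KEY_BITS = 256;
    private static final int GCM_NONCE_BYTES = 12;   // 96-bit nonce, the GCM default
    private static final int GCM_TAG_BITS = 128;     // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    /** Random key generation through JCE, as on a user's first device login. */
    static SecretKey generateArchiveKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(KEY_BITS, RNG);
        return kg.generateKey();
    }

    /** Customer-supplied key: accept only exactly 256 bits of key material. */
    static SecretKey importCustomKey(byte[] raw) {
        if (raw == null || raw.length != KEY_BITS / 8) {
            throw new IllegalArgumentException("custom archive key must be 32 bytes (AES-256)");
        }
        return new SecretKeySpec(raw, "AES");
    }

    /** Encrypt one file's bytes on the device; output layout is nonce || ciphertext || tag. */
    static byte[] encryptFile(SecretKey key, byte[] plaintext, byte[] entryId) throws Exception {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(nonce);                       // fresh nonce per file: never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        c.updateAAD(entryId);                       // bind the ciphertext to the archive entry it belongs to
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    /** Decrypt on restore; a wrong key, wrong entry id or modified blob fails authentication. */
    static byte[] decryptFile(SecretKey key, byte[] blob, byte[] entryId) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_NONCE_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        c.updateAAD(entryId);
        return c.doFinal(ct);                       // throws AEADBadTagException on tampering
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = generateArchiveKey();
        System.out.println("archive key bits: " + key.getEncoded().length * 8);

        // Constructed sample input, not real customer data.
        byte[] entryId = "user42/docs/report.docx".getBytes(StandardCharsets.UTF_8);
        byte[] plaintext = "constructed sample file contents".getBytes(StandardCharsets.UTF_8);

        byte[] blob = encryptFile(key, plaintext, entryId);
        byte[] restored = decryptFile(key, blob, entryId);
        System.out.println("round trip ok: " + Arrays.equals(plaintext, restored));

        // A second device for the same user must fetch the SAME key from the keystore;
        // a freshly generated key is rejected outright rather than producing garbage.
        try {
            decryptFile(generateArchiveKey(), blob, entryId);
        } catch (AEADBadTagException e) {
            System.out.println("decryption with a different key rejected");
        }
    }
}
```

The length check in `importCustomKey` is the practical caveat for the custom-key option: JCE will happily build an AES-128 key from 16 bytes, so a caller that wants the 256-bit strength the page describes has to enforce it.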

How are keys stored?
Keys are held in the Code42 Keystore, which is a third-party key management system operated by Code42. The system ensures that encryption keys are stored separately from both customer data and the customer's Code42 authority. The authority is the central point of administration for the Code42 offering. It connects to directory services solutions and controls the provisioning of encryption keys for file archives. When an encryption key is created for a user account, a corresponding account is created in the Code42 Keystore. Users have their own unique account in Code42 Keystore and can only access their own keys.

Where are keys stored?
Encryption keys are stored within Code42 Keystore in the geographic region specified by the customer. The region in which keys are stored must also be the same region chosen for the Code42 authority. Currently, Code42 Keystore options are offered in both the United States and Europe.

When, why and by whom are keys accessed?
Code42 Keystore application credentials are only available to a limited group of Code42 employees. All access to Code42 Keystore is logged, monitored and reviewed, and is only available via a temporary, single-use token. Code42 Keystore application credentials are regenerated on a regular basis. There are two scenarios in which archive encryption keys may be accessed. Keys are accessed to perform backup and restore, and to perform required administrative functions of the Code42 Keystore.

USE CASE

File collection and recovery

  • Authorized users and customer administrators can perform actions with encryption keys for the purpose of backup and restore.
  • Encryption keys are processed within the Code42 offering. As a result, users never have direct access to keys.
  • Customer administrators, at their sole discretion, can grant members of the Code42 support team temporary access to perform the restore process on their behalf, or to respond to an escalated support issue.

In these instances, encryption keys are processed within the Code42 offering, meaning there is no direct access to the key. All actions related to Code42 Keystore access are logged, audited and monitored.

USE CASE

Administration of Code42 Keystore

  • Restart of the Code42 Keystore, such as for a server reboot or troubleshooting, requires the system to be unlocked.
  • Application credentials must be entered in order to unlock the Code42 Keystore.
  • Once entered, application credentials are stored in the system memory to support standard product operation functions, such as backup and restore.

What security and access controls are in place to secure encryption keys?
Code42 is an ISO 27001-certified organization and engages an independent third party to complete annual SOC 2 Type 2 audits. Additionally, Code42 performs specific control activities to monitor and validate the physical, environmental and operational security of its managed data center hosting providers, including reviewing third-party assurance reports (e.g. SOC 1, SOC 2, ISO 27001) for its cloud data centers.

The following controls are in place specific to encryption keys in a cloud deployment:

  • Access to Code42 Keystore is limited to a subset of Code42 Cloud administrators and is used for customer cloud support.
  • All key access is logged and monitored.
  • User access is monitored and reviewed on a quarterly basis.
  • Encryption keys are encrypted in transit and at rest.

CUSTOMER-MANAGED KEYSTORE FOR FILE COLLECTION AND RECOVERY

Code42 provides customers with the option to manage their own archive encryption keys in their desired location—whether in their data center, virtual environment or public cloud environment. Customers who elect to manage their own encryption keys are responsible for hosting, upgrading, managing, monitoring and patching their own instance of Code42 Keystore. In the event a customer no longer wants to maintain a private keystore instance, they can easily move their keystore back to Code42's managed instance. Talk to your Code42 Systems Engineer to learn more about customer-managed keystore.

Key management for file events and metadata
To perform monitoring and investigations, Code42 Next-Gen DLP also collects file metadata and stores it in the cloud for on-demand search and alerting. Metadata is encrypted in transit over Transport Layer Security (TLS) using AES 256-bit cipher suites. Metadata is also encrypted at rest in the Code42 Cloud using a Code42-managed key.

Every piece of file metadata collected by the Code42 app is tagged with the associated customer tenant. Administrators must first be assigned a role that provides them permission to access file events and metadata. Next, they must authenticate by logging into the Code42 admin console. The process of logging into the admin console identifies the associated customer tenant.

The ability to search and access metadata is scoped exclusively to the customer's own tenant. The following controls are in place specific to the Code42-managed key used for file events and metadata:

  • Access to the key management system is limited to a subset of Code42 Cloud administrators and is used for customer cloud support purposes.
  • All key access is logged and monitored.
  • User access is monitored and reviewed on a quarterly basis.
  • Encryption keys are encrypted in transit and at rest.

Want to learn more?

Contact Code42 to learn more about Next-Gen DLP.