This article provides an overview of Per Tenant Encryption, covering the three ways the encryption key can be managed: by Ironclad, Bring Your Own Key (BYOK), and Hold Your Own Key (HYOK).
Per Tenant Encryption is a security model in which each tenant's data is encrypted under a key unique to that tenant. Because no single key can unlock more than one tenant's data, a compromised or misused key exposes at most that one tenant, which reduces the impact of unauthorized access and strengthens overall data privacy and protection.
Ironclad, in partnership with Antimatter, has built the Per Tenant Encryption feature as part of the Security and Data Pro add-on. This additional security feature ensures that each tenant's contracts within their instance are encrypted with a unique key. Ironclad customers have the option to generate, manage, and control their own encryption keys and to have those keys used to encrypt data stored or processed by third-party cloud service providers.
There are three key management options for Ironclad customers:
- Key managed by Ironclad / Antimatter
- Bring Your Own Key (BYOK)
- Hold Your Own Key (HYOK)
By default, Ironclad manages the encryption key, so customers get the benefit of per-tenant encryption with minimal additional effort.
With BYOK, your organization has its own root encryption key: you supply the key material, and you can rotate it as needed. The key you bring is held within the service so that it can encrypt and decrypt contracts on your behalf.
HYOK gives you everything BYOK does, except that the root key is held and stored in your own public cloud environment rather than within the service, so the root key material never leaves your control.
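The key hierarchy that makes these options work is easiest to see in code. The following is an added illustration written for this article; it is not Ironclad's or Antimatter's implementation, and every name in it (RootKey, Record, Encrypt, Decrypt, Rotate, the sample contract text) is an assumption of the example. Each contract is encrypted under its own data-encryption key (DEK), the DEK is wrapped under the tenant's root key, and rotating the root key re-wraps the DEKs without touching the contract ciphertext. The RootKey interface stands in for wherever the root key lives: in process memory here, a customer-controlled KMS in the HYOK case.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// RootKey is a tenant's root (key-encryption) key. Only Wrap/Unwrap are exposed so
// the key material can live in the customer's own KMS (HYOK): the service stores
// wrapped DEKs and never handles the root key itself.
type RootKey interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// Record is what the service stores per contract: the contract encrypted under its
// own data-encryption key (DEK), plus that DEK wrapped by the tenant's root key.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// localRootKey keeps the root key in process memory; it stands in for a KMS key.
type localRootKey struct{ key []byte }

func NewLocalRootKey() RootKey { return &localRootKey{key: randomBytes(32)} }
func (r *localRootKey) Wrap(dek []byte) ([]byte, error) { return seal(r.key, dek), nil }
func (r *localRootKey) Unwrap(wrapped []byte) ([]byte, error) { return open(r.key, wrapped) }

// randomBytes panics if the OS CSPRNG fails: there is no safe way to continue.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return b
}

// gcm builds AES-256-GCM; with a fixed 32-byte key neither constructor can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal returns nonce || ciphertext || tag, with a fresh random nonce per call.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open verifies the GCM tag before releasing any plaintext.
func open(key, sealed []byte) ([]byte, error) {
	aead := gcm(key)
	if ns := aead.NonceSize(); len(sealed) >= ns {
		return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt makes a one-off DEK, encrypts the contract under it, and wraps the DEK under root.
func Encrypt(root RootKey, plaintext []byte) (Record, error) {
	dek := randomBytes(32)
	wrapped, err := root.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext)}, nil
}

// Decrypt fails at the unwrap step when another tenant's root key is supplied:
// the GCM tag on the wrapped DEK does not verify, so no DEK is ever released.
func Decrypt(root RootKey, rec Record) ([]byte, error) {
	dek, err := root.Unwrap(rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext)
}

// Rotate re-wraps only the DEK under a new root key; the contract ciphertext is untouched.
func Rotate(oldRoot, newRoot RootKey, rec Record) (Record, error) {
	dek, err := oldRoot.Unwrap(rec.WrappedDEK)
	if err != nil {
		return Record{}, err
	}
	rec.WrappedDEK, err = newRoot.Wrap(dek) // rec is a copy; Ciphertext is left as is
	return rec, err
}

func main() {
	tenantA, tenantB := NewLocalRootKey(), NewLocalRootKey()
	rec, _ := Encrypt(tenantA, []byte("Master Services Agreement: Acme <-> Globex")) // constructed sample
	_, err := Decrypt(tenantB, rec)
	fmt.Println("tenant B's root key rejected:", err != nil)
}
```

Two properties of this layout matter for the options above. First, a root key only ever wraps small DEKs, so rotating it means re-wrapping DEKs rather than re-encrypting every contract, which is what makes the rotation promised by BYOK practical. Second, in the HYOK case Wrap and Unwrap become calls into the customer's KMS, so the plaintext root key never reaches the service; what the service stores is only ciphertext and wrapped DEKs that are useless without that KMS.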
Should I use BYOK or HYOK?
- You want more control over the root encryption key and your data.
- You have very sensitive contracts.
- You work in a highly regulated industry.
- You are a government contractor, or your organization otherwise requires a higher level of security.
What are the benefits of BYOK/HYOK?
- Key Ownership: With BYOK, your organization retains ownership of the encryption keys. This means you are responsible for generating, storing, and managing the keys, as well as controlling access to them.
- Third-Party Cloud Services: BYOK is typically used in conjunction with cloud services provided by external vendors. These cloud services may include data storage, database services, file sharing, and more.
- Enhanced Security: BYOK is often adopted by organizations that require a higher level of control and security over their data. It allows them to ensure that data is encrypted with keys they control, reducing the risk of unauthorized access or data breaches.
- Data Security: With BYOK, your data is encrypted under keys you supply, so the plaintext is recoverable only by whoever can use those keys. Note that with BYOK the service still holds a copy of the key material in order to encrypt and decrypt on your behalf; if the requirement is that the root key never leave your environment, HYOK is the option that provides that.
- Regulatory Compliance: BYOK can help you comply with regulatory requirements related to data protection and privacy. It provides a way to demonstrate control over encryption keys, which is often a requirement in various data protection regulations.
- Key Rotation: You manage key rotation and the rest of the key lifecycle according to your own security policies, and can rotate keys periodically so that no single key version protects data indefinitely.
- Data Portability: BYOK can facilitate data portability. If you move data from one cloud service provider to another, you take your encryption keys with you; you can decrypt the data in the new environment provided you also export the encrypted data itself together with the metadata needed to use the keys on it (such as the wrapped data keys, the algorithm, and the key version).