Virtru Data Protection Platform
With the Virtru Data Protection Platform, you can quickly integrate security and privacy for any data type—such as files, emails, structured or unstructured data—produced or consumed by your applications and connected devices. Whether you are building web or mobile applications, IoT or ML projects, sensitive data can be encrypted and protected even when disseminated into untrusted environments.
Creating TDFs with the Virtru SDK
The Trusted Data Format (TDF) serves as the foundation for the Virtru Data Protection Platform, which simplifies data-level protection across systems and data types. Importantly, data owners maintain the ability to revoke, audit, and track the data even after it leaves their system. The Virtru SDK makes it easy to create TDFs and is interoperable across environments—including multi-cloud environments—so there are no vendor lock-in or infrastructure constraints.
Step 1: Protect
In a few lines of code, developers can use the Virtru SDK to encrypt any data using the TDF format within an application or as it leaves their application. TDF cryptographically binds together:
- The payload (data to be encrypted)
- Encryption keys (per object)
- Access control policy
Importantly, TDF and the Virtru SDK allow developers to configure the access policy on the data as they wish. This can be based on any range of criteria, such as users, group membership, time, etc.
Step 2: Send Protected Data and Persist Protections
The data is now “self protecting” so you can send it anywhere. With the TDF protective wrapper traveling with the data, the data basically self protects by persisting encryption with the data wherever it goes.
Step 3: Audit Data Access
Authenticated systems / individuals will be requesting access over time. With each access request, new entries appear on the audit log. For instance, if you allowed re-sharing, this will appear in the audit logs and dashboard. If unauthorized access is attempted, the audit logs will show that as well. The audit log provides persistent insights into who accesses, or attempts to access, the data - where, when, and over time.
Step 4: Evolve Access Policies over Time
TDF and Virtru allow access policy changes over time, including by individuals, devices, or by geography, as your requirements change. Revocation is the most dramatic and impactful control, and visually demonstrates your full data control capabilities.
How It Fits Together: Architecture Diagram
The architecture diagram below details how the SDKs, Key Management Infrastructure, Policy Management dashboard and the Trusted Data Format (TDF) combine to help you customize security and privacy into your applications.
The Trusted Data Format
As mentioned above, TDF provides the foundation for the entire Virtru Data Protection Platform. Created by Virtru Co-Founder and CTO, Will Ackerly, TDF is an open data format that provides a protective wrapper that travels with data. When invoked, Virtru SDKs ensure that all your objects (files, emails, etc) are encrypted, policy bound and persist as Trusted Data Format files. Once your objects are in TDF format, they can be shared or stored freely by your application. See our TDF overview to dive deeper into how it works.
Virtru SDKs
The Virtru SDK helps developers create TDFs within existing systems so organizations can reap the benefits of data protection and secure sharing. The Virtru SDK facilitates key management and access policies, including multiple access policies within specific files and retrieving user entitlements through streamlined communication with the policy server. Policy management is no longer the enemy but becomes simplified and evolves as access privileges evolve over time. Users can apply multiple classifications and access policies within a specific file, ensuring recipients can only view the portions that adhere to their access privileges.
Virtru's client SDKs are embedded into your applications and do all the heavy lifting. They expose simple encryption and decryption interfaces to integrate security and privacy into your applications. The Virtru SDK is currently available in Javascript, C++,, and Python, with additional languages coming soon. With minimal memory footprint, Virtru's SDKs are extremely scalable and won’t slow you down.
Digital Policy Management Dashboard
Virtru Dashboard is an administrative dashboard that allows admins to set, enforce, audit and revoke all key access requests, and thus all data requests. Admins also use this dashboard to define policies, manage users and revoke access.
Virtru Key Management Infrastructure
Virtru SDKs use Virtru's Key Management Infrastructure by default. Virtru's Key Management Infrastructure is based on Attribute-Based Access Controls (ABAC) and contains services necessary to host, secure, and control the access of the encryption keys. The Virtru Key and Policy Management Infrastructure stores and retrieves keys as well as the policies associated with the keys. This highly scalable and secure infrastructure acts as a backend for KAS.
Key Access Server (KAS) and Management Infrastructure
The KAS acts as a Policy Decision Point (PDP). KAS decides whether an entity has the privilege to decrypt an object—like a file or email—or not. KAS makes this decision based on both an object’s access requirements as well as user privileges. If the user meets the access requirements, the decryption key is returned to the client. If not, access is denied.
Entity Attribute Server (EAS)
EAS provides Identity Management services and returns the attributes associated with an authenticated user. These attributes are used by KAS to make key access decisions. EAS supports Federated Identities, thus ensuring that customers can apply their pre-existing identities (and attributes).
Identity Federation
Virtru SDKs integrate existing identity standards such as OpenId, OAuth, and SAML, for user authentication. There is no need to recreate identity standards, expediting authentication and allowing you to work within your preferred identity standard. Our federated identity management simplifies authentication while maintaining the granular access controls to optimize security and privacy and prevent unauthorized data access.