By creating a security model focused on the data, the Virtru Data Protection Platform disrupts the decades-old network security paradigm to give data owners greater control. A combination of crypto, policy, and access management features provide robust protection that travels with data regardless of platform or system.
Done right, you’ll no longer need to trust the systems storing your data. With the Trusted Data Format (TDF) as the open format for data-level security protections, Virtru and TDF together enable a fundamental shift in security models. Instead of placing the numerous control requirements on any system storing your data, these same requirements are placed on the data so you can securely create or share data with specific access policies. Fundamentally, Virtru and the TDF together allow you to:
- Encrypt data to enforce policy.
- Let your data go anywhere.
- Grant or deny access inside and outside your environment.
- Audit access over time.
- Change policy as needed after dissemination.
Data remains protected not only within corporate sanctioned applications, but also as it travels across the range of platforms and services, including cloud-based apps and external partners.
Every object explicitly declares HOW it was encrypted, with what algorithms, key sizes, and modes. This enables maximum interoperability and future-proofing, to allow the application of the strongest crypto standards at any given time. As crypto standards evolve, it is easy to update and replace them without disrupting the underlying security model.
To protect confidentiality and integrity of data wherever it goes, TDF supports encryption of any size and type of payload (see TDF Overview for links to how the schema supports all scenarios) with support and use of the strongest encryption standards available.
Virtru apps and SDKs today implement the following symmetric algorithm and modes:
- AES-256-GCM (256-bit key Advanced Encryption Standard in Galois Counter Mode) (default)
- AES-256-CBC (256-bit key Advanced Encryption Standard in Cipher Block Chain) (deprecated)
Note: CBC is recommended for use only to read previously encrypted TDF objects.
Virtru apps and SDK universally implement RSA 2048 by default for maximum interoperability. Elliptic Curve Cryptography has been implemented, but deployed today in a limited fashion. If you have an interest in ECC-enabled TDF please reach out to our devs at email@example.com. We’d love to work with you.
The latest TDF allows for the inclusion of explicit data integrity metadata. This is designed in particular to support:
- Very large file encryption and decryption: segmentInfo can contain encryption information for parts of files, enabling large files to be encrypted in smaller chunks, with encryption metadata (including integrity) of each chunk being stored in this element. A parent hash strategy against the whole ensures that no segment can be removed or re-ordered.
- Streaming data integrity: similar to large files, per segment validation allows only some of a given file to be downloaded and still be able to validate its integrity. This is crucial for performant viewing of streamed and/or large content where integrity is required.
Track and evolve policies over time with granular access privileges and audit features, even after data dissemination.
Access control policy can be either embedded within a TDF as a cryptographically-bound object independent of payload or remotely managed. This can take the form of a TDF Assertion, with or without payload encryption. For encrypted payloads, policy can be cryptographically bond to the payload key via HMAC (see TDF spec for details).
Policies can be created in almost any fashion via a flexible Attribute-Based Access Control model. This can include the use of data attributes like classification or authorities, or basic access control lists like email addresses. Please see our SDK documentation for more details.
TDF protocol and infrastructure enables logging every key request for reliable auditing and tracking of access requests. This provides an unprecedented ability to track who accesses what data, at what time, and where. The data audit can not only track by person, but also by location and device. Data can be bound to groups and individuals as well as to devices and locations.
The capabilities above can be composed, in particular when using Virtru SAAS key management, to give you the ultimate ability to evolve policy over time in sync with changing needs or based on observed threats in particular as surfaced by audit.
Check out Virtru SDKs
Check out our SDK and start implementing this security model today.