Move workloads with privacy-regulated data to the AWS platform with Fortanix Data Security Manager (DSM). DSM is a centralized key manager to create, store, and track your encryption keys separately from the data in the cloud. Fortanix DSM as an external key manager helps organizations with security and privacy regulations such as the GDPR and Schrems II.
Overview
Regulations like the Schrems II ruling and the GDPR require organizations to ensure that PII of citizens in the European Economic Area (EEA) remains within its borders. This data must be protected using state-of-the-art encryption, and the encryption keys must be in the sole custody of the data importer. In addition, these regulations require the ability to revoke data access at any time, and to segregate encryption keys from the data held in the cloud. An external key store—sometimes called a Bring-Your-Own-Key-Management-System (BYOKMS)—introduces an extra encryption layer that gives organizations full custody of their keys. With Fortanix DSM, organizations can centrally manage the key lifecycle, enforce granular access control, and keep comprehensive logs that simplify auditing.
Fortanix Solution
Fortanix DSM functions as an AWS external key store, enabling organizations to move data to the cloud with the highest level of security and control over their keys. Encryption keys remain under complete customer control, secured by FIPS 140-2 Level 3 certified HSMs and segregated from the cloud data. Fortanix DSM users get a centralized solution for controlling the lifecycle of their keys, whether the keys are used on-premises or in the cloud. Because Fortanix DSM users have sole key custody, neither Fortanix nor AWS can enable access to the protected data, not even when a government subpoena is issued, for example under the CLOUD Act.
Key Features and Benefits
GDPR/Schrems II Compliance
Multicloud KMS Simplicity
Complete Customer Control
Automated Key Management
Secure and Flexible Deployment
How Does AWS External Key Store with Fortanix DSM Work?
As shown in the diagram below, the External Key Store (XKS) allows AWS KMS to use external, customer-managed root keys, which increases the customer's control over their key management and data protection initiatives.
The customer's root keys are generated, protected, and used wholly within Fortanix DSM. AWS KMS calls DSM to unwrap Data Encryption Keys (DEKs) for use by the AWS services it supports, and DSM enforces granular access control and key usage policies on every call. DEKs protected by an XKS are doubly enveloped (encrypted): once by KMS, and once by DSM. Each time a KMS client uses the key, KMS asks Fortanix DSM to open the outer (blue) envelope, and DSM sends the inner (gray) envelope back to KMS, which decrypts it. This way, Fortanix never sees the customer's keys.
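The following Go simulation is an added illustration, not Fortanix or AWS code: two key holders model the double envelope with AES-256-GCM, one standing in for KMS (gray, inner envelope) and one for DSM (blue, outer envelope), so that DSM only ever handles KMS ciphertext and the key owner can revoke access at any time. The type and function names (layer, GenerateDataKey, DecryptDataKey, Revoked) are assumptions of this example; the real XKS proxy API, its authentication and the HSM are not modeled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// layer is one key holder in the hierarchy (hypothetical model): AWS KMS with its key, or
// Fortanix DSM with the customer root key. Each holder only sees what it is handed, already sealed.
type layer struct {
	aead    cipher.AEAD
	Revoked bool // the key owner can cut off every dependent DEK at once
}
func newLayer(key []byte) *layer {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key size is a programming error in this simulation
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &layer{aead: aead}
}
// Wrap seals pt under this layer's key (AES-256-GCM, fresh random nonce prepended).
func (l *layer) Wrap(pt []byte) []byte {
	nonce := make([]byte, l.aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to return an error (Go 1.24+)
	return l.aead.Seal(nonce, nonce, pt, nil)
}
// Unwrap reverses Wrap; it refuses once revoked and fails on any altered or foreign blob.
func (l *layer) Unwrap(blob []byte) ([]byte, error) {
	if ns := l.aead.NonceSize(); !l.Revoked && len(blob) >= ns {
		return l.aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("layer: unwrap refused")
}
// GenerateDataKey (KMS side): a fresh DEK is sealed by KMS (gray envelope), then by the XKS (blue).
func GenerateDataKey(kms, xks *layer) (dek, blue []byte) {
	dek = make([]byte, 32)
	rand.Read(dek)
	return dek, xks.Wrap(kms.Wrap(dek))
}
// DecryptDataKey (KMS side): the XKS opens the blue envelope, then KMS opens the gray one.
func DecryptDataKey(kms, xks *layer, blue []byte) ([]byte, error) {
	gray, err := xks.Unwrap(blue)
	if err != nil {
		return nil, err
	}
	return kms.Unwrap(gray)
}
```

Note that xks.Unwrap alone returns only the gray envelope, never the DEK, and that setting Revoked on the XKS holder makes every dependent decrypt fail, which is the revocation property the regulations above require.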