Encryption in Identity360

What is encryption?

Encryption is the process of securing data by converting it into a format that can only be understood by a specific audience. During this process, plain text is converted into non-readable ciphertext using specialized encryption algorithms. Encryption keys are used to encode and decode this text. These keys are unique and made available only to authorized parties, preventing loss of data due to data breaches.

Encryption of data can be based on two common data states:

• Encryption in transit: The data sent from the sender to the receiver is encrypted during transit using the Transport Layer Security (TLS) protocol, preventing man-in-the-middle attacks. Only the receiver holds the key to decrypt the data. In Identity360, communication with the integrated directories happens through HTTPS.
• Encryption at rest: While encryption in transit is necessary, an additional layer of defense is required since about 90 percent of today’s data is stored and dormant. Attackers find it more valuable to hack into stored data, so encryption at rest is critical.

Why must data be encrypted?

•  

  Security

  Encryption prevents data breaches when the data is at rest and in transit. In transit, encryption ensures secure transfer of sensitive information through enforced TLS, preventing man-in-the-middle attacks. In case of a lost or stolen device, if the stored data is encrypted, it is inaccessible even in the hands of attackers.

•  

  Privacy

  Most data transmission happens through emails and chats. Encryption ensures that the transferred data can only be read by the receiver and sender. This prevents cybercriminals, internet service providers, etc. from gaining access to sensitive data.

•  

  Authenticity

  Websites that are issued an SSL certificate can be trusted with exchanging sensitive data.

•  

  Regulations

  Regulations such as HIPAA, PCI DSS, and the GDPR require companies that handle customer information to keep that data encrypted.

Encryption at rest in Identity360

Data such as directory tokens and directory properties are encrypted at rest in Identity360 using the AES-256 algorithm. This algorithm has a key length of 256 bits, supports the largest bit size, and is practically unbreakable by brute force based on current computing power, making it the strongest encryption standard. Identity360 encrypts data using AES’s Cipher Block Chaining mode.

Keys are the means through which you can retrieve encrypted data. The key used to convert the data from plain text to ciphertext is called the data encryption key (DEK). The DEK is further encrypted using the key encryption key (KEK), adding another layer of security.

Data in Identity360 has three layers of protection:

• Encrypted data (ciphertext) is stored in the Identity360 database.
• Encrypted DEKs are stored in the key management system (KMS).
• Encrypted KEKs are stored in identity and access management servers.

Since the retrieval of data goes through three levels of security, data transmission in Identity360 is considerably more secure.

How is your data encrypted in Identity360?

1. Identity360 determines from the metadata whether to encrypt the field before storing it in the database.
2. Identity360 checks the cached memory for matching DEKs. If no matching DEKs are found, Identity360 requests a DEK from the KMS.
3. The KMS checks its database for a matching encrypted DEK.
   • If the matching encrypted DEK is found, the KMS decrypts the encrypted DEK and returns it to Identity360.
   • If no matching DEK is found, the KMS generates a DEK. This new DEK is encrypted with KEKs and stored in the KMS servers.
4. Identity360 receives the DEK, then encrypts/decrypts the data using 256-bit AES encryption.
5. The encrypted data is stored in the Identity360 database. The backed-up data stored in the backup database is also encrypted.

URL encryption

The invite links sent out to users via email may contain sensitive data in the URLs. To secure this communication, any part of the URL that’s identifiable is encrypted.

Learn more about encryption and our KMS.