We’re excited to announce Worklytics support for encryption of customer work data using Customer-Managed Encryption Keys (CMEKs). We take customer data security very seriously and continually invest in approaches that enhance data protection and control.
What are Customer-Managed Encryption Keys?
CMEKs are a recent advance in cloud security that allows enterprise customers to use cloud SaaS applications while maintaining data control comparable to that of an on-premises installation. CMEKs add an extra layer of encryption to Worklytics data storage to support advanced data security and governance policies.
Worklytics uses CMEKs to encrypt your work data such that it remains under your organization’s control at all times. Worklytics never stores these encryption keys; we must retrieve them from your Key Management Service (KMS) whenever we need to store or analyze your data.
All data stored by Worklytics is encrypted at rest with 256-bit AES, using Google’s and Worklytics’ keys. CMEKs provide an additional layer of AES-256 encryption inside these, which you can think of as being “wrapped” by these additional keys.
Envelope encryption with customer-managed keys
A few important benefits of CMEKs:
- Effectively destroy Worklytics’ copy of your data at any time
- Extra layer of protection if the Worklytics environment is ever compromised
- Control of your data through a Key Management System, such as Amazon Web Services KMS, Google Cloud KMS, or Microsoft Azure Key Vault.
Because you control your Key Management System (KMS), you can revoke Worklytics’ access to your data at any time. By destroying the master keys in your KMS, you can effectively delete your work data from our systems.
A malicious party with a copy of Worklytics’ database, source code, and Google’s cloud encryption keys could still not read any of your data encrypted with your CMEKs.
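The envelope scheme and the key-destruction property described above, as an added example (not Worklytics’ code): a data key encrypts each record and is stored only in wrapped form, so reads fail once the master key is gone. `DemoKms` is a hypothetical in-memory stand-in for a real KMS; the per-record data key, the AES-256-GCM mode, the blob layout and every name and sample value are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical in-memory stand-in for the customer's KMS: the master key never leaves it.
class DemoKms {
  #master = crypto.randomBytes(32); // constructed demo master key
  wrap(dek) { return seal(this.#key(), dek); }
  unwrap(blob) { return unseal(this.#key(), blob); }
  destroyKey() { this.#master = null; }
  #key() {
    if (!this.#master) throw new Error("KMS: key destroyed or access revoked");
    return this.#master;
  }
}

// AES-256-GCM (an assumed mode); blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function unseal(key, blob) {
  const opts = { authTagLength: 16 }; // reject truncated tags
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12), opts);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Write path: a fresh data key (DEK) per record; only its wrapped form is persisted.
function storeRecord(kms, record) {
  const dek = crypto.randomBytes(32); // held in memory only
  return { wrappedDek: kms.wrap(dek), ciphertext: seal(dek, Buffer.from(record)) };
}

// Read path: every read needs the KMS to unwrap the DEK first.
function loadRecord(kms, stored) {
  const dek = kms.unwrap(stored.wrappedDek); // throws once the key is destroyed
  return unseal(dek, stored.ciphertext).toString("utf8");
}

// Demo on a constructed record: readable until the customer destroys the key.
const demoKms = new DemoKms();
const demoStored = storeRecord(demoKms, "constructed sample record");
console.log("before:", loadRecord(demoKms, demoStored));
demoKms.destroyKey();
try { loadRecord(demoKms, demoStored); } catch (e) { console.log("after:", e.message); }
```

The stored object is all that a copy of the service's storage would contain; without the KMS it holds no usable key material.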
Key management with Google Cloud KMS
Customers who opt to use the private cloud version of Worklytics now have the option to set up Customer-Managed Encryption Keys. Contact support to configure your deployment.