Every day, numerous attacker profiles can target your data:
- Cybercriminals who steal units of data, either directly or remotely through social engineering, ransomware, etc.
- Attackers who intercept network traffic using “man-in-the-middle” (MITM) techniques.
- Malicious infrastructure administrators who spy on what’s happening in server memory, storage arrays, and on the network.
- Malicious system administrators who can do the above spying and even inject malware into the OS.
- And faulty application managers who try to access data, for example, through privilege escalation.
Disk encryption, database encryption, and network traffic encryption can effectively protect against the first two types of attackers, and properly used, confidential computing can help counter infrastructure administrators’ attempts. However, it’s still difficult to protect against system administrators and application managers who are malicious actors, especially in the context of SaaS applications, where these two types of profiles are not company employees.
The only way to protect against all these potential attackers is to encrypt data on the client side, i.e., client-side encryption. This solution is recommended by the CNIL (Commission nationale de l’informatique et des libertés). CNIL recently published two practical guides on encryption and data security. This could quickly become the new standard, as the US government now requires the current administration (and recommends to large companies) to manage their own data encryption, no longer leaving it to third-party infrastructure managers.
Google is adopting client-side encryption
When a company opts for Google Workspace, Google de facto becomes the manager of the applications, systems, and infrastructures. The only way to ensure that data are protected is to encrypt data on the client side. Google has actively embraced this method, enabling client-side encryption in online services, including Google Docs, Sheets, Slides, Meet, and several others.
Our Key Management Service (KMS) protects the client’s encryption key so that Google cannot access it. Ours is the only KMS that can decode the client key, allowing their web browser to decrypt data stored with Google. This KMS can be installed on-premise or in the cloud. It runs in a confidential virtual machine, providing a high level of protection. It should be noted that since the data are encrypted, some functionalities will no longer be available, such as document summaries and automatic translations. To combat this, we will soon offer encrypted virtual machines on Google’s marketplace to restore some of these functionalities.
In addition to KMS updates, our hyperscalers are starting to deploy client-side encryption functionalities. This means that, for example, once Microsoft integrates client-side encryption into its Office 365 suite, we will offer our unique Cosmian solutions on their marketplace.
The next step is client-side encryption applied to business applications. Companies can rely on Cosmian to offer deployable stacks everywhere, for web browsers, mobile terminals, etc., all with interesting properties, including post-quantum encryption, the ability to index encrypted data, and more.
Need more information? Have a demo request? Book a meeting or contact [email protected]
Interactive tutorial: How to implement Client-side Encryption with Cosmian
How to encrypt client-side or at the application level
Article in French: Bruno Grieder, CTO Cosmian, explains why cryptographic agility is key for stronger data protection