Cosmian Client-side Encryption
+Architecture - Attackers, Threats and Solutions
- Regain control of every byte of your data in the cloud, even during runtime. Cosmian brings a robust encryption for SaaS - applications, ensuring all data remains in the right hands, fortified with the latest advancements in post-quantum encryption. + The first step in understanding how to secure data and applications in a zero-trust environment is to look at potential attackers + and their threat model. We assume the application code is safe and that we do not need to protect against the software developer.
-Why use Cosmian Client-side Encryption?
+Protection against all attackers
- With minimal cipher expansion and latency, Cosmian’s encryption solution sets a new benchmark in enterprise-grade performance, - supporting even the most demanding production workloads. + Client-side encryption is the only ubiquitous solution that protects against all attackers because data is encrypted by the data + owner under its own key before it reaches any of these attackers. Enabling client-side encryption without loss of functionality + usually requires a modification to the application and the use of a few Cosmian products: Cosmian Covercrypt, Cosmian KMS and + possibly Cosmian VM and Cosmian Findex.
With Cosmian’s Client-side Encryption, data remains encrypted in transit, at rest, and even during runtime. This breakthrough in - data protection provides the highest assurance of data privacy and security. -
-Cosmian solution
-- Cosmian provides code blocks, libraries and tools that make using its technologies to implement client-side encryption easy. + data protection provides the highest assurance of data privacy and security. We providecode blocks, libraries and tools that make + using its technologies to implement client-side encryption easy. +
Protection against a reduced list of attackers
- With client-side encryption, content is encrypted from the customer's browser - or any API connector - before it is transmitted to - the cloud application servers. The customer manages the encryption keys in its Key Management Service (KMS). This approach - significantly reduces the attack surface, as the application and data layers within the zero-trust environment process only - encrypted data and have no clear text access to the decryption keys. + When the threat model is limited to a reduced list of attackers, other solutions may be used. The following table summarizes the + solutions that Cosmian provides to protect against each attacker.
State-of-the-art post-quantum encryption with embedded access policies
-
- To further enhance the security provided by application-level encryption, employing a robust encryption scheme like Covercrypt is
- crucial. Covercrypt mitigates the risks associated with key leakage from the presentation layer and addresses potential security
- risks such as rights escalation attacks and authorization misconfigurations.
- → Cosmian Covercrypt overview
-
Search encrypted data
-
- One of the drawbacks of using application-level encryption is that the storage layer cannot search for data, and most applications
- rely on search features for data extraction. This is because the search engine cannot decrypt the data and, therefore, cannot index
- it. To solve this issue, Cosmian provides Findex, a searchable encryption scheme that allows the building of encrypted indexes.
-
- → Cosmian Findex overview
-
Key distribution
-
- Using Cosmian's Key Management Service (Cosmian KMS) and Public Key Infrastructure (PKI), users can safely share their keys via the
- zero trust layer.
-
- → Cosmian PKI overview
-