We are pleased to announce the official release of CipherTrust Manager (CM) Version 2.18.0, and CipherTrust Cloud Key Management (CCKM) Version 2.18.0.
New Features and Enhancements
Below are highlights from this release. See the full Release Notes here.
CipherTrust Manager v2.18.0
Tech Preview: Support for CipherTrust Encryption – Confidential Compute Attestation.
CipherTrust Manager is delivering a technical preview of Confidential Computing Attestation for CipherTrust Transparent Encryption.
When an organization needs to migrate sensitive workloads to the cloud, such as personally identifiable information, trade secrets, financial data, intellectual property, datasets, AI models, or any valuable information, and reduce breaches outside their data center, they must protect this data by advanced encryption to safeguard its privacy and integrity before the data leaves its trusted data center or network. Therefore, the sensitive workload is initially encrypted at the enterprise end, within the data center, using the Thales CipherTrust Data Security Platform. The protected workload is now ready to be shared and migrated to the cloud.
When the organization needs its data executed at the Cloud Trusted Execution Environment (TEE) end, the workload is moved into a Thales CipherTrust Transparent Encryption agent that requests the attestation of this TEE to the Intel Trust Authority using CipherTrust Manager. This attestation process involves the TEE proving its integrity and security to the Intel Trust Authority. Once the attestation is performed and the integrity of the TEE is confirmed as per defined customer policies, CipherTrust Manager applies customer-defined data protection policies. This enables the execution of the customer workload inside the Confidential Computing Trusted Execution Environment by verification of the customer-defined policies for the hardware and software stack to enforce these policies and grants access to the workloads exclusively to authorized parties defined by the customer.
API Playground: ODC-Based Authentication.
The API Playground is an interactive environment for developers to experiment with and test the Application Programming Interfaces (APIs) in CipherTrust Manager. Prior to v2.18 accessing the API playground functionality required explicit authentication. Once authenticated, users could perform any operation. With CipherTrust Manager v2.18, users can access the API Playground pre-authenticated using OpenID Connect (OIDC). This change extends Multi-Factor Authentication to API playground improving security posture of user authentication.
Backups upload via SFTP.
CipherTrust Manager v2.18 adds the ability to upload backups using Secure File Transfer Protocol (SFTP). Users can now create new SFTP connections and convert existing Secure Copy Protocol (SCP) connections to SFTP. For organizations concerned about potential vulnerabilities using SCP, organizations can take advantage of the full-featured file transfer capabilities of SFTP. SCP was developed primarily to copy files between hosts. Being an older protocol, SCP has evolved over time via periodic updates. SFTP, however, was designed with a focus on security, allowing organizations the advantage of the request-response design that will enable clients and servers to verify each other’s actions.
Enhanced Visibility for Critical Alarms.
CipherTrust Manager v2.18 improves the visibility of critical alarms in the user interface by displaying a red banner at the top when a critical alert exists. This persistent red banner links directly to the list of critical alarms affecting the system’s functionality and availability, allowing you to take corrective action with a single click. Critical alarms include license violations, cluster node certification expirations, offline cluster nodes being down, disk full disk alarms, offline Hardware Security Modules (HSMs) offline, enabled deprecated TLS versions, enabled, KMIP debug logs unmask enabled, and disabled NAE TLS disabled.
CipherTrust Cloud Key Management v2.18.0
CipherTrust Cloud Key Management is releasing support for future versions of SAP Data Custodian.
CipherTrust Cloud Key Management, in partnership with SAP, now supports SAP key storage using the new AWS Keystore Connection option for Bring Your Own Key (BYOK) solutions. Deployed currently within the API this new support will future-proof CipherTrust Cloud Key Management to support new SAP Custodian capabilities on the horizon.
CipherTrust Cloud Key Management now supports the creation of the SAP Master/Primary Keys for BYOK.
CipherTrust Cloud Key Management v2.18 now allows organizations to create master or primary keys for SAP directly through CipherTrust Cloud Key Management for Bring Your Own Key (BYOK). Currently available within the API, CCKM will automatically make the metadata of the native master key available on the CCKM SAP console. This allows the organization to eliminate the cumbersome activity of transferring the master key role from an SAP native to a CCKM BYOK.
Configurable option for key expiration notification.
CipherTrust Cloud Key Management delivers higher levels of control for AWS and Azure keys by allowing organizations to be notified of expiration when necessary. Before CipherTrust CCKM v2.18, users were notified of the AWS and Azure key expiration 10 days before it occurred by default. Using the API, users can now define the number of days before expiration for which they wish to be notified. This allows users to configure their critical management notifications to align with their organization’s preferred or best practices. This optional key expiration notification can be set per domain.
New Support for Google Meet & Drive Guest Access.
We are pleased to announce support for Google Workspace Guest Access using Google workspace with Google Drive and Google Meet. This enhancement will help secure sharing of Docs, Sheets, Slides, and Files within Google Drive and Google Meet as you expand the reach of collaboration for your organization. Previously, encrypted content could only be shared within an organization’s domain using Google Workspace. With the latest Google Workspace update you can now securely share content with individuals outside of the organization.
CipherTrust Cloud Key Management v2.18 enables organizations to manage access controls against rules external to the Google Workspace for higher levels of protection. CCKM serves as the Key Access Control List (KACL) service providing the ability to add one or more identity providers (idP) for each Google Workspace Endpoint Key managed by CCKM. This directly aligns to Google Workspace’s recommended approach to providing external access to client-side encrypted content. Configuring an external guest identity provider (idP) allows access for users outside the Google domain and provides access to client-side encrypted content to both Google and non-Google accounts.
CipherTrust CCKM Named Member of the Google Trusted Partner Cloud.
CipherTrust CCKM is now a member of Google’s Trusted Partner Cloud (TPC), which is a program designed to address strict sovereignty requirements in Europe and APAC by building local, isolated clouds operated by jurisdiction-specific partners. TPC is in the early stages of development and is Cloud’s top priority.
API functionality moved to CipherTrust Cloud Key Management user interface.
Many functions for CCKM are made available and proven as functions within the API. These functions are then moved to the user interface (UI), below is a list of new UI support capabilities within CipherTrust Cloud Key Management (CCKM) v2.18:
- BYOK for Asymmetric & HMAC Key Types for AWS: Supports the visualization of AWS BYOK for Asymmetric and HMAC keys. With the new feature, users can now easily add an external BYOK for symmetric (AES 256, HMAC) or asymmetric keys (RSA, Elliptic Curve) within their AWS environment from the CipherTrust Cloud Key Management user interface. This simplifies the process of adding keys and streamlines operations.
- Key restore option when the key is not deleted for Azure: In the past, a user had to purge a key to restore it to another key store. CCKM v2.18 now allows users to restore a key that has not been deleted to another key store without purging the original key.
- Enable re-import of destroyed BYOK on Google Cloud Platform: Within Google, you can schedule the destruction of a key. Once the key is destroyed, you can no longer restore the key. Google has recently introduced a new feature that allows you to enable the re-import or restore of a destroyed BYOK. CCKM now supports this function through its user interface.