Skip to content

Overview

Grizzly allows developers to encrypt data anywhere. It manages rotating the keys, matching keys to the encrypted data, segregating keys into KeyRings, role based access controls on who can encrypt/decrpyt, an audit trail of all actions, and much more. It supports Governance and Compliance initiaitives by tracking who performed the encryption/decryption on any Asset - even on third party systems. All keys generated by the platform are encrypted with the public Key of an RSA (4096-bit) Key Pair that is provided by the customer. The customer always owns the keys generated by the platform.

Why Don't We See More Widespread Adoption of Encrypted Data?

Typically, adding encryption to workflows brings many challenges. Developers must choose:

  • How to store their keys
  • When to rotate their keys
  • How to to match keys with encrypted data in order to decrypt the data - even when keys have been rotated.
  • How to stay up-to-date with best practices
  • How to track when the data has been encrypted/decrypted and by whom

Grizzly manages each of these points for you - so you can focus on building a strong compliance posture.

How Does Grizzly Help with a Strong Compliance Posture?

KeyRings allow an organization to isolate encryption key usage by team, service, geo-location, or by any metric. Access to the KeyRings can be assigned through our RBAC controls, like API Keys, and usage is tracked, monitored and stored by the platform. You can track which machine, user, service, location, team, or a potential threat actor has been viewing your data - even when it is outside your organization.

If an incident does occur, an audit trail is available to prove who had access to what, and the actions they took on it.

How is all of this Achieved?

We introduce a few concepts to make this happen:

  • KeyRings
  • Accounts
  • API Keys
  • Activity Feed

Let’s dive into each of these.

KeyRings

KeyRings house the Keys that are used for encryption and decryption. They are also responsible for rotating the Keys; monitoring each key's usage to ensure best practices when working with encryption keys. They also allow users to segregate their data in any way that works best for them. Some examples include a KeyRing for each team, service, region, 3rd party vendor, etc. Each KeyRing can be designated to any purpose you’d like. KeyRings are named, so you can keep track of their intended purpose.

Each KeyRing has only one active Key at a time. When a Key is requested from the KeyRing, this is the one that is returned. Unique cryptographic material, like IVs, are generated for each request, and guaranteed to be unique. Keys are never stored in plain text, but are stored encrypted with the Public Key associated with the KeyRing. All Key management implements best practices, and is routinely updated as needed; freeing the organization of this burden.

Accounts

Assigning ownership and access to KeyRings is done through Accounts. An Account can references anything: a person, a team, a service, a third party downstream data processor, a pencil... anything. Accounts own API Keys, through which all of their actions are recorded as part of the Activity Feed.

API Keys

API Keys allow access to a KeyRing, and are tied to Accounts. Each API Key has a set of entitlements that allow various levels of access to the KeyRings. For example, if you’ve created a KeyRing for a team, you would create an API Key for each user on that team, and designate their level of access. You can give managers full read/write permissions, while giving auditors read only access. Keys can be disabled at any time.

Activity Feed

The Activity feed tracks all actions taken by Accounts. Activities include the KeyRing, Account, action taken, whether or not the action was successful, timestamps, and Assets. Any data can be passed along with a request to track its unique signature. This data helps organizations prove they are in compliance, investigate cybersecurity incidents, build chain-of-custody workflows, or any task that requires historical data.

Customer Managed Keys

One feature that is introduced with the KeyRings is the ability for the customer to manage their own Keys. Every KeyRing is supplied with a Public Key, from an RSA Asymmetric Key Pair, that is used to encrypt all Keys generated from a KeyRing. We provide a solution for customers to manage these Key Pairs, but customers can manage them any way they like. They could destroy a Key Pair, which would ensure that no data can be decrypted from that KeyRing ever again. Cutomers could require third party data processors to encrypt data on their behalf, giving the customer full control, and an audit trail, over encrypted data in external systems.