Brendan Diaz
According to the March 2020 ITAR encryption addendum, ITAR regulated data stored or transmitted in the cloud must be “end-to-end encrypted” (E2EE). Additionally, ITAR regulations state that "The means of decryption are not provided to any third party."
In order to properly satisfy this rule, ITAR compliant E2E encryption requires that the keys used for encryption and decryption be stored locally on the endpoints, not on a server or a key management system.
What does this mean for you? Like, specifically...
Well, to put it bluntly, if you are using a traditional file storage, collaboration, or messaging application (one that relies on “in-transit + at-rest” encryption), you are in pretty flagrant violation of core ITAR requirements. Oh, and even systems that offer enterprise key management (EKM) integration / support don't meet the muster.
But what's the difference between E2E encrypted systems and systems that offer both in-transit and at-rest encryption for data? Let's discuss...
With in-transit + at-rest encryption the means of decryption are provided to intermediary servers, effectively breaking E2EE and introducing security vulnerabilities, single points of failure for mass data breaches, insider threats and more.
In-Transit + At-Rest Encryption
When encrypting data in-transit (ex. SSL or TLS), data is encrypted between an endpoint and a server; upon reaching the server, that data is necessarily decrypted. The server may then re-encrypt the data “at-rest,” but this is almost useless because the server necessarily has the decryption key. Similarly, with an enterprise key management system (EKM), in order for the encryption and decryption to take place on the server, the keys must be shared with the server (even if only temporarily).
Inherent to the concept of server-side encryption, these keys could be retrieved by a determined attacker or a malicious insider. With this type of encryption architecture, the data is fundamentally not end-to-end encrypted between the endpoints, introducing both security vulnerabilities and non-compliance with the ITAR encryption regulation.
End-to-End Encryption
Conversely, with E2EE, the encryption and decryption keys never leave the endpoints. Any servers or cloud infrastructure used to store and relay data functionally operate as "dumb" switchboards, routing data from one location to another without ever having access to the keys nor the means to decrypt data.
HighSide: ITAR Compliant End-to-End Encryption
With HighSide, all messages and files that flow through the applications and server infrastructure are 100% E2EE from the originator to the recipient.
This means that all encryption and decryption takes place on the endpoints.
In order to encrypt and decrypt data locally, HighSide's cryptographically unique encryption keys are generated and stored on the device, never sent or shared with our server or available to admins or external key management systems. In effect, HighSide's ITAR compliant file-sharing & collaboration system is zero trust.
If you want to dig in deeper on this topic, take a gander at the "comprehensive" white-paper on HighSide's E2E encryption protocol, or dig into the the “HighSide's Distributed Private Root of Trust Cryptography Explained” blog post.