We are proud to announce the successful completion of the Encryption Key Management System (KMS) Assessment project conducted by SecureIT, a leading cybersecurity and risk audit firm.
This assessment follows the comprehensive secure code review project that Afi announced last week. SecureIT leveraged the analysis from the source code review project to zero in on Afi data encryption mechanisms and key management infrastructure.
The successful completion of this project is a significant milestone for us, providing both Afi and our customers with additional independent validation of our data protection controls.
What Is a KMS Assessment?
The goal of the Encryption Key Management System Assessment project was to evaluate Afi encryption implementation and encryption key management infrastructure.
During the KMS assessment, SecureIT manually reviewed Afi source code and infrastructure, identifying vulnerabilities in the Key Management System (KMS) implementation and assessing risks related to encryption key exposure, unauthorized access, and potential data breaches.
In addition to analyzing encryption configuration and infrastructure SecureIT conducted an analysis of encrypted file samples to validate cryptographic properties of encrypted data.
How Is It Related to Afi Secure Code Review?
During the the Secure Code Review – which was completed earlier – Secure IT analyzed Afi source code, encompassing all significant components of the application. The code review involved a manual assessment of potential weaknesses within the source code and the presence of adequate information security controls within the application.
SecureIT used results from the code review project to conduct this KMS assessment, specifically focusing potential weaknesses and vulnerabilities with respect to data encryption, confidentiality and integrity.
Project Results and Report
SecureIT’s examination of Afi encryption KMS did not identify any misconfigurations or weaknesses in encryption that an attacker can target or exploit. The assessment confirmed Afi's sound approach to data protection.
SecureIT noted Afi’s well-architected cloud infrastructure design, providing recommendations to further enhance the architecture. It also confirmed Afi’s implementation of multi-layered encryption approach, with encryption keys stored securely, ensuring the confidentiality and integrity of sensitive data.
Description of Afi layered encryption approach
- Every backup tenant has its own tenant encryption key created during onboarding. The tenant key is stored in a database (DB) encrypted using an external KMS.
- The tenant key and never leaves the secret-manager, ensuring that the tenant key remains protected.
- Afi also supports Bring-Your-Own-Key (BYOK) capabilities, enabling customers to use their own KMS provider (including AWS and Azure KMS). Backup archives (groups of resources that belong to one tenant) are also encrypted using a per-archive archive key. The use of the archive key enhances data security by isolating the encryption keys for individual archives.
- The data key is encrypted by the archive key which in turn is encrypted by the tenant key. This layered encryption approach ensures that sensitive data is well-protected and requires the appropriate keys for decryption.
The assessor also examined the key storage and rotation mechanisms, protecting encryption keys from unauthorized access and potential compromises.
The KMS Assessment report, along with the Secure Code Review report, is available for existing Afi customers and potential customers upon request.