Introducing Enterprise Controlled Encryption: Empowering Customers with Control Over Their Data

At Verkada, we're focused on delivering cutting-edge security products that not only protect customer data but also empower customers to manage it on their terms. Today, we're excited to announce an exciting new feature that transforms how our customers secure and control their video data: Enterprise Controlled Encryption (ECE). With ECE, we’re taking data security to the next level by putting the encryption and decryption processes directly in the hands of our customers. ECE is more than just a feature–it’s a commitment to safeguarding customer data and empowering customers to take control over their data security.

What is Enterprise Controlled Encryption and how does it differ from Verkada's existing data protections?

Verkada has always prioritized data security with encryption both at rest and in transit. Data is protected, in other words, whether it's stored on a camera, on Verkada cloud servers, or when transmitted between the two. ECE adds an even stronger layer of protection by giving the customer control over the keys to decrypt data on their own devices. In order to decrypt data, an attacker would have to access both the data from Verkada and the key from the customer, making successful intrusion significantly more complex.

Let’s illustrate the difference between encryption at rest and in transit and ECE with an analogy: imagine a retail store owner (the Verkada customer) uses an armored truck service (Verkada) to transport a bag of cash (video data) between the store (the Verkada camera) and a nearby bank (Verkada cloud servers). The cash is stored securely in the retail store’s safe (data encryption at rest on camera), protected during transit in the armored truck (data encryption in transit), and once it arrives at the bank, it is secured in a vault (data encryption at rest in cloud). 

Imagine now that the store owner places the cash in a secure lockbox inside the armored truck and only the store owner holds the key to this lockbox (the benefits of ECE). Throughout the entire transit process—from the store to the bank—no one, not the armored truck driver, or the bank (Verkada), can access the contents of the lockbox because they don’t have the lockbox key. Only the owner (the customer) has the key, and only the owner can access or decide who can access the content (video data).

To summarize:

1. Encryption at rest: data is encrypted and protected while stored on a camera or in the cloud.

2. Encryption in transit: data is encrypted when sent between devices or sent between the cloud and devices.

3. ECE: Combines encryption at rest and in transit with the added layer of a client-side encryption key–helping ensure that only authorized users and devices can access data. It is also important to note that ECE is currently an opt-in feature; whereas, encryption at rest and in transit are enabled by default.

How Does Enterprise Controlled Encryption Work?

ECE performs a layer of decryption directly on customers’ devices, instead of solely relying on our servers. This decentralized approach gives the customer control over their decryption keys. Leveraging a well-recognized technique called client-side encryption, ECE ensures that the encryption and decryption of video data is controlled by the customer's devices, including their Verkada cameras and client devices where users access Command (e.g., phone, tablet, computer). The technology underpinning ECE instructs cameras to follow a data encryption procedure which specifies how video data should be encrypted. With ECE, both live and historical video that is processed through our cloud is encrypted with a key that Verkada does not possess. [1] ECE’s benefits are provided on top of our standard encryption at rest and in transit.

With ECE, decryption also requires access to two keys: one stored on Verkada servers and the other with the customer’s identity provider (e.g., Okta, Microsoft Entra ID, etc.) Both keys are required to decrypt video history. This process adds an additional layer of protection in the event of a security breach at either the identity provider or Verkada: as long as one key remains secret, the customer’s data remains secure. ECE is, in short, an enhanced and robust security method for data storage and transfer, combining the existing secure decryption step on Verkada's servers with a second step on the customer's own devices.

Conclusion

ECE gives customers control of their encryption keys, adding an extra layer of security and control through client-side encryption. Using two sources of keys for video data via ECE adds a new hurdle for attackers, keeping data secure against additional threats. Customers can also leverage pre-built identity provider integrations for seamless deployment of ECE within their organization, maximizing the impact while minimizing friction. Our customers gain a powerful new level of security and control with ECE. 

Ready to learn more? 

Check out our one-sheeter overview and FAQ to learn more about ECE. ECE will be available to customers beginning on October 3, 2024. To get a personalized demo or free trial, contact your Verkada sales representative or email [email protected].

Footnotes:

[1] In order to deliver certain features and analytics that require cloud processing, however, Verkada requires limited, temporary access to recent video from customers’ devices. ECE still controls what specific access is granted.