Zuora Platform Encryption Concepts

Defines the key concepts and functioning of Zuora Platform Encryption.

Zuora Platform Encryption

Zuora Platform Encryption allows you to encrypt sensitive data at rest within the Zuora ecosystem. This encryption ensures your data remains protected and unreadable despite attempts to gain unauthorized access. Our platform encryption is built on the envelope encryption model, a cryptographic technique that involves using multiple layers of encryption keys to secure data. The data is encrypted with a data key, which is then encrypted with a master key.

This model offers several advantages in terms of security and flexibility. 

Improved security
In the event of an attack, if the attacker gains access to the encrypted data, they would still need to decrypt the data key using the master key before decrypting the actual content. This adds an extra level of complexity to unauthorized access attempts.

Reduced impact of key changes and key rotation
Envelope encryption facilitates key rotation without having to re-encrypt the entire dataset. You can simply re-encrypt the data keys. This is particularly useful for complying with security best practices and regulations that recommend or mandate regular key rotation.

Auditability and compliance
Envelope encryption can enhance auditability. Each data key can be associated with specific pieces of data or operations, allowing for detailed logging and auditing of key usage. This is valuable for compliance with regulatory requirements.

Scalability
Envelope encryption is scalable, allowing you to encrypt large datasets efficiently. The use of data keys for individual pieces of data enables parallel processing and encryption, contributing to better performance and scalability.

Envelope encryption

Encryption Key Management

Zuora Platform Encryption is an envelope encryption model with two layers of encryption keys: a data key and a master key. The data is encrypted with a data key that is generated by Zuora and rotated internally every 90 days. This data key is then encrypted with a master key that you provide. The master key can be either a BYOK encryption key from AWS Key Management Service (KMS) or a key generated and managed within the Zuora UI.
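
The two-layer model and the master key rotation described above, as an added example (not Zuora's code). It assumes local random bytes in place of KMS-held master keys and uses a standard-library HMAC-SHA256 encrypt-then-MAC construction as a stand-in for an authenticated cipher such as AES-GCM; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a keystream generator (stand-in cipher).
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                             hashlib.sha256).digest() for i in range(blocks))[:length]

def seal(key, plaintext):
    # Encrypt-then-MAC; layout is nonce (16) || ciphertext || tag (32).
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def encrypt_record(master_key, plaintext):
    # Layer 1: a fresh data key encrypts the data.
    # Layer 2: the master key encrypts (wraps) the data key.
    data_key = os.urandom(32)
    return {"wrapped_key": seal(master_key, data_key),
            "ciphertext": seal(data_key, plaintext)}

def decrypt_record(master_key, envelope):
    # Without the master key the data key, and so the data, stays unreadable.
    data_key = unseal(master_key, envelope["wrapped_key"])
    return unseal(data_key, envelope["ciphertext"])

def rotate_master_key(old_master, new_master, envelope):
    # Only the small wrapped data key is re-encrypted; the data is untouched.
    data_key = unseal(old_master, envelope["wrapped_key"])
    return {"wrapped_key": seal(new_master, data_key),
            "ciphertext": envelope["ciphertext"]}

if __name__ == "__main__":
    old, new = os.urandom(32), os.urandom(32)
    env = encrypt_record(old, b"constructed sample record")
    rotated = rotate_master_key(old, new, env)
    print(decrypt_record(new, rotated), rotated["ciphertext"] == env["ciphertext"])
```

After rotation the stored ciphertext is byte-for-byte identical, and an envelope re-wrapped under the new master key can no longer be opened with the old one.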

Bring Your Own Keys (BYOK)

BYOK allows your organization to generate and manage your own cryptographic AWS keys, which are then brought to Zuora for encryption or decryption operations. The use of BYOK keys adds an extra layer of security, especially in scenarios where data protection is critical. You have control over the lifecycle of keys, including key generation, rotation, and revocation, independent of Zuora.

This also enables you to implement customized security policies for key management based on your organization’s specific needs. BYOK lets you keep encryption keys within designated geographical boundaries, so that master keys are stored in your preferred locations while the integrity of the encrypted data is maintained.

Zuora Managed Keys

If you do not have your own Key Management Service or infrastructure, you can leverage Zuora’s integration with industry-leading AWS Key Management Service (KMS) to enable seamless key management. Zuora Key Management Service acts as a middle tier between you and the AWS KMS service. Zuora KMS provides complete control over the entire lifecycle of cryptographic keys, including generation, rotation, revocation, and deletion.

Zuora Managed Keys offers several business benefits that contribute to enhanced security, compliance, and control over sensitive data. Zuora Protect provides an extra layer of security by ensuring that only authorized personnel within your organization have access to the keys.

How is Zuora Platform Encryption different from data masking?

Encryption in Zuora serves as a safeguard against unauthorized access to business data, preventing unauthorized users from utilizing the information. It is important to note that encryption does not function as a method to conceal data from authenticated users. Data visibility for authenticated users is solely controlled by user permissions.

Encryption at rest primarily pertains to logins and does not impact data visibility based on user permissions. In the context of Zuora's platform encryption, if a user possesses the authorization to access a specific set of data, they will be able to view that data, regardless of whether it is encrypted or not.