Data Encryption and Key Management

Data Encryption – In Transit

All data hosted on and transferred through the FusionFabric.cloud platform is encrypted during transmission. Data is encrypted in transit from the source and throughout its life cycle. The encryption relies on secure protocols (at least TLS 1.2 or equivalent) configured with strong cipher suites, to provide confidentiality and authenticity of the data in transmission. The cryptographic keys and certificates used to establish secure connections are accepted only from trusted sources. In addition, all non-production environments, such as testing and development environments, maintain the same level of encryption as the production environments.

Data Encryption – At Rest

All data hosted on FusionFabric.cloud is encrypted by default at the storage and database level. The encryption keys are stored in Azure Key Vaults, and only service principals have access to the specific keys needed for encryption and decryption. In addition, restricted data is encrypted at the field level. For the Data Share feature, we have implemented zero-trust encryption, under which no identity in Finastra (service principal or individual) can decrypt the field-level encrypted data.

Key Management

All cryptographic keys used for encryption within FusionFabric.cloud are generated, stored and managed in Azure Key Vault instances. The minimum recommended lengths for AES and RSA keys are 256 bits and 2048 bits respectively. Our key management practices do not allow human users to view plaintext symmetric keys or asymmetric private keys. Access to the Azure Key Vaults is restricted at the network level and governed by strict IAM policies. All access events are monitored, and alerts are generated for any anomalous activity.

Zero-trust encryption at the field level uses an individual key to encrypt each field type within a dataset. All field-level data encryption keys are derived using PBKDF2 with the parameters recommended in NIST SP 800-132.

Entitlements

The authorization policy for each key is clearly defined and enforced whenever the key is accessed. Each key has an identifiable owner, whose identity is established either through the in-house identity provider (for internal services) or by brokering via the FusionFabric.cloud Login API.

Key Generation

The keys generated for all cryptographic operations follow Finastra’s internal key management standard, which draws on the best practices of NIST SP 800-57. We implement NIST-approved algorithms whether keys are generated pseudo-randomly or derived from secrets. Each tenant onboarded onto the platform can generate a unique, tenant-specific key.

Key Storage & Access

All cryptographic keys used for data encryption and session establishment are stored in Azure Key Vault. Access to the Key Vault is granted only to service principals, which use the keys for encryption or decryption. Key management activities such as generation, rotation, versioning and deletion are also performed by service principals. Individuals in the operations team are given access to the Key Vault only where needed for operational continuity. All access requests to the Key Vault are monitored, and alerts are generated in the case of anomalous access behaviour.

Zero-Trust

When Finastra customers store their data on the FusionFabric.cloud platform and want to share the datasets with consumers (e.g. fintech companies) via Data Share, the sensitive fields in the dataset are encrypted using the zero-trust encryption technology implemented by the FusionFabric.cloud platform. The zero-trust encryption implementation uses standard AES-256 encryption in GCM mode.

The FusionFabric.cloud platform facilitates key exchange between the customer and the consumer in a way that does not allow any component of FusionFabric.cloud, or any individual in Finastra, to derive the decryption keys. This guarantees both customers and consumers that, when using Data Share, they do not need to trust any component of FusionFabric.cloud or any individual in Finastra.

Note that zero-trust encryption is implemented at the field level, and each field in a dataset is encrypted using an independent key. Because the fields are encrypted under different keys, customers can give consent and exchange field-specific keys without weakening the protection of the fields for which consent has not been given. We also support key rotation and versioning as part of the zero-trust encryption implementation.