By Outside the Stacks, Inc

Topology at Current Large Enterprise Data Center

In a current large enterprise (private, managed network), there are many TLS clients and servers.  But there are also many other tiers on the path that participate in making the business transaction actually do its work!

Use MTNV EncryptionAsAService for TLS session

Our products provide Encryption as a Service!   We handle setting up the TLS session for you.   We create a secure messaging group for all your network devices.  Think of it as all the network devices in a complex, dynamic path joining a WhatsApp group!

Form Messaging Group / Get Keys

The EncryptionAsAService product gets a portion of the key and sends it off to the Diagnostic Controller.  The keys for the TLS session are not known to any devices on the messaging group other than the TLS client and server.   

Store Key Information Securely in an HSM

The Diagnostic Controller saves a portion of the key in a Hardware Security Module (HSM).  The Diagnostic Controller is not a part of the messaging group.  It does not have the entire key until the next step when it reconstructs the TLS session key.   

When the TLS session key is needed ...

The Diagnostic Controller reconstructs the keys when it is appropriate and gives them to the authorized device or diagnostician. 
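The three steps above (form the group and take a portion of the key, store that portion in the HSM, reconstruct the key only when authorized) amount to a split-key escrow. The following is an added example, not code from Outside the Stacks or the MTNV product: it splits a session key into two shares, escrows one share in a stand-in for the Diagnostic Controller's HSM, shows that a single share recovers nothing, and reconstructs the key only after an explicit authorization decision. The 2-of-2 XOR split, the HsmStore class, the session identifier and the SHA-256 counter-mode record protection are all assumptions made for the demo, not the product's mechanism.

```python
# Added example (not MTNV/Outside the Stacks code). Demonstrates a split-key
# escrow: one share stays with the service, one share is escrowed in an HSM
# stand-in, and the session key exists again only when both shares meet
# under an authorized release. All mechanisms here are demo assumptions.
import hashlib
import secrets

KEY_LEN = 32  # assumption: a 256-bit session key, e.g. a TLS 1.3 traffic secret


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: each share alone is uniformly random and reveals nothing."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def reconstruct_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; both are required, there is no partial recovery."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class HsmStore:
    """Stand-in for the Diagnostic Controller's HSM (constructed for this example).

    It holds only one share per session and releases it solely on an explicit
    authorization decision, recording every release attempt in an audit log.
    """

    def __init__(self) -> None:
        self._shares: dict[str, bytes] = {}
        self.audit: list[tuple[str, str]] = []

    def store(self, session_id: str, share: bytes) -> None:
        self._shares[session_id] = share

    def release(self, session_id: str, authorized: bool) -> bytes:
        self.audit.append((session_id, "released" if authorized else "denied"))
        if not authorized:
            raise PermissionError(f"release of {session_id} not authorized")
        return self._shares[session_id]


def demo_protect(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for TLS record
    protection. It is symmetric, so the same call also decrypts. Demo only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def escrow_round_trip(authorized: bool, record: bytes = b"GET /orders/42 HTTP/1.1") -> bytes:
    """Full flow: split at session setup, escrow one share, reconstruct later.

    Returns the recovered record when the release is authorized and raises
    PermissionError otherwise.
    """
    session_id = "sess-0001"  # constructed identifier
    session_key = secrets.token_bytes(KEY_LEN)  # only client and server hold this
    nonce = secrets.token_bytes(12)
    ciphertext = demo_protect(session_key, nonce, record)  # traffic as seen on the wire

    # Session setup: the service keeps one share, the controller escrows the other.
    service_share, controller_share = split_key(session_key)
    hsm = HsmStore()
    hsm.store(session_id, controller_share)

    # A single share cannot recover the record: decrypting with it yields noise.
    assert demo_protect(controller_share, nonce, ciphertext) != record

    # After the fact: the diagnostician asks for the key; the HSM enforces the decision.
    recovered_key = reconstruct_key(service_share, hsm.release(session_id, authorized))
    return demo_protect(recovered_key, nonce, ciphertext)


if __name__ == "__main__":
    print(escrow_round_trip(authorized=True))
    try:
        escrow_round_trip(authorized=False)
    except PermissionError as exc:
        print("denied:", exc)
```

The point of the split is that the escrow store never holds a usable key on its own, so a compromise of the store alone does not expose traffic; the audit list in HsmStore is where a real deployment would hook its logging and approval workflow.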

Because the Diagnostic Controller is not a part of the messaging group, no one can send potentially fraudulent messages on the TLS session itself.  No other device (other than the TLS client and server) knows the keys during the session itself.  If the enterprise authorizes the use after the fact, then the keys are securely available.  In the next version, there will be an API to provide keys in real time to authorized monitoring devices.  We follow the NIST guidelines and best practices for the management of cryptographic keying material.