
BYOK includes a number of security features:

| Security Feature | Description |
| --- | --- |
| Encryption assurance | Our encryption infrastructure includes a key manager appliance certified to FIPS 140-2 Level 3. An embedded Hardware Security Module (HSM) provides the Roots of Trust (RoT). All data is encrypted using the AES (256-bit) algorithm. |
| Encryption infrastructure | You can use our encryption infrastructure to manage an encryption key lifecycle for your assets. It provides data confidentiality and protection of keying material that satisfies the NIST SP 800-175B specification. If you prefer, you can upload compatible keys generated from an external crypto management application. |
| Data encryption and access control | Data encryption and access control are achieved through a kernel file protection driver installed on the application server. |
| Separation of duties | BYOK supports a strong separation of duties policy. Key management is the sole responsibility of the Encryption Administrator and is separated from other administrative roles at the tenant and workspace levels. With BYOK, no single administrator has complete control over data protection activities. |
| Customer controlled encryption and key management | You control your keys and the associated key lifecycle directly in Anaplan Administration. No Anaplan employees, or non-Encryption Administrators within your organization, have access to your keys and encrypted model data. |
| Transparent encryption | While all of the data in an encrypted model is protected, the data encryption isn't visible to end users. This reduces complexity and cost. |
| Geo-legal sensitivity | BYOK enables you to store your keys and encrypted data in line with your specific geo-legal requirements. This is subject to approval. |
| Compliance reporting | Compliance reporting provides detail on encryption, key management, and access policy actions, by user and time. The log records every user and process that attempts to access the encryption protection data, whether successful or not. |