File encryption overview
MiaRec provides rock-solid audio encryption functionality, ensuring all call recordings are securely stored. MiaRec encryption functionality helps companies confidently adhere to the highest corporate security standards and comply with legal regulations such as PCI-DSS, HIPAA, Dodd-Frank, and Sarbanes-Oxley.
Some key features of MiaRec audio file encryption:
- Asymmetric encryption, where a public key is used for encrypting and a private key is used for decrypting
- Administrator has control over who can play back (decrypt) the recordings
- In a multi-tenant mode, each tenant has it's own unique encryption key
- Encryption is applied to backup data, as well
Audio file encryption vs role-based access control
MiaRec role-based access control system provides protection of data from unauthorized access to the MiaRec web-portal. Everyone accessing the system must be an authenticated user with associated set of permissions.
Audio file encryption provides an additional layer of security over the role-based access control system in MiaRec. If encryption is enabled, then audio files are stored on a hard disk in encrypted format. This insures that even if unauthorized user gains physical access to the storage system, he/she has no ability to play back recordings because he/she doesn't have the private encryption key.
Download of encrypted recordings
When a user downloads individual call recordings through MiaRec web-portal, the file is decrypted in flight. The file is saved on the user's computer in unencrypted form.
However, when a user uses the bulk download feature and downloads multiple call recordings in ZIP archive, then the downloaded files are retrieved in encrypted form. The user cannot play back such call recordings unless he/she imports them into the MiaRec system together with private encryption key.
Encryption for backups
Use of file encryption is beneficial for backup data, as well. All recordings in backup archive can be encrypted.
Encryption in multi-tenant environment
In multi-tenant mode, each tenant has it's own encryption key. Even if an audio file from one tenant becomes available to another tenant, the latter could not play back, because the file is encrypted with a different key.
Additionally, in a multi-tenant hosted environment, MiaRec supports the following usage scenario: Tenant may provide the service provider with the public encryption key only. The tenant doesn't is not required to disclose their own private key to the service provider. This means that nobody on the service provider side - even system administrators - would be able to play back tenants' call recordings. To play back such call recordings, they should be uploaded to tenant's private network and imported into a local instance of MiaRec software.
MiaRec encrypts every call recording with asymmetric encryption. For every recording, MiaRec generates a random AES encryption key. This symmetric encryption key is then encrypted using asymmetric encryption (one key for encryption - often referred to as the "public" key - and a different key for decryption - often referred to as the "private" key).
MiaRec uses Advanced Encryption Standard (AES) for symmetric encryption (256-bit key) and the Rivest-Shamir-Adleman (RSA) public key algorithm for asymmetric encryption (2,048-bit keys).
The details and theory behind the asymmetric encryption method is beyond the scope of this article. However, a good primer is available at https://en.wikipedia.org/wiki/Public-key_cryptography. In short, a public key is used for encrypting data and private key is used for decrypting it. The public key doesn't need to be stored securely. Anyone can access the public key, but no one can use the public key to decrypt the data that the public key encrypted. The only way users can decrypt data is with the private key.
User access to encryption keys
Administrators need to grant particular users access to encryption key(s) before they can play back (decrypt) audio files. Note, the administrator may grant access only to those encryption keys which are granted to him/her. If administrator (even if he/she has role "Root administrator") has no access to the encryption key, then he/she cannot grant access to other users for the same key.
MiaRec software never stores encryption keys in the database in plain text for security reasons. Even if an unauthorized party gains access to database files, he/she could not retrieve the private keys because they are stored in encrypted format. There is no way to gain user's private key without knowing the user's password.