Why Was CMEK Released?
Customer-managed encryption-keys (CMEKs) are intended for organizations that have sensitive or regulated data that requires them to manage their own encryption key. CMEKs allow enterprise organizations to use cloud SaaS applications while maintaining data control comparable to that of an on-premises installation. CMEKs add a customer-managed layer of encryption to Smartsheet’s data storage to support advanced data security and governance policies.
Smartsheet uses CMEKs to encrypt the organization’s data such that it remains under the control of the organization at all times. Specifically, Smartsheet does not store or control these encryption keys and Smartsheet must request and retrieve such keys from the customer’s AWS Key Management Service (KMS) whenever Smartsheet needs to access the sheet data.
As the organization controls the CMEK stored in AWS Key Management System (KMS), they can revoke Smartsheet access to the CMEK and, thereby, access to their data at any time. By destroying the master keys in the AWS Key Management System (KMS), the organization can effectively delete their data from Smartsheet systems. A malicious party with a copy of Smartsheet’s database, source code, and cloud encryption keys could still not read any of the data encrypted with CMEK.