Customer-Managed Encryption-Keys

Peace of mind, for the security-minded.

What is CMEK?

  • Smartsheet uses encryption to safeguard customer data and help customers maintain control over it.
  • Smartsheet also allows customers to use Customer Managed Encryption Keys (CMEK) to encrypt sheet data with an encryption key that is stored within Amazon Web Services’ Key Management Service (KMS).
  • This encryption key is owned and managed by the customer within AWS, thereby allowing the customer to control access to their data.

Why Was CMEK Released?

Customer-managed encryption-keys (CMEKs) are intended for organizations that have sensitive or regulated data that requires them to manage their own encryption key. CMEKs allow enterprise organizations to use cloud SaaS applications while maintaining data control comparable to that of an on-premises installation. CMEKs add a customer-managed layer of encryption to Smartsheet’s data storage to support advanced data security and governance policies.

Smartsheet uses CMEKs to encrypt the organization’s data such that it remains under the control of the organization at all times. Specifically, Smartsheet does not store or control these encryption keys and Smartsheet must request and retrieve such keys from the customer’s AWS Key Management Service (KMS) whenever Smartsheet needs to access the sheet data.

As the organization controls the CMEK stored in AWS Key Management Service (KMS), they can revoke Smartsheet access to the CMEK and, thereby, access to their data at any time. By destroying the master keys in AWS KMS, the organization can effectively delete their data from Smartsheet systems. A malicious party with a copy of Smartsheet’s database, source code, and cloud encryption keys could still not read any of the data encrypted with CMEK.

What does CMEK solve?

  • Pain point: Organizations in highly regulated industries have had issues using Smartsheet for projects involving sensitive data, because having their own encryption key is a necessary part of their compliance requirements.
  • Solution: Now, organizations with the highest security requirements will be able to use Smartsheet for their sensitive data. CMEK will meet their organization’s security compliance requirements, and put the customer completely in control of managing their own key.

How does CMEK work?

There is no difference in the end-user experience between a customer who does not have CMEK and a customer who has activated CMEK. CMEK encryption and setup are done on the backend database layer. The customer sets up their AWS KMS account, creates an encryption key with specific policies granting Smartsheet access to the key, and provides the ARN for the key to Smartsheet. Smartsheet uses the key to encrypt the customer’s data and monitors that we have continuous access to the key for encrypting and decrypting the data. Since the data encryption and decryption is on the backend database layer.
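The key policy is where the customer decides what Smartsheet may do with the key. The following is an added example, not Smartsheet's CloudFormation script or code: a check a customer could run over a key policy document to confirm that the vendor principal can only use the key and cannot administer it. The account IDs, role name, key ID, and the list of usage actions are constructed placeholders and assumptions.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed placeholders: account IDs, role name and key ID are not real identifiers.
VENDOR = "arn:aws:iam::111122223333:role/example-saas-cmek-role"
OWNER_ROOT = "arn:aws:iam::444455556666:root"
KEY_ARN = "arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
# Assumption: the vendor only needs to use the key, never to administer it.
USAGE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"}
# Shape of a single-Region KMS key ARN (an alias ARN does not match).
KEY_ARN_RE = re.compile(r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}")

def is_key_arn(arn):
    """True if the string has the shape of a KMS key ARN."""
    return KEY_ARN_RE.fullmatch(arn) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def sample_policy(vendor_actions):
    """Build a constructed key policy: owner keeps admin, vendor gets vendor_actions."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "OwnerAdmin", "Effect": "Allow", "Principal": {"AWS": OWNER_ROOT},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "VendorUse", "Effect": "Allow", "Principal": {"AWS": VENDOR},
         "Action": vendor_actions, "Resource": "*"}]})

def audit_key_policy(policy_json, vendor):
    """Return findings about what the policy's Allow statements let the vendor do."""
    findings, granted = [], False
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if stmt.get("Effect") != "Allow" or not ({vendor, "*"} & set(aws)):
            continue
        sid, granted = stmt.get("Sid", "<no Sid>"), True
        if "*" in aws:
            findings.append(f"{sid}: wildcard principal")
        for action in as_list(stmt.get("Action", [])):
            # Anything outside the usage list (kms:*, PutKeyPolicy, ...) is reported.
            if not any(fnmatchcase(action, p) for p in USAGE_ACTIONS):
                findings.append(f"{sid}: non-usage action {action}")
    if not granted:
        findings.append("vendor principal has no Allow statement")
    return findings

if __name__ == "__main__":
    print(is_key_arn(KEY_ARN))
    print(audit_key_policy(sample_policy(["kms:Decrypt", "kms:PutKeyPolicy"]), VENDOR))
```

An empty findings list means the vendor statement grants usage actions only, so key administration and revocation remain with the key owner.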

What does the activation process consist of?

  1. When a customer on the Platinum Advance SKU wants to activate CMEK, the Smartsheet team will add a new entry to our CMEK Customer Onboarding Sheet.
  2. Smartsheet’s Customer Onboarding team will send a request to the customer to obtain the ARN and AWS admin contact information and update the CMEK Customer Onboarding Sheet with this information.
    • Smartsheet will provide the customer with an AWS CloudFormation script and indicate that the customer needs to run it with their AWS account ID. Running the CloudFormation script will generate an AWS KMS ARN.
    • Smartsheet will send an update request to the customer for the AWS KMS ARN and AWS admin contact information.
    • Smartsheet will update the CMEK Customer Onboarding Sheet with information from above.
  3. Smartsheet’s Customer Onboarding team will communicate internally indicating that a new CMEK customer needs to be enabled.
  4. Smartsheet’s Grid Storage Team will create the new database instance and the Engineering DBA will update the CMEK Customer Onboarding sheet to indicate the completion of the new instance setting (this would look like: CMEK-Created = TRUE.)
  5. Once CMEK-Created is set to TRUE, using Smartsheet automation, we will notify our teams that we are ready to proceed.
  6. Once our teams are notified, the Fulfillment team will set the feature flag in our internal activation system.
  7. Once an order that contains CMEK has been activated, the Fulfillment Team will send a fulfillment email to the customer contact on record, informing them that CMEK has been activated.

What do customers need to know about CMEK?

  1. CMEK users will need to have AWS KMS access and related governance policies set up to manage their encryption keys.
  2. CMEK users will need to give Smartsheet access to the encryption key via an Amazon Resource Name (ARN).
  3. The encryption key will need to be set up to give Smartsheet specific policies to access the key.
  4. Smartsheet can provide a CloudFormation script which will make it easier to set up the key.
  5. CMEK activation can take 2-4 weeks due to timelines on both the customer side and Smartsheet side.
  6. Only sheet data is encrypted with CMEK; other data, such as attachments, reports, dashboards, WorkApps, etc., is encrypted with Smartsheet's current encryption.
  7. Existing data that customers may have with Smartsheet will be migrated over time to CMEK encryption.
  8. CMEK is reserved for the Platinum Advance Tier.