Information Security in the Automotive Industry: Boxcryptor and the TISAX Certification
In 2017, the German automotive industry defined the TISAX (Trusted Information Security Assessment Exchange), a certification procedure for data protection. It was established for the members of the automotive industry and its suppliers. TISAX is based on the VDA ISA (“Information Security Assessment”) and serves as an industry-wide security standard and a uniform basis for auditing.
TISAX can be divided into four areas:
- Information Security
- Connection to third parties
- Prototype protection
In this article, we will give you an overview of how the use of Boxcryptor can help you to make your company TISAX compliant when it comes to information security and data protection.
Table of Contents
- Information Security
- Technical and Organizational Measures (TOM)
Globalization, international networking, and cloud applications — advances that often make our lives easier also entail many risks. For example, companies and institutions are repeatedly victims of hacker attacks in which sensitive data falls into the hands of unauthorized individuals. For this reason, TISAX also considers data security to be an important issue and makes information security a key component of the certification. How companies want to meet the requirements of TISAX must be considered before the initial audit, possibly also during the action plan or at the latest before the follow-up audit.
The cloud encryption solution Boxcryptor is a suitable technical and organizational solution to make your company TISAX compliant. Especially in the area of information security we can help you in many ways.
Cryptographic Procedures With Boxcryptor
Among other things, TISAX demands an inspection whether the used cryptographic procedure offers sufficient protection for sensitive data. Our answer: Yes, Boxcryptor encrypts your data using a combination of the AES-256 encryption standard (one of the most widely used and secure encryption standards) and RSA-4096 encryption.
These are encryption standards that cannot be cracked with the currently available computing power. For example, it would take longer to crack a 128-bit AES key with a modern supercomputer than the assumed age of the universe. To date, no successful attack is known for any of the AES variants. Thus, the cryptographic method used by Boxcryptor meets the requirements of TISAX.
Boxcryptor is a SaaS encryption solution specialized for cloud storage like OneDrive, Dropbox, or Microsoft Teams. However, our software can also be used to encrypt classic file storage such as network drives, USB mass storage or file servers. In case of a possible cyber-attack on a storage device that you protect with Boxcryptor, only the encrypted data can be stolen. These are useless for the attackers because they cannot read the information contained in them.
We guarantee this protection, even if an employee forgets the password or leaves the company.
The Boxcryptor administrator has access to the company key/master key. With it, he or she has full control over all the company data. You can use the master key to access all files created by employees of your company without having to know the respective passwords. With the Master Key activated, you can still access the data if someone forgets his or her password or leaves the company. In the latest case, you also have the possibility to deactivate or delete the user account.
Handling Cryptographic Keys
Within the framework of TISAX, a usage concept for cryptography is also required. This includes the aspect of the procedure for the complete life cycle of cryptographic keys. For Boxcryptor the procedure is as follows:
Generation of keys: First the file is encrypted by an AES algorithm. The resulting AES key is then attached to the file which in turn is encrypted with an RSA public key. To decrypt these encrypted keys, the private key is required. Each user receives his or her own key when the user account is set up, which is then attached to the file (using access permission).
Saving the keys: The keys of the Boxcryptor users are stored encrypted on our servers. They are secured with the personal password which we do not know, do not store, and never send to our servers. Thus, we take over the storing for you, but never have the possibility to view your unencrypted keys which enables us to keep our zero knowledge promise.
With Single Sign-on, which we offer our customers with Boxcryptor Enterprise licenses, the keys are managed by your company via a Key Management Service (KMS). Boxcryptor supports on-premises and cloud solutions.
Archiving the keys: By exporting the keys you can archive them in your IT system.
Retrieval of keys: The keys are automatically retrieved by our software.
Distribution of the keys: Automatic keys are assigned to each user, group, and document.
Deactivation of the keys: The keys are not deactivated by Boxcryptor or the Secomba GmbH. However, user accounts can be deactivated by the administrator. In this case, the private keys are automatically deactivated. If you reactivate the user account at a later date, the keys will be reactivated as well.
Renewing keys: Keys can be renewed by changing the password of the user account. A new key pair will be created in this process.
Deleting keys: Neither Boxcryptor nor the Secomba GmbH itself deletes keys. However, the administrator can delete private keys by removing the user account.
Security in Exceptional Situations
TISAX provides for the following exceptional situations: Natural disasters, physical attacks, accidents, and cyber-attacks. In the worst case, unauthorized third parties may get access to sensitive information. With Boxcryptor, damages like this can be minimized.
Boxcryptor encrypts your documents on the device before they are uploaded in the cloud. Our end-to-end encryption with zero knowledge standard ensures that no unauthorized individuals have access to your data. This applies not only to potential attackers, but also to the cloud provider, unauthorized employees of your company, and to us as the provider of the encryption solution.
For this reason, no controller-to-controller contract with the Secomba GmbH is necessary. The only personal data collected by us are the first name, last name, and e-mail address. Therefore, in accordance with the GDPR for example, no order data processing contract is necessary with the Secomba GmbH.
According to TISAX, a backup should be created for exceptional situations. A recovery of the encrypted data is still possible, even if the Boxcryptor Server is no longer available or the Secomba GmbH no longer exists. In this case Boxcryptor offers the possibility to export the user keys. If the administrator keys are exported, the company key/master key will be as well. With the master key it is possible to decrypt all data of your company — even without the connection to the Boxcryptor server.
In concrete terms, the following components are necessary for this:
- (Encrypted) physical data
- Boxcryptor Client
- Exported user keys of the admin
- Password of the Boxcryptor admin user account
- Password of the company key/master key of the admin
Additionally, the Secomba GmbH provides a Single File Decryptor on Github, which enables the decoding of files encrypted with Boxcryptor with freely available source codes, even without a native Boxcryptor Client.
Assign and Manage Access Permissions
To pass the TISAX audit, it is important that only authorized users have access to the company's data and that you can assign access rights to the user accounts. With Boxcryptor you can easily manage these accounts of individual employees yourself. Each employee gets his or her own user account, which is assigned to him or her personally. With it he or she has access to various company data.
An example: The marketing department can view and edit their files, but has no access to the data of the human resources department and the employees of the human resources department have no access to the data of the management, unless the access has been explicitly assigned to them.
Securing User Access to IT Network Services
TISAX requires strong authentication when privileged user accounts are logged in. This requirement is met by two-factor authentication, which can also be set up on Boxcryptor. The users confirm their identity each time they log in on a second device, for example, a smartphone.
Protection of Files During Data in transit
When files are transferred over a public or private network, the information can be read and modified by third parties if the protection is inadequate. Boxcryptor encrypts your data on your device before they are synchronized with the cloud. Even when downloading files from the cloud, the data is only decrypted on your device. Therefore, no unauthorized third parties can view or edit the contents of your data.
Protection of Personal Data
TISAX explicitly lists personal data as particularly sensitive. Therefore, they require high protection. Like all data that are encrypted in the cloud with Boxcryptor, personal data is also comprehensively protected.
Technical and Organizational Measures (TOM)
The section “Data protection” is mainly based on the basic data protection regulation of the European Union. [Please also read our blog article on this topic] (/blog/post/how-boxcryptor-can-help-you-with-the-gdpr/).
Requirements of TISAX include the implementation of appropriate security measures to minimize unauthorized access to personal data. The GDPR provides for so-called TOMs for this purpose.
Only a measure “that render the personal data unintelligible to any person who is not authorized to access it” qualifies as a TOM (GDPR, Art. 34, p.53).
This means that as soon as you can ensure that unauthorized third parties never have access to your data, they are adequately protected. This applies even if, in the worst case, unauthorized access to your data has been made.
As you already know, this is exactly what we are specialized in: No one but authorized company employees have access to the sensitive data because it is encrypted before it is synchronized with the cloud. With the implementation of Boxcryptor, you can therefore ensure that the processing of personal data is compliant with the rules and that internal processes and workflows are carried out in accordance with the currently valid data protection regulations.
Boxcryptor is a suitable technical and organizational solution to make your company TISAX compliant. With our strong end-to-end encryption for your data, you not only come a step closer to receiving the information security and data protection label, but also protect your sensitive data even in the event of a cyber-attack.
Boxcryptor works according to the zero knowledge principle. We only collect the data necessary to create an account, such as name, and e-mail address. We have no access to the content of the files encrypted with Boxcryptor. Read more in our article Zero Knowledge Cloud: How to Keep Your Data Safe and Private.
In order to use Boxcryptor in your company, you do not need to sign a controller-to-controller contract or a contract for data processing with the Secomba GmbH. We are happy to support you in setting up Boxcryptor in your company.