Enterprise Key Management (EKM)

Overview

Enterprise Key Management (EKM) is an Asana feature that allows you to encrypt your data with keys that you own. EKM affords you more control over your data by putting the keys in your hands, with visibility into how the keys are being used, all while you continue to get the most out of Asana.

Asana Enterprise Key Management integrates with encryption keys that you create using AWS KMS (Key Management Service). Your keys are used to encrypt your data across Asana’s data layer: data residing in RDS (Relational Database Service), attachments residing in S3, and Search.

How EKM Works

EKM at Asana works by encrypting your data in all of our production datastores. At a high level, this is how EKM works:

  • You set up AWS KMS keys specific to Asana EKM in your own AWS account. These keys should ONLY be used for EKM at Asana, and not for any other purpose.
  • You grant Asana access to these keys.
  • For domain data in RDS, Asana uses these keys to encrypt your data and encrypt your database backups.
  • For your attachments stored in S3, Asana will create a new AWS account for isolation. We’ll then create an S3 bucket set up with encryption using your keys.
  • For your data residing in OpenSearch, Asana will create a new OpenSearch instance, set up with encryption using your keys.
  • Note that a small portion of user-inputted data will remain unencrypted. Currently, these exceptions are:
    • Email addresses
    • App Integration metadata
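
Because the keys are meant to be used only for EKM, a key owner may want to confirm that the key policy names no one beyond their own account and the principal granted for EKM. The following is an added example, not Asana's code or documentation: the account IDs, the sample policy, the listed actions and the function names are constructed placeholders, since this page does not state which principal or permissions Asana requires.

```python
import json
import re

# Constructed placeholders: the page gives no account IDs or required actions.
OWNER_ROOT = "arn:aws:iam::111111111111:root"      # your AWS account (assumed)
EKM_PRINCIPAL = "arn:aws:iam::222222222222:root"   # principal granted for EKM (assumed)
ALLOWED = {OWNER_ROOT, EKM_PRINCIPAL}

# Constructed sample key policy with one stale grant left on the key.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": "111111111111"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "EkmUse", "Effect": "Allow",
         "Principal": {"AWS": EKM_PRINCIPAL},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "LegacyReporting", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::333333333333:role/reporting-job"]},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _normalize(principal):
    # A bare 12-digit account ID is shorthand for that account's root ARN.
    if re.fullmatch(r"\d{12}", principal):
        return f"arn:aws:iam::{principal}:root"
    return principal

def unexpected_principals(policy_json, allowed=frozenset(ALLOWED)):
    """Return sorted (sid, principal) pairs for Allow statements that name
    a principal outside `allowed`. Conditions are ignored, so a hit means
    'review this statement', not a confirmed exposure."""
    findings = set()
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotPrincipal" in stmt:  # Allow + NotPrincipal matches almost everyone
            findings.add((sid, "NotPrincipal"))
        principal = stmt.get("Principal", {})
        groups = [principal] if isinstance(principal, str) else principal.values()
        for group in groups:
            for name in _as_list(group):
                if _normalize(name) not in allowed:
                    findings.add((sid, _normalize(name)))
    return sorted(findings)
```

The key policy is only one path to a KMS key: KMS grants and IAM policies in the owning account can also confer access and need their own review.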

If you are interested in EKM, please contact your sales representative.