The Audit That Failed Because the Vendor Could Not Prove Key Ownership

A case study on the difference between 'secure' and 'provably secure.' Learn why an audit demands evidence of key isolation.

Trust Is Not a Control

In my line of work, we distinguish between “Compliance” and “Security.” Compliance is checking a box. Security is the reality of the physics. However, in a rigorous audit, the two converge. The auditor requires proof that the physics match the policy.

The firm in question—let us call them “Firm A”—stored client contracts in a “Secure Vault” provided by a well-known SaaS vendor. The vendor boasted “AES-256 Encryption.” Firm A felt safe.

The client, a large financial institution, sent an auditor. The auditor did not care about the encryption algorithm. The auditor cared about the Key Management Strategy.

The Risk: The Custodial Key.

The auditor asked: “Who generates the encryption key?” Firm A replied: “The vendor handles that for us automatically.”

The auditor wrote down: Risk High.

The auditor asked: “Who manages the rotation of the key?” Firm A replied: “The vendor rotates it every 90 days.”

The auditor wrote down: Control Failure.

Why? Because if the vendor generates the key, and the vendor rotates the key, then the vendor owns the key. Therefore, the vendor has continuous access to the data.

Firm A argued that the vendor had a strict policy against looking at data. The auditor replied: “I cannot audit a policy. I can only audit a constraint.”

Because Firm A could not prove that the vendor was technically incapable of access, the financial institution pulled the contract. Firm A lost a six-figure retainer because they bought a tool that was “easy” instead of a tool that was “sovereign.”

The Defense: The Non-Custodial Evidence.

To pass this audit, you must be able to demonstrate Segregation of Duties.

  1. The Vendor provides the storage (the walls).
  2. The Client (You) provides the encryption (the lock).

When an auditor asks, “Who holds the key?”, the only passing answer is: “We do. It is generated on our hardware. It never leaves our perimeter.”

You must provide evidence. This takes the form of:

  • The Architecture Diagram: Showing that encryption occurs on the client device before the upload begins.
  • The Recovery Protocol: A document stating that if the client loses the key, the data is unrecoverable. (Ironically, the inability to recover data is the strongest proof of security).

Do not wait for the auditor to ask. Interrogate your vendors now. Ask them: “If I demand a technical guarantee that you cannot decrypt my data, what documentation can you provide?”

If they hand you a marketing brochure, find a new vendor. The Machine demands proof.

FAQs

Why does the auditor care who holds the key?

Because if the vendor holds the key, the vendor's employees are potential insiders. The auditor wants to know that a rogue sysadmin cannot read the files.

What evidence is acceptable?

A technical whitepaper is not enough. You need a 'Key Ceremony' log or an architecture diagram showing Client-Side Encryption.

Is this only for big law firms?

No. Any business holding PII (Personally Identifiable Information) or health data faces this standard.