XQ Automated Key Management Use Cases

Fundamentally, XQ is the basis for building a data security practice that complements existing network-based approaches.

XQ acts as an automated external key management system, creating a data leash for every data object. XQ can be deployed on-prem, hybrid, in the cloud, or as SaaS.

Protect against advanced threats while maintaining Data Access Governance (DAG) with XQ’s Sensitive Data Discovery & Traceability.

XQ is a Zero Trust Data Security platform that automates data-object-level protection and enforces policies and chain of custody beyond the boundary of a single environment.

XQ automates external key storage, making it easy to apply attribute- and role-based access at the data object level on existing infrastructure.

Unlike other security and compliance tools, XQ never has your data.

By separating storage from data access, XQ offers external security controls for your data across all platforms, eliminating any gaps in data governance.


Use Cases

Below are some everyday use cases for XQ:

  1. Compliance: Built on the NIST standard, XQ automates many compliance aspects in retail and pharmaceutical industries. The regulatory mandates XQ helps with include aspects of CCPA, CMMC, GDPR, HIPAA, FINMA, FINRA, etc. 

  2. Data Classification and Access Enforcement: Organizations have an impossible task of understanding what data they have and enforcing who should have access to it across environments. XQ solves this problem through automated classification and access control at the record level.

  3. Ransomware extortion & Insider threat: XQ’s data leash allows organizations to stop lateral movement and turn their exfiltrated data into digital dust.

  4. Data Localization: XQ restricts access to data based on geographic location, ensuring organizations meet regulatory requirements like GDPR without complex infrastructure, even when using commercial cloud storage.

  5. Right to be Forgotten: XQ automates the deletion of user-specific data across the enterprise, providing proof of erasure without needing manual, costly intervention, especially on backups.

  6. Secure Collaboration with Partners: XQ allows organizations to share sensitive data with partners securely while retaining complete control. If a partner is breached or the partnership ends, access to the shared information can be instantly revoked, ensuring continued data protection.

  7. Secure Cloud Migration: XQ provides forensic-level logs to ensure data integrity during migration, verifying that data is not altered, copied, or exfiltrated. This is essential for public safety and healthcare clients requiring a verified chain of custody for legal purposes.

  8. Zero Trust Data Unifies Security Across Environments

    Self-protecting data from your desktop to the cloud automatically stops cyber attacks and provides compliance.

  9. DoD Level Zero Trust Data Compliance

    XQ has been selected as a cloud solution provider for Zero Trust Data by the US Department of Defense to fulfill Zero Trust Data Security requirements for DoD agencies. 

  10. Data Access Governance (DAG)

    Protect intellectual property with real-time data governance; you can now control access to your data anywhere at any time, applying role-based security and attribute-based data loss prevention policies at the data record level.

  11. Sensitive Data Discovery & Traceability

    Secure chain of custody monitors each unit so you can monitor and control the movement and sharing of your data, ensuring full compliance and reducing risk across environments.

  12. Compliance DRM 

    XQ data rights management (DRM) applies continuous monitoring and detection policies and procedures that are designed to prevent, detect, and respond to cybersecurity threats.

The value of XQ does not solely lie in the unique approach to generating and managing keys but also in enabling organizations to classify, monitor, and control record-level access and policies wherever data is stored, shared, or even stolen. 

Automated Key Management

XQ’s unique ability to manage record-level data access results from a proprietary key management technology. In addition to the key management solution, XQ generates policies to enforce data access and immutable logs for security operations automation and investigation.

XQ generates, stores, and manages all of the keys for clients, removing this obligation and its costs from their DevOps teams. The keys can be applied to a single data object or to many, providing control over granularity.

XQ key creation always happens at the edge, wherever the data is encrypted. Solutions that do end-to-end encryption rely on centralized key creation mechanisms, which are expensive and add latency. To meet these challenges, XQ includes a Quantum service that delivers entropy derived from a quantum source to the edge, where it is used to seed keys.

XQ does not use third-party software for key management; the platform is a proprietary solution. We rely on vetted third parties for encryption libraries (e.g., OpenSSL), as XQ is fully crypto-agile. This enables our partners to integrate whatever cryptography the client requires.


How does XQ Scale? 

XQ is fundamentally a distributed platform similar to blockchain, where XQ’s SaaS represents a portion of the available nodes. This distributed architecture facilitates internet-scale functionality.

Creating keys at the edge dramatically reduces the load (and cost) that many customers experience when using cloud-based HSMs. This load distribution allows XQ to scale without being a bottleneck that typically increases latency.

Our SaaS solution is capable of multi-region auto-scaling groups, so if heavier than usual loads are detected, the XQ backend infrastructure will auto-deploy more AWS infrastructure to support the load. 

The XQ API, in its current configuration, can handle more than 4M API calls per second. In practice, even large-scale implementations of XQ have not impacted latency. 

For example, one of XQ’s structured data customers peaked at about 1 million API calls per second, resulting in over 100k keys stored in 10 seconds. This did not trigger the auto-scale group. The platform handled the load without issue, with no material impact on latency.

XQ charges integration customers on a usage basis: API calls (non-recurring) and stored keys (recurring monthly). The costs scale down with volume. This linear model enables customers to project and forecast expenses and their business growth. 

Keys are priced at $.001/key/month and API calls at $.001/API call, and prices scale downwards based on consumption.

XQ has SDKs that perform all of these functions for applications at the edge.

For example: https://github.com/XQ-Message-Inc/csdk-core

Pains XQ Solves

Sharing Sensitive Data 

The Royal Mint: Customers were abandoning the KYC process and the source-of-wealth validation process required to onboard new accounts or process investment transactions with The Royal Mint.

These customers abandoned these processes because they felt uncomfortable uploading Passports, Financial information, and personal residential and work histories through the Royal Mint's existing portal.

The customers were concerned that their sensitive data would be at risk of being breached or sold to third parties.

The XQ solution was to build an integration with the TRM website that encrypted the data on the user’s device before sending it to TRM. The solution allowed the user to track their submission, including where that submission was accessed, ensure no 3rd party data access, and revoke access to data like passport photos or bank statements once the business process requiring customer information was completed.

This resulted in a 300% increase in KYC process completion, significant increases in new customers, and high-value transactions.

This use case generalizes to any web-based intake form that gathers sensitive information. Companies ingesting sensitive information from customers and partners would all benefit from this integration of XQ.


Secure, Auditable Cloud Migration

Customers who handle regulated data (healthcare, legal, finance, PII) must maintain a chain of custody of the data from origin to destination. Most data transfer solutions secure data in flight but do not preserve record-level logs sufficient for demonstrating a chain of custody, making customers out of compliance. 

XQ’s immutable audit logs track all data encrypted by XQ, including who attempted to decrypt the data, when, and where, whether the attempt was successful or not, keeping these customers in compliance. They also prevent man-in-the-middle attacks.

XQ customers, including law firms, hospitals, forensic accountants, etc., benefit from this use case.


3rd Party Data Access 

Customers are often concerned about cloud data storage because of the risk of 3rd party data access by former partners, collaborators, cloud administrators, or even bad actors. Because XQ uniquely secures individual records and maintains control at the record level wherever data is shared, stored, or even stolen, access can be controlled remotely. 

This control enables customers to store data in cloud environments without the risk of 3rd parties accessing their data. The XQ-secured data remains protected even if a cloud storage environment is compromised. Additionally, this solution protects against lateral movement and enables organizations to revoke access to their cloud-stored data, even if exfiltrated, eliminating the risk of continuous extortion.

XQ customers using our cloud storage integration (Vault) include defense vendors, multinational organizations, and advanced manufacturing. 


Insider Threat and Data Exfiltration

A large electronics manufacturer feared ransomware extortion and data exfiltration from insider threats to its customers’ Personally-Identifying Information (PII) stored in the cloud.

Hurdles included the absence of accessible, user-friendly, and cost-effective solutions for compliant PII storage on their infrastructure. Moreover, entrusting their valuable data to third-party storage providers was fraught with risks and significant costs. 

Through seamless integration with XQ's API and leveraging AWS DynamoDB as their commercial cloud storage, they've optimized user ad experiences and fortified the privacy and compliance of personally identifiable information (PII).

This strategic shift reduces the ransomware double extortion and token access risks associated with external entities and underscores their commitment to safeguarding customer data.


Example: Consumer Electronics Manufacturer 

Problem: The manufacturer collected PII and stored it in the cloud, and was concerned about data vulnerability. They also collected usage information stored on their back end. That data is their bread and butter. They needed a way to store the data securely and ensure that it wasn't compromised, because if it was accessible, they would lose their revenue stream.


Solution: XQ encrypts the PII of customer intake (500K): first name, last name, address, etc. Data is encrypted on the client's side within their form intake. When a television is sent to the customer and the customer watches it, the television tracks what is watched, etc., on the client side before the data is sent to the backend; XQ is integrated to securely transfer data from the edge to the backend database. When data is stored in DynamoDB, every entry is secured.

This solution applies to any company that relies on data as a revenue source. XQ's ability to secure data intake and unique cells within databases protects organizations from insider threats, bad actors, and continuous extortion, ultimately protecting revenue.


Example: AI IoT Security

Various manufacturers produce IoT devices, each implementing different security protocols. XQ enables organizations to encrypt the data generated by IoT devices from the edge to the cloud. IoT devices frequently act as entry points for hackers, presenting severe risks to organizations.

XQ’s gateway mitigates this threat by reducing the attack surface and ensuring that the traffic ingested is secured and originates from a verified endpoint.

One example of how XQ helped secure IoT devices is Phoenix Systems, a large PLC manufacturer that wanted to collaborate with a notable IoT AI insights platform. Challenges included securing, classifying, and transmitting data from a mesh of IoT hubs.

The objectives were to prove compliance in the future and bring down maintenance and licensing costs for their industry, targeting SCADA system owners. The AI company also wanted to differentiate itself from competitors by proving the provenance of its data to ensure more accurate insights and protect against data poisoning as data traveled from the sensor to the cloud.

XQ is integrated into the PLC to secure all data from the edge to the AI insights database. This integration improved data security and enabled chain-of-custody insights that historically were unavailable. Additionally, the XQ integration reduced the overall costs of data ingestion by eliminating the need for additional network security solutions, as self-protected data can traverse unprotected networks while maintaining security. 

This applies to any organization that uses IoT sensors for analytics and business processes, ensuring data provenance, eliminating the risk of data poisoning, and protecting against man-in-the-middle attacks. Ultimately, securing IoT data reduces the risk of operational downtime for IoT-enabled organizations. 


Broader Use Cases

XQ Turnkey Products 

  • XQ Email: Secures emails across all email providers and within the recipient mailbox 

    • Benefit: Revoke access to sensitive emails and files after email and attachments are shared externally. Identify man-in-the-middle attacks. Prevent sensitive data breaches if the email exchange server is compromised. 

  • XQ Vault: Secures all Files from the edge and within the cloud 

    • Benefit: Protect against advanced threats while maintaining Data Access Governance (DAG) with XQ’s sensitive data discovery & traceability.

  • XQ Transfer Gateway: Secure Multi/Hybrid cloud and secure site-to-site data transfer.

  • XQ Database: Secures individual database entries 

  • XQ API: XQ Email, Vault, Gateway, and Database products are all integrations of the XQ APIs—they all use the XQ SDKs to function. 


Integrations

The broader value of XQ is in its integration into third-party tools and solutions. 

The XQ platform and APIs were built initially to support application integration. Each of the independent XQ products (email, Vault, Gateway, etc) is an integration of the Zero Trust Data Protection platform into those products. 

Integrating XQ into a product is a light effort using one of the XQ SDKs (C, JavaScript, Python, PHP, Java). It will immediately turn an off-the-shelf application into a Zero Trust Data Protection application. This increase in application security is vital for meeting application compliance requirements and being approved by enterprise AppSec teams, a critical part of the procurement process.

In addition to the Zero Trust Data Protection enhancement applications get with an integration, these apps also get the ability to use XQ policies to control data access, enabling apps to meet the increasing data localization laws that are rapidly coming into effect. 

  • Data Warehousing Platforms: XQ has developed an integration with Snowflake that can uniquely secure and apply RBAC & ABAC policies to every database entry. This integration would have prevented the recent Ticketmaster breach by separating application and data access. Additionally, customers benefit from data warehousing.

  • Hybrid or Multi-Cloud Security - Most organizations today have complex IT infrastructures and compliance burdens that have led them to hybrid and multi-cloud infrastructure setups.

    These Hybrid and Multi-Cloud architectures result in databases, applications, systems, and files being stored across on-prem and multi-cloud environments, whereby the traditional focus of perimeter-based security no longer protects all enterprise data.

    XQ enables organizations to apply standardized protection and control at the record level across applications running on various platforms, ensuring data security and compliance are not compromised between multiple cloud platforms and on-premises hybrid architectures. XQ offers external security controls for data across all platforms, eliminating any gaps in data governance.


  • Secure Collaboration with Persistent Data Protection - The XQ Vault enables users to create, remotely access, and collaborate on files stored in the cloud and shared with both internal stakeholders and external partners while always maintaining control over files.

    This protects organizations from any 3rd party data access risks, eliminates the risk of data being shared externally without permission, and enables organizations to rescind data access if they are no longer working with a collaborator or if data has been compromised. The XQ vault acts as a traditional file folder system on the endpoint, secures the data at the edge, and stores the contents of the XQ folder in the cloud in an encrypted state.

    Therefore, if an endpoint is compromised or stolen, the data typically accessible within a traditional folder would be inaccessible while maintaining file integrity by retaining the encrypted documents in the cloud. With XQ, companies can collaborate with partners, sharing sensitive data without the traditional risk of trusting that those partners will keep their data safe. XQ enables self-protecting data.


Resources

  1. XQ Discovery Overview 

    XQ offers unique data-level encryption and access control, creating a "data leash" for each object

  2. AWS Zero Trust for Government Solutions Brief

    Outlines the AWS security stack built to help support Federal Agency and DoD Organizations meet the mandated Zero Trust Requirements required by EOY 2026

  3. XQ Vertical Specific Data Sheets 
