XQ Server Architecture
The XQ dedicated cloud implementation requires hosting three essential services and one optional service, depending on how HUB chooses to manage the XQ network. The three essential services are:
- Quantum server
- Subscription server
- Validation server
Each is important to the XQ security model, and the three servers work in concert to ensure that only authorized devices and users can encrypt and decrypt the data, within the scope of the expiration policy set for that data. These servers can be hosted in any cloud service or on a locally hosted server, in containers, on either shared or dedicated instances.
The Quantum server delivers quantum-generated entropy to the edge devices. This quantum random number can be used directly as a key or to seed keys that are generated on the device. Using a quantum random number substantially reduces the risk of the key being broken. The subscription server stores identities for token authorization, and the validation server stores keys. The identity store and the key store are kept separate so that not even the host of the servers can match data with identities and tokens to enable decryption. This ensures that only authorized identities and devices can decrypt the data.
A further benefit of decoupling the services as XQ does and hosting them in the cloud is that even if a device is stolen, (1) the data cannot be exfiltrated from the device alone, (2) an authorized user can revoke the device's authorization remotely, and (3) the policy can geo-restrict access to the keys, so data intercepted in flight is safe from unauthorized users.
Optionally, the cloud deployment can be managed with the XQ dashboard, which is also cloud deployable. The dashboard allows an administrator to manage identities and revoke access to data. The same functions are also available via an API.
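To make the split concrete, here is an added toy model (not XQ's own code) of the three services and the checks a key release has to pass: token validity, recipient membership, expiration, geo-restriction and revocation. It assumes os.urandom in place of the quantum entropy source, a hashed identity as the opaque subscriber id held by the key store, and a constructed region string standing in for whatever geo signal a real deployment would use.

```python
import hashlib
import os

# Added illustrative model of the three-service split; not XQ's own code.
# os.urandom stands in for the quantum entropy source; "region" is a
# constructed stand-in for a real deployment's geo signal.

class QuantumServer:
    def entropy(self, nbytes=32):
        return os.urandom(nbytes)          # quantum-generated entropy stand-in

class SubscriptionServer:
    """Holds identities and tokens only; never sees a key."""
    def __init__(self):
        self._tokens, self._revoked = {}, set()
    @staticmethod
    def subscriber_id(identity):
        return hashlib.sha256(identity.encode()).hexdigest()  # opaque id
    def enroll(self, identity):
        token = os.urandom(16).hex()
        self._tokens[token] = identity
        return token
    def revoke(self, identity):
        self._revoked.add(identity)
    def authorize(self, token):
        """Opaque subscriber id for a live token, or None if unknown/revoked."""
        ident = self._tokens.get(token)
        if ident is None or ident in self._revoked:
            return None
        return self.subscriber_id(ident)

class ValidationServer:
    """Holds keys and policies only; recipients are opaque ids, not identities."""
    def __init__(self, subs):
        self._subs, self._keys = subs, {}
    def store(self, key, recipient_ids, expires_at, regions):
        key_id = os.urandom(8).hex()
        self._keys[key_id] = (key, set(recipient_ids), expires_at, set(regions))
        return key_id
    def fetch(self, key_id, token, region, now):
        """Release the key only if token, recipient, expiry and region all pass."""
        if key_id not in self._keys:
            return None
        key, recipients, expires_at, regions = self._keys[key_id]
        who = self._subs.authorize(token)
        if who is None or who not in recipients:
            return None                    # unknown, revoked, or not a recipient
        if now >= expires_at or region not in regions:
            return None                    # expiration or geo-restriction policy
        return key
```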