Custom and Client-Side Encryption
Guidewire enforces a secure, reliable, and compliant encryption posture across the Guidewire Cloud Platform (GWCP). This includes a strict prohibition on custom and client-side encryption mechanisms. Customers must use only vetted, platform-approved encryption libraries and protocols to ensure interoperability, maintainability, and protection against evolving threats.
Why Custom Encryption Is Prohibited
Custom encryption solutions pose significant risks:
- Lack of Cryptanalysis – Custom algorithms lack the rigorous peer review and testing applied to industry standards like AES and RSA.
- Poor Key Management – Non-standard implementations often mishandle key generation, storage, and rotation.
- Implementation Errors – Even standard algorithms can be implemented incorrectly, leading to weak protection.
- Reduced Interoperability – Custom solutions may be incompatible with compliance frameworks, APIs, or third-party systems.
- Maintenance Challenges – Keeping up with emerging threats is difficult without centralized, vetted libraries.
Custom encryption introduces avoidable risk. GWCP ensures platform-wide consistency and security by disallowing such implementations.
What About Using Standard Algorithms in Custom Code?
| Risk | Description |
|---|---|
| No Peer Review | Implementation may include hidden flaws undetectable without expert analysis. |
| Weak Key Handling | Without centralized key management, keys can be leaked, reused, or improperly stored. |
| Vulnerability to Known Attacks | Brute force, padding, and side-channel attacks often exploit poor implementations. |
| Incompatibility | Custom schemes break integrations and complicate upgrades or audits. |
| False Confidence | Developers may assume security based on algorithm choice alone, not implementation quality. |
Integration Guidance: Approved Alternatives
For secure data exchange between systems, use:
TLS 1.2+ with Mutual TLS (mTLS) – Ensures end-to-end encryption with strong identity verification.
API Gateways – Leverage Guidewire or enterprise-managed API gateways to enforce encryption, authentication, and access policies uniformly.
Centralized Integration Platforms – Use platforms that offer standardized security management and compliance enforcement across services.
These approaches reduce the risk of misconfiguration and ensure long-term maintainability.
Additional Resources
To further strengthen your understanding and implementation, these resources provide additional guidance on secure coding practices.
Guidewire:
- IS-SEC-1008-PersonallyIdentifiableInformation
- IS-SEC-1339: Custom and Client-Side Encryption
- Guidewire PCI Shared Responsibility Matrix
Additional:
- Kerckhoffs’s principle: encoding is not encryption
- NIST FIPS 197: Advanced Encryption Standard (AES)
- NIST SP 800-175B: Guideline for Using Cryptographic Standards
- NIST Journal Article: Encryption Basics
- OWASP Top 10:2021 - A02:2021 – Cryptographic Failures
- Security Through Obscurity
Was this page helpful?