Encryption Decisions for Your Technology Stack
Considering Encryption and Decryption
Unlike most other security controls, encryption cuts across the layers of your technology stack. It is present in so many places, in transit and at rest, from your operating systems to your databases and all the way out to your customers. And whenever you configure encryption, you must also decide at what point decryption will occur.
In this demo, we will highlight the complex decisions that need to be considered when applying encryption throughout your technology stack.
Encryption is unique among the technical security controls in that its protection travels with the data as it crosses the layers of our technology stack: up through hypervisors and operating systems, through databases and message queues, and into our applications and out in transit to our customers. As an example, when a customer interacts with our website, we set up a TLS tunnel. The customer's data is encrypted at one end of that tunnel and decrypted at the other; on the way back out it is encrypted again on the server side and decrypted at the customer's end. While it is in transit over whatever networks lie in between, the internet, mobile networks or anything else, that session is protected.
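The TLS tunnel described above, as an added example that is not part of the original demo: this Go program (standard library only) runs a TLS client and server over an in-memory pipe, taps every byte the client puts on the wire, and shows that the request is recoverable only at the server, the point where the tunnel terminates, while the wire itself carries ciphertext. The hostname shop.example.test, the self-signed certificate and the request contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

const serverName = "shop.example.test" // hypothetical hostname used only for this demo

// wireTap wraps a net.Conn and keeps a copy of every byte written through it,
// which is exactly what an observer on the network path between the two ends sees.
type wireTap struct {
	net.Conn
	mu  sync.Mutex
	buf bytes.Buffer
}

func (w *wireTap) Write(p []byte) (int, error) {
	w.mu.Lock()
	w.buf.Write(p)
	w.mu.Unlock()
	return w.Conn.Write(p)
}

func (w *wireTap) Bytes() []byte {
	w.mu.Lock()
	defer w.mu.Unlock()
	return append([]byte(nil), w.buf.Bytes()...)
}

// selfSignedCert makes a throwaway certificate for serverName so the demo needs no CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// RunTLSExchange sends request from a TLS client to a TLS server over an in-memory
// connection. It returns the plaintext the server recovered at its termination point
// and the raw bytes the client actually put on the wire.
func RunTLSExchange(request []byte) (received, wire []byte, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	clientEnd, serverEnd := net.Pipe()
	tap := &wireTap{Conn: clientEnd}

	var wg sync.WaitGroup
	var got []byte
	var srvErr error
	wg.Add(1)
	go func() {
		defer wg.Done()
		// SessionTicketsDisabled keeps the server from writing a post-handshake
		// ticket that nobody reads, which would stall the synchronous net.Pipe.
		srv := tls.Server(serverEnd, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			SessionTicketsDisabled: true,
		})
		defer srv.Close()
		got, srvErr = io.ReadAll(srv) // decrypted here: the server is the termination point
	}()

	cli := tls.Client(tap, &tls.Config{RootCAs: pool, ServerName: serverName})
	if _, err = cli.Write(request); err != nil { // encrypted here, at the client
		return nil, nil, err
	}
	cli.Close() // sends close_notify so the server sees a clean end of stream
	wg.Wait()
	if srvErr != nil {
		return nil, nil, srvErr
	}
	return got, tap.Bytes(), nil
}

func main() {
	req := []byte("GET /account HTTP/1.1\r\nAuthorization: Bearer demo-token-123\r\n\r\n")
	got, wire, err := RunTLSExchange(req)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server recovered the request intact: %v\n", bytes.Equal(got, req))
	fmt.Printf("bearer token visible in %d wire bytes: %v\n", len(wire), bytes.Contains(wire, []byte("demo-token-123")))
	fmt.Printf("server name visible on the wire: %v\n", bytes.Contains(wire, []byte(serverName)))
}
```

Two things worth noticing when you run it. The request, including the bearer token, never appears in the tapped bytes, but the server name does: the SNI extension in the ClientHello is sent in the clear, so the TLS envelope covers the payload and not every piece of metadata. And whichever process runs the server side of this exchange is the decryption point; anything behind it handles plaintext unless the data is encrypted again there.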
Likewise, when we are talking about encryption at rest, we may choose to encrypt our data in the application. In that case it is encrypted all the way down through our databases and operating systems and into the facilities, the Amazon data centers or wherever else the hardware sits, and on through our storage area networks or whatever form that storage takes.
If we choose to encrypt in the database instead, the data is encrypted from that point downward and stays that way until the database decrypts it on its way back up to the application. In the same way, we may choose full disk encryption through BitLocker on Windows or LUKS on a Linux server, for instance. Our virtualization infrastructure may do some of this as well: encryption can happen in the virtual machines, in the hypervisors, or even in the storage devices themselves.
Encryption, again, is unique because of the envelope of protection it provides. Within whatever parameters the encryption technology we are using sets, the data is protected from the point at which it is encrypted until the point at which it is decrypted, and the layers above that point still handle it in plaintext. That is an important consideration, especially as we talk about encryption in S3, encryption in Amazon Elastic Block Store, and encryption of our disk images using built-in operating system capabilities.
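Encrypting in the application, as the passages above describe, so that the database, operating system, hypervisor and disks below it only ever hold ciphertext: an added example in Go (standard library only), not code from the original demo. It uses envelope encryption, the same pattern S3 and EBS use with a KMS key: each record gets its own data key (DEK), the payload is sealed under the DEK with AES-256-GCM, and the DEK is wrapped under a key-encryption key (KEK) that only the application can reach. The record ID is bound in as associated data so a stored blob cannot be moved to another row. The record type, the KEK handling, the customer ID and the payload are constructed for the example; in production the KEK lives in a KMS or HSM, not beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedRecord is the only form of the record that exists below the application.
// The database, the OS, the hypervisor and the disk store and move these bytes
// without being able to read them. (Type constructed for this example.)
type EncryptedRecord struct {
	ID         string // primary key; bound into both AEAD tags as associated data
	WrapNonce  []byte
	WrappedDEK []byte // per-record data key, sealed under the application's KEK
	Nonce      []byte
	Ciphertext []byte // payload sealed under the DEK
}

// sealAEAD encrypts plaintext with AES-256-GCM under key, authenticating aad.
func sealAEAD(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD; it fails if key, nonce, ciphertext or aad differ.
func openAEAD(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// EncryptRecord is the application's "encrypt here" step: a fresh 256-bit DEK per
// record, the payload sealed under it, and the DEK wrapped under kek. From here
// down the stack nothing but ciphertext is ever written.
func EncryptRecord(kek []byte, id string, payload []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	nonce, ct, err := sealAEAD(dek, payload, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealAEAD(kek, dek, []byte(id))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{ID: id, WrapNonce: wrapNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord is the "decrypt here" step. Only a layer holding kek can perform it;
// giving the KEK to the database would move the decryption point down the stack.
func DecryptRecord(kek []byte, rec *EncryptedRecord) ([]byte, error) {
	dek, err := openAEAD(kek, rec.WrapNonce, rec.WrappedDEK, []byte(rec.ID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, or record moved or tampered")
	}
	return openAEAD(dek, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
}

func main() {
	kek := make([]byte, 32) // stands in for a KMS/HSM-held key in this demo
	io.ReadFull(rand.Reader, kek)
	rec, _ := EncryptRecord(kek, "cust-1001", []byte(`{"name":"A. Customer","card_last4":"4242"}`))
	fmt.Printf("database sees: id=%s ciphertext=%x...\n", rec.ID, rec.Ciphertext[:8])
	pt, err := DecryptRecord(kek, rec)
	fmt.Printf("application sees: %s (err=%v)\n", pt, err)
	rec.ID = "cust-2002" // attacker with database access copies the blob onto another row
	_, err = DecryptRecord(kek, rec)
	fmt.Println("blob moved to another row:", err)
}
```

The decryption point is wherever the KEK is usable, which is the decision the text is talking about: keep the KEK in the application tier and the database, OS and storage layers are inside the envelope; hand it to the database (as transparent database encryption does) and those layers below it are still covered, but the database itself now sees plaintext.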