Data Encryption

Overview

Data encryption is a necessity in today's world. Data travels all over the internet, and it's important that it stays secure. Encryption ciphers convert data from plaintext (unformatted digital text made up only of basic characters such as letters, numbers, punctuation, and whitespace, with no embedded instructions for font styles, sizes, colors, or other formatting) to ciphertext (encrypted text that can't be read until it is converted back into plaintext with a key; the decryption cipher is the algorithm that performs that transformation). Using encryption, a phrase like "No code is the future!" might become something like 21h34lk234h32o32lh23dc454tw44treg43gqg. Without the decryption key, a malicious actor who intercepts your data can't use it. Unqork and its third-party providers encrypt data in transit and at rest to keep your data secure. This article explains the types of encryption used by three third-party providers commonly used with Unqork: MongoDB Atlas, AWS (Amazon Web Services), and Azure.

Encryption Types by Third-Party Providers

Unqork builds your environment on infrastructure provided by a CSP (Cloud Service Provider), a company that delivers cloud computing services such as storage, databases, and infrastructure to organizations over the internet, letting them use computing power, data storage, and applications on demand without managing their own physical hardware, typically paying only for the resources they use. That CSP is AWS or Azure. MongoDB Atlas stores your data in databases. All three vendors use TLS (Transport Layer Security), a protocol that provides communication security across a network, to encrypt data in transit, and AES 256 to encrypt data at rest. AES (the Advanced Encryption Standard) is a symmetric block cipher selected by the U.S. government to protect classified data; AES-256 uses a 256-bit key to encrypt and decrypt each block. The vendor holds the encryption keys or manages them with a service it provides.

Vendor         Encryption Type                                  Key Holder

MongoDB Atlas  Data in transit: client-to-server TLS            MongoDB Atlas
               Data at rest: AES 256

AWS            Data in transit: TLS                             S3-Managed Keys or AWS KMS
               Data at rest: AES 256 server-side encryption

Azure          Data in transit: TLS                             Microsoft key store
               Data at rest: AES 256 server-side encryption

Unqork doesn't use customer-managed keys.

Key Rotation Policies

Unqork uses fully managed CSP (Cloud Service Provider) keys through the CSP's KMS (Key Management Service), a system that stores, manages, and backs up cryptographic keys to protect sensitive data and maintain information security. Unqork can't access the keys. This ensures no one, including CSP employees, can access the plaintext key material. It removes the need for customers to manage their own keys for disk encryption, while providing FIPS (Federal Information Processing Standards) 140-2 validated data security. FIPS is a set of cybersecurity guidelines for the U.S. government, developed by the National Institute of Standards and Technology (NIST).

Encryption at Rest and In Transit

The CSP (Cloud Service Provider) providing the service encrypts data at rest according to its own protocols. By default, all new environments use TLS (Transport Layer Security) 1.2+ encryption for data in transit. Some older environments might use TLS 1.1+. If your environment uses TLS 1.1+ and you want to upgrade, you can make that request to your Unqork representative.

Certain compliance requirements, such as those of the PCI (Payment Card Industry), need TLS 1.2+. The PCI is the sector of the financial industry that deals with electronic payments; it includes organizations that process, store, and transmit cardholder data, such as credit, debit, and prepaid card data.
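A check you can run before requesting the TLS 1.2+ upgrade described above, added here as an example rather than anything from Unqork's documentation: it pins a client to one protocol version per connection, records which versions the environment's endpoint completes a handshake for, and flags any accepted version below TLS 1.2. The hostname is a placeholder, and `assess` takes a constructed result dictionary so the classification can be checked offline.

```python
import socket
import ssl

# Placeholder; replace with your environment's hostname (assumption, not a real host).
PLACEHOLDER_HOST = "your-environment.example.com"

# Floor stated for PCI and for new Unqork environments: TLS 1.2 or newer.
MINIMUM_ACCEPTABLE = ssl.TLSVersion.TLSv1_2

PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def tls_version_accepted(host, port, version, timeout=5.0):
    """True if the server completes a handshake when the client offers only `version`.

    A False result can also mean the client's own OpenSSL build refuses to offer
    that version (common for TLS 1.0/1.1 on modern systems); check ssl.OPENSSL_VERSION
    if a legacy version unexpectedly reports as rejected.
    """
    ctx = ssl.create_default_context()  # certificate and hostname verification stay on
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443):
    """Map each protocol version name to whether the endpoint accepted it."""
    return {v.name: tls_version_accepted(host, port, v) for v in PROBE_VERSIONS}


def assess(results):
    """Classify probe results: legacy versions still enabled, and whether the
    endpoint meets the TLS 1.2+ floor (a modern version on, nothing older on)."""
    legacy = [name for name, ok in results.items()
              if ok and ssl.TLSVersion[name] < MINIMUM_ACCEPTABLE]
    modern = any(ok for name, ok in results.items()
                 if ssl.TLSVersion[name] >= MINIMUM_ACCEPTABLE)
    return {"legacy_enabled": legacy, "pci_ready": modern and not legacy}


if __name__ == "__main__":
    print(assess(probe(PLACEHOLDER_HOST)))
```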

Environments built on AWS use an end-to-end encryption system. AWS uses TLS 1.2+, and the encryption terminates at the application load balancer. Communication with back-end components and services is re-encrypted with TLS 1.2+. Environments created on AWS use the ELBSecurityPolicy-FS-1-2-2019-06 policy. The ciphers used depend on the policy selected. If you run an Unqork environment on AWS and use a legacy system, or one that requires a different protocol or cipher, you can request a different AWS SSL (Secure Sockets Layer) policy and/or cipher.

Data transmitted from your Unqork environment to MongoDB Atlas uses TLS 1.2+ encryption, beginning at the application, passing through the NAT (Network Address Translation) gateway, and terminating when it reaches MongoDB Atlas. NAT is a service that enables private IP networks to use the internet and cloud by translating private IP addresses in an internal network to a public IP address before packets are sent to an external network.

AWS and Azure SSL Policies

Resources