Protecting data at rest in SaaS and PaaS. Encryption Basics

PaaS and SaaS persistence services store your data in their systems, often in their accounts or subscriptions.  The service provider protects the system and its associated storage. We need to determine our appetite for risk when deciding what additional work must be done to secure the externally hosted data.


Data at rest must be protected with a multi-layered approach. Identify the attacks that you wish to prevent in order to determine how much protection you want. The list below is just a sample.
  • disk re-use is hardware or technology-related. It can be mitigated without any application or user experience changes. 
  • Vendor-related access issues exist because a 3rd party is hosting the data. This includes vendor staff access and the ability to remove or render unusable your data in their ho
  • Control Plane refers to dashboards or admin screens that are vendor-provided.  Many have preview functions that let you validate the data.  The built-in user permissions may not be fine-grain enough to meet your data protection needs. 
  • Users or attackers may get access to the machine or a trusted resource and attack with those permissions. 
Drive encryption only protects your data from a few of these attacks.


Watch the video for details not yet inserted into this blog.

Databases and Storage

Secure systems often use a combination of all three.

Drive Encryption is often provided by default by cloud providers. It is mandatory. Drive loss is a primary reason for using Drive Encryption. No drive encryption means don't use. Vendors should offer to use your encryption keys wherever possible.  This lets you manage who can see the drive data and lets you terminate vendor relationships without worrying about losing control of your data. 

Field Encryption protects PII while leaving the other less confidential fields visible.  Field encryption can protect you when a bad actor steals a person's or an entire database worth the information. People or programs that directly access the drives will still not know the values in the sensitive data fields.  Fields can still be used to join across information if the same PII fields are reliably encrypted the same way.

Document Encryption is a more aggressive version of Field Encryption.  The entire document/record is encrypted as a blob.  Some of the index or synthetic key fields may be left unencrypted so that the database partition and operate in a standard fashion.  This can cause issues if the partition key contained PII.

Streaming and Messaging

Streaming and messaging systems are just persistence engines for the purposes of this discussion. Payload Encryption is conceptually the same as full document encryption Databases and Storage.

Created 9/2021


Popular posts from this blog

Understanding your WSL2 RAM and swap - Changing the default 50%-25%

Installing the RNDIS driver on Windows 11 to use USB Raspberry Pi as network attached

DNS for Azure Point to Site (P2S) VPN - getting the internal IPs