Encryption (Infrastructure)
Converting data into a coded format readable only by authorised parties with the decryption key, protecting confidentiality at rest and in transit across cloud infrastructure.
In-Depth Explanation
Encryption transforms readable data into an unreadable format using mathematical algorithms and keys. Only parties with the correct decryption key can convert it back.
Encryption types:
- Symmetric (AES-256): Same key for encryption/decryption. Fast, used for data at rest
- Asymmetric (RSA, ECDSA): Different keys for encryption/decryption. Used for key exchange and signatures
- Hashing (SHA-256, bcrypt): One-way transformation for passwords and integrity
Cloud encryption layers:
- At rest: Data encrypted on disk (databases, files, backups)
- In transit: Data encrypted during transmission (TLS/HTTPS)
- In use: Data encrypted during processing (emerging technology)
- Client-side: Encrypted before sending to cloud
- Server-side: Cloud encrypts on receipt
Key management models:
- Cloud-managed: Simplest option, provider manages keys
- Customer-managed (CMK): You control keys via cloud KMS
- Customer-supplied: You provide keys per operation (most control)
- HSM-backed: Dedicated hardware for key operations
Best practices:
- Use AES-256 for data at rest
- Use TLS 1.3 for data in transit
- Rotate keys regularly
- Separate keys by data classification
- Never store keys with encrypted data
- Implement proper key management lifecycle
Business Context
Encryption protects sensitive data, maintains customer trust, and ensures compliance with Australian Privacy Act requirements and industry regulations.
How Clever Ops Uses This
Clever Ops implements encryption strategies for Australian businesses, ensuring data protection at rest and in transit through cloud key management services.
Example Use Case
"A healthcare platform implements AES-256 for patient data at rest, TLS 1.3 in transit, and field-level encryption for Medicare numbers, all managed through AWS KMS with customer-managed keys."