Question
Central Provident Fund Board (CPFB)
SG
Last activity: 5 Aug 2024 12:15 EDT
Application data encryption Risk
We are planning to implement an application data encryption mechanism in the Pega cloud environment. We are currently evaluating whether it is suitable to proceed with the Pega platform/KMS or to create a custom cipher. Do you have any suggestions for this?
Additionally, we are concerned that if something were to happen to the encryption key, it would not be possible to decrypt the data. Is it possible for scenarios like this to occur? Are there any other potential risks associated with this?
Thank You
Accepted Solution
Updated: 5 Aug 2024 12:15 EDT
Pegasystems Inc.
GB
Pega Platform provides robust data encryption capabilities. It is recommended to use the platform cipher with a key management service (KMS) like AWS KMS, Microsoft Azure Key Vault, HashiCorp Vault, or Google Cloud KMS. This approach provides an additional layer of security and makes it easier to comply with privacy policies, regulatory requirements, and contractual obligations for handling private data. Creating a custom cipher is complex and requires careful testing and assistance from Global Customer Support staff. It also makes it difficult to support best practices such as key rotation. Therefore, it is recommended to use a custom cipher only when your organization's security standards require the use of a cipher that is different from the Pega Platform cipher. Regarding your concern about the encryption key, it is indeed a critical aspect. If the key is lost or compromised, it could lead to data loss as the data cannot be decrypted. Therefore, it is crucial to manage and protect encryption keys effectively. Potential risks include the unavailability of the customer master key in some situations and data loss when switching between cipher types. Therefore, it is important to activate the new keystore before deleting or disabling the active Customer Master Key and not to delete the original custom cipher or encryption keys when switching between cipher types.
Pega Platform provides robust data encryption capabilities. It is recommended to use the platform cipher with a key management service (KMS) like AWS KMS, Microsoft Azure Key Vault, HashiCorp Vault, or Google Cloud KMS. This approach provides an additional layer of security and makes it easier to comply with privacy policies, regulatory requirements, and contractual obligations for handling private data. Creating a custom cipher is complex and requires careful testing and assistance from Global Customer Support staff. It also makes it difficult to support best practices such as key rotation. Therefore, it is recommended to use a custom cipher only when your organization's security standards require the use of a cipher that is different from the Pega Platform cipher. Regarding your concern about the encryption key, it is indeed a critical aspect. If the key is lost or compromised, it could lead to data loss as the data cannot be decrypted. Therefore, it is crucial to manage and protect encryption keys effectively. Potential risks include the unavailability of the customer master key in some situations and data loss when switching between cipher types. Therefore, it is important to activate the new keystore before deleting or disabling the active Customer Master Key and not to delete the original custom cipher or encryption keys when switching between cipher types.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Key management system for application data encryption
Potential problems with keystores when using AWS KMS