Bring the right tools to your development team.
What critical capabilities should you think about when evaluating sensitive data solutions and tools for your development team?
Start by looking at a Privacy First Design, Security Kernels, and Vaults for storing sensitive data.
A Privacy First Design ensures that data users prove control over various vectors of their identity before they may gain access to the data you hold on them. Security Kernels are a small, attested code base designed to run in hardware-enforced enclaves. Vaults are a secure storage concept that is defined at a per-relationship level and is protected by a unique encryption key.
Privacy First Design includes a philosophy towards design that ensures that no action is required from an individual to protect data security; security is built into the system by default.
How can this be implemented from a technology perspective to allow for at-scale and networked systems? Within your architecture, microservices must use a SPIFFE identity, and utilize a sidecar to control admission and policy. Through these capabilities, you can whitelist connections and implicitly prohibit unrecognized endpoints.
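The allowlist idea above can be sketched as a default-deny admission check on SPIFFE IDs. This is an added example, not Manetu's code; the trust domain `example.org`, the workload paths and the function names are hypothetical, and the caller ID is assumed to come from an already verified X.509-SVID.

```python
import re

# Constructed policy: destination SPIFFE ID -> caller SPIFFE IDs allowed to connect.
# The trust domain and workload paths are hypothetical.
TRUST_DOMAIN = "example.org"
ALLOWLIST = {
    "spiffe://example.org/ns/data/sa/vault-api": {
        "spiffe://example.org/ns/web/sa/portal",
        "spiffe://example.org/ns/batch/sa/exporter",
    },
}

_TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")
_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")


def parse_spiffe_id(raw):
    """Return (trust_domain, path) for a well-formed SPIFFE ID, else None.

    Deliberately strict: lowercase scheme and trust domain, no userinfo, port,
    query or fragment, no empty, "." or ".." path segments.
    """
    if len(raw) > 2048 or not raw.startswith("spiffe://"):
        return None
    trust_domain, slash, path = raw[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN_RE.fullmatch(trust_domain):
        return None
    if slash:
        for segment in path.split("/"):
            if segment in (".", "..") or not _SEGMENT_RE.fullmatch(segment):
                return None
    return trust_domain, slash + path


def admit(caller_id, destination_id):
    """Default-deny admission check, as a sidecar would run per connection.

    Assumes caller_id was taken from the URI SAN of an already verified
    X.509-SVID; this function does not verify certificates itself.
    """
    caller = parse_spiffe_id(caller_id)
    if caller is None or caller[0] != TRUST_DOMAIN:
        return False  # malformed ID or foreign trust domain
    # Exact match only: no prefix or wildcard rules, so an unlisted
    # endpoint is rejected without needing an explicit deny entry.
    return caller_id in ALLOWLIST.get(destination_id, set())
```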
Security Kernels offer a layer of abstraction for operations dealing with key material, such as generating digital signatures, decryption, and hashing. By design, they offer a very narrow, abstract interface to facilitate verification and audit. They also support pluggable enclaves and attestation mechanisms for tamper- and clone-resistant operations.
Vaults allow you to secure your sensitive data as each unique vault has specific properties surrounding access control, security, and its own discrete encryption key. By having a unique encryption key, you can promote severability.
By using these three critical capabilities, sensitive data is never available outside of the trusted network.
To learn more about a Privacy First Design, Security Kernels, and Vaults, and how Manetu can help, request a demo.