Symmetric encryption uses the same key for both encryption and decryption which is efficient but requires secure key distribution. Asymmetric encryption uses a pair of keys, a public key to encrypt and a private key for decryption which is ideal for secure key exchanges. ## Key Management Solutions Cloud key Management Services (KMS) and Hardware Security Modules (HSM) are critical for secure key management. KMS services allow you to create, rotate, disable, and manage encryption keys, providing audit logging, and access controls. HSMs offer physically secure devices for storing and managing cryptographic keys. ## Hashing for Integrity Hashing is a one-way cryptographic transformation of data used to guarantee its integrity. It generates a fixed-size string (hash value) that is practically impossible to reverse or tamper with. ## Applications of Hashing - Password Storage: - Store hashed passwords instead of plaintext passwords to enhance security. - Data Verification: Use hashing to create checksums that verify the integrity of files or data transfers. When a user logs in the system hashes the entered password and compares it with the stored hash. This process ensures that even if the database is breached, the plaintext passwords remain unrevealed. ## Data Obfuscation Data obfuscation techniques protect sensitive information while allowing non-sensitive data to be usable for analytics or testing. ## Making vs. Anonymization **Data Masking**: Replaces sensitive data with scrambled or masked values. For example, masking a credit card number might result in XXXXXX1111, where only the last four digits are visible. This allows devs and analysts to work with the data without exposing sensitive information. **Anonymization**: Removes personal identifiers entirely, ensuring the data cannot be traced back to an individual. This often involves removing or generalizing personal data to adhere to privacy regulations. **Tokenization**: Substitutes sensitive data with a non-sensitive equivalent, called a token, which can be mapped back to the original data through a secure vault. By using tokens for data like credit card numbers, businesses reduce exposure to theft or misuse, as sensitive data is stored securely elsewhere and access is restricted. ## Capabilities of Data Loss Prevention (DLP) Systems: - Data Monitoring: Continuously inspect data in transit and at rest for unauthorized transmission. - Policy Enforcement: Apply security policies to block or alert on potential data breaches. ## Keys, Secrets, & Certificate Management Managing keys, secrets, and certificates is vital for ensuring the secure operation of applications and infrastructure in the cloud. This involves controlling access to API keys, credentials, and certificates to prevent unauthorized usage. ## Secrets Management Services These services provide a centralized way to manage, access, and audit secrets. By securely storing and controlling access to these secrets, organizations can minimize the risk of leaks or unauthorized access. | Technology | Purpose | Example Use | | ------------ | -------------------------- | ------------------------------------------- | | Encryption | Confidentiality | Secure data in transit and at rest | | Hashing | Integrity | Verify file checksums | | Data Masking | Data Obfuscation | Protect credit card details in databases | | Tokenization | Sensitive Data Replacement | Store tokens instead of credit card numbers |