C#•2y ago

Encrypted file/document storage options for asp.net core website?

Hi guys, I'm maintaining an asp.net core website and I've been told it's a requirement to encrypt stored documents "at rest".

Currently we generate pdf's and store on the server disk, and serve them via the asp.net website.

I'm very unfamiliar with modern document storage and looking for some suggestions to go research.

What do you guys use?

Could I just add bitlocker to the server drive and be done with it? Or does that come with big performance hit?

Cheers

Mayor McCheese•12/20/23, 9:39 PM

$itdepends

MMayor McCheese $itdepends

MODiX•12/20/23, 9:39 PM

https://cdn.discordapp.com/attachments/569261465463160900/826859856719380500/1niu5wN.png

Mayor McCheese•12/20/23, 9:40 PM

somtimes something like "bitlocker" is enough, it's encrypting the disk, where if you lost the access to physical hardware, and someone took the drive out and plugged it into another machine, it'd not be readable.

Mayor McCheese•12/20/23, 9:40 PM

in the event of a breach, bitlocked data is still in the blast radius.

Mayor McCheese•12/20/23, 9:42 PM

is cloud storage an option?

cowOP•12/20/23, 9:54 PM

I've just checked and cloud storage is only an option if you can self host the cloud app

Ccow I've just checked and cloud storage is only an option if you can self host the c...

Mayor McCheese•12/20/23, 9:54 PM

I figured as much

Mayor McCheese•12/20/23, 9:55 PM

Ideally, bitlocker, and other such tech is enough

Mayor McCheese•12/20/23, 9:55 PM

otherwise, you'll need to look into a number of audit processes around key management and such

Mayor McCheese•12/20/23, 9:56 PM

@cow Can you store keys in the cloud?

cowOP•12/20/23, 9:57 PM

yes keys we can store in the cloud

Mayor McCheese•12/20/23, 9:58 PM

So, that gives you the audit scenario

cowOP•12/20/23, 9:58 PM

for a starting point i'll look into adding a dedicated filestorage drive to the server and bitlocker that (rather than bitlockering the OS drive)

Mayor McCheese•12/20/23, 9:58 PM

There's a LOT of options here; really it depends on what you're encrypting and the supervising bodies.

Mayor McCheese•12/20/23, 9:58 PM

Who is telling you that you have to encrypt?

cowOP•12/20/23, 9:59 PM

3rd party audit company

Mayor McCheese•12/20/23, 9:59 PM

for what cert?

Mayor McCheese•12/20/23, 9:59 PM

SAS70? SAS70 Type II? sarbox?

cowOP•12/20/23, 10:00 PM

unsure, but the guy is coming in after christmas to discuss so will find all the details, just wanted to research myself in advance

Ccow 3rd party audit company

Mayor McCheese•12/20/23, 10:00 PM

NB: Auditors will have a control that you need to satisfy, the implementation is up to your company.

Mayor McCheese•12/20/23, 10:02 PM

So, for example, an auditor will say, files have to be encrypted at rest, and you'll say....

We use bitlocker according to these guidelines <blah blah blah>

Mayor McCheese•12/20/23, 10:03 PM

And the auditor might say, that's not good enough, you need an auditable access system.

cowOP•12/20/23, 10:05 PM

ah right, understood

cowOP•12/20/23, 10:05 PM

thanks for the discussion

Mayor McCheese•12/20/23, 10:05 PM

Think about things like, if you need an HSM, you need two HSM's

Mayor McCheese•12/20/23, 10:06 PM

you won't need an HSM, because you can get a cloud hsm

Mayor McCheese•12/20/23, 10:06 PM

your cloud hsm can likely act as the auditable access control

MMayor McCheese So, for example, an auditor will say, files have to be encrypted at rest, and yo...

DΣX•12/21/23, 7:40 AM

Auditable means they can do what with it exactly, what they cannot do bitlocker?

MMayor McCheese I figured as much

DΣX•12/21/23, 7:41 AM

How did you figure that?

DDΣX Auditable means they can do what with it exactly, what they cannot do bitlocker?

Mayor McCheese•12/21/23, 7:55 AM

From an encrypted at rest perspective with bitlocker the file is accessible via a number of mechanisms that would elude auditing.

Access keys in a hardware device ( in theory ) requires a process where some acl/rbac logs the identity of who or what process is checking out a key. This is about satisfying an audit IT control; not the practical nature of how it's satisfied.

DDΣX How did you figure that?

Mayor McCheese•12/21/23, 7:58 AM

I've worked in compliance before.

MMayor McCheese I've worked in compliance before.

DΣX•12/21/23, 8:14 AM

Cool, can you tell the reasons? I wanna understand.
Self hosted means on prem?

DDΣX Cool, can you tell the reasons? I wanna understand. Self hosted means on prem?

Mayor McCheese•12/21/23, 8:18 AM

I'm respond in detail later, I'm headed to bed, it's 0300 my time

DDΣX Cool, can you tell the reasons? I wanna understand. Self hosted means on prem?

Mayor McCheese•12/22/23, 12:08 AM

This usually comes down to things like "COBIT" and "ITIL". There are number of IT governance options in the cloud; but extending your existing set of COBIT/ITIL controls to the cloud is, in itself an entirely separate journey; there's typically a lot of up front costs.

https://en.wikipedia.org/wiki/COBIT
https://en.wikipedia.org/wiki/ITIL

Mayor McCheese•12/22/23, 12:13 AM

For example, in azure, https://learn.microsoft.com/en-us/azure/governance/policy/samples/pci-dss-3-2-1 is a "policy initiative" which relates to PCI/DSS ( payment card compliance stuff ).

But then also consider: https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-hipaa-us#azure-and-hipaa

There is currently no certification program approved by the US Department of Health and Human Services (HHS) through which a CSP acting as a business associate could demonstrate compliance with HIPAA and the HITECH Act.

Mayor McCheese•12/22/23, 12:14 AM

Compliance, on prem, and in the cloud is a pretty complex topic.