Encrypted file/document storage options for asp.net core website?
Hi guys, I'm maintaining an asp.net core website and I've been told it's a requirement to encrypt stored documents "at rest".
Currently we generate PDFs and store them on the server disk, and serve them via the asp.net website.
I'm very unfamiliar with modern document storage and looking for some suggestions to go research.
What do you guys use?
Could I just add bitlocker to the server drive and be done with it? Or does that come with a big performance hit?
Cheers
19 Replies
$itdepends
sometimes something like "bitlocker" is enough, it's encrypting the disk, where if you lost access to the physical hardware, and someone took the drive out and plugged it into another machine, it'd not be readable.
in the event of a breach, bitlocked data is still in the blast radius.
is cloud storage an option?
I've just checked and cloud storage is only an option if you can self host the cloud app
I figured as much
Ideally, bitlocker, and other such tech is enough
otherwise, you'll need to look into a number of audit processes around key management and such
@cow Can you store keys in the cloud?
yes keys we can store in the cloud
So, that gives you the audit scenario
for a starting point i'll look into adding a dedicated filestorage drive to the server and bitlocker that (rather than bitlockering the OS drive)
There's a LOT of options here; really it depends on what you're encrypting and the supervising bodies.
Who is telling you that you have to encrypt?
3rd party audit company
kk
for what cert?
SAS70? SAS70 Type II? sarbox?
unsure, but the guy is coming in after christmas to discuss so will find all the details, just wanted to research myself in advance
NB: Auditors will have a control that you need to satisfy, the implementation is up to your company.
So, for example, an auditor will say, files have to be encrypted at rest, and you'll say....
We use bitlocker according to these guidelines <blah blah blah>
And the auditor might say, that's not good enough, you need an auditable access system.
ah right, understood
thanks for the discussion
Think about things like, if you need an HSM, you need two HSMs
you won't need an HSM, because you can get a cloud hsm
your cloud hsm can likely act as the auditable access control
Auditable means they can do what with it exactly, what they cannot do with bitlocker?
How did you figure that?
From an encrypted at rest perspective with bitlocker the file is accessible via a number of mechanisms that would elude auditing.
Access keys in a hardware device ( in theory ) requires a process where some acl/rbac logs the identity of who or what process is checking out a key. This is about satisfying an audit IT control; not the practical nature of how it's satisfied.
I've worked in compliance before.
Cool, can you tell the reasons? I wanna understand.
Self hosted means on prem?
I'll respond in detail later, I'm headed to bed, it's 0300 my time
This usually comes down to things like "COBIT" and "ITIL". There are a number of IT governance options in the cloud; but extending your existing set of COBIT/ITIL controls to the cloud is, in itself, an entirely separate journey; there's typically a lot of up front costs.
https://en.wikipedia.org/wiki/COBIT
https://en.wikipedia.org/wiki/ITIL
For example, in azure, https://learn.microsoft.com/en-us/azure/governance/policy/samples/pci-dss-3-2-1 is a "policy initiative" which relates to PCI/DSS ( payment card compliance stuff ).
But then also consider: https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-hipaa-us#azure-and-hipaa
"There is currently no certification program approved by the US Department of Health and Human Services (HHS) through which a CSP acting as a business associate could demonstrate compliance with HIPAA and the HITECH Act."
Compliance, on prem, and in the cloud is a pretty complex topic.