Sleep tight, your data is secure, part 3 – Data Storage Security
To make Invoicebus a place where its customers would feel safe and sound, we’ve built a little fortress around its data. We reveal a tiny, but interesting part of its architecture.
Data Storage Security
In our case, data storage security refers to the way of keeping and managing customer’s data within the database: invoices, quotes, clients, company details etc.
These kinds of sensitive information are kept in a form that is encrypted by the Advanced Encryption Standard (AES) – first open symmetric-key cipher approved by the National Security Agency (NSA) and used by the US federal government for storing secret information.
The human way of showing how this thing works is by the picture below:
We use the words lock, unlock as a way to visualize the meaning of encryption, decryption process of the powerful AES algorithm respectively.
The security key is kept encrypted (with RSA algorithm) in a separate, isolated place (on a different server protected by other security mechanisms and firewalls). Every time when AES needs to lock/unlock data, it requires the decrypted form of his key.
Hypothetically spoken, if security breach happens to the database server, the attacker would not be able to retrieve any meaningful data without this key, unless he has Dan Brown’s TRANSLATR at home.
Other aspects of Data Storage Security
Backups and redundancy are closely related to the Data Storage Security, but will be covered in the upcoming part 5 – Hosting Server Security.
Part 4 and 5 of this security talk series will be continued after the Invoicebus launch.