Chapter 5 — Data Protection & Encryption

PART III — COMPUTE, CONTAINERS, AND IAC

Tier 1: Public Data

  • Marketing materials, press releases
  • Public documentation, product information
  • Customer-facing website content
  Controls: Standard access controls, basic logging

Tier 2: Internal Data

  • Internal documentation, project plans
  • Internal communications, meeting notes
  • Non-sensitive operational data
  Controls: Internal access controls, encryption at rest

Tier 3: Confidential Data

  • Customer personal information, PII
  • Financial data, payment information
  • Intellectual property, trade secrets
  Controls: Strong encryption, strict access controls, audit logging

Tier 4: Highly Sensitive Data

  • Healthcare records (PHI)
  • Government classified information
  • Critical infrastructure control data
  Controls: Maximum protection, hardware security modules, segregation

  DataClassificationWorkflow:
    Triggers:
      - New data creation
      - Data modification
      - Data movement between systems
    ClassificationRules:
      - Pattern: "\\b\\d{3}-\\d{2}-\\d{4}\\b"          # SSN pattern
        Classification: "PHI"
        Action: "Encrypt_and_restrict"
      - Pattern: "\\b4[0-9]{12}(?:[0-9]{3})?\\b"      # Credit card
        Classification: "PCI"
        Action: "Tokenize_and_encrypt"
      - Pattern: "confidential|proprietary|secret"
        Classification: "Confidential"
        Action: "Apply_RBAC"
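The ClassificationRules above as a working scanner, added here as an example and not part of the chapter: Go's standard regexp package applies the three patterns in order of sensitivity, so a record carrying both an SSN and a card number is handled under the stricter PHI action. Assumptions of this example: the keyword rule gets a (?i) flag that the page's pattern lacks, and unmatched records fall back to the Tier 1 Public classification with no action.

```go
package main

import "regexp"

// Rule mirrors one entry of the ClassificationRules list above. Rules are
// ordered from most to least sensitive and the first match decides.
type Rule struct {
	Pattern        *regexp.Regexp
	Classification string
	Action         string
}

// Rules carries the page's three patterns. (?i) is added to the keyword rule
// (the page writes it case-sensitively) so "CONFIDENTIAL" also matches.
var Rules = []Rule{
	{regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), "PHI", "Encrypt_and_restrict"},
	{regexp.MustCompile(`\b4[0-9]{12}(?:[0-9]{3})?\b`), "PCI", "Tokenize_and_encrypt"},
	{regexp.MustCompile(`(?i)confidential|proprietary|secret`), "Confidential", "Apply_RBAC"},
}

// Classify returns the classification and action of the most sensitive rule
// that matches. Anything unmatched falls back to the Public tier (this
// example's choice) with no action.
func Classify(record string) (classification, action string) {
	for _, r := range Rules {
		if r.Pattern.MatchString(record) {
			return r.Classification, r.Action
		}
	}
	return "Public", "None"
}

// Triage classifies a batch of records, as a "new data creation" trigger
// would, and groups them by classification so the caller can apply each
// tier's action in one pass.
func Triage(records []string) map[string][]string {
	out := map[string][]string{}
	for _, rec := range records {
		c, _ := Classify(rec)
		out[c] = append(out[c], rec)
	}
	return out
}
```

Two limits of the page's patterns worth knowing before running them on real data: the card pattern only matches an unbroken digit run, so "4111 1111 1111 1111" is missed, and the keyword rule also fires on words such as "secretary".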

Database Encryption

  DatabaseEncryption:
    MySQL:
      EncryptionType: "TDE"
      KeyManagement: "AWS KMS"
      KeyRotation: "Annually"
      BackupEncryption: "Enabled"
    PostgreSQL:
      EncryptionType: "Transparent Data Encryption"
      KeyManagement: "Azure Key Vault"
      ColumnLevelEncryption: "PCI_Data"
    DynamoDB:
      EncryptionType: "AWS-Managed CMK"
      CustomerManagedCMK: "Optional"
      PointInTimeRecovery: "Enabled"

Object Storage Encryption

  {
    "s3_encryption_policy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyUnencryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::secure-bucket/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": [
                "AES256",
                "aws:kms"
              ]
            }
          }
        }
      ]
    }
  }

TLS Configuration Standards

  TLSConfiguration:
    MinimumVersion: "TLS_1_3"
    PreferredCiphers:
      # Post-Quantum Hybrid Ciphers (combines classical + PQ algorithms)
      - "TLS_AES_256_GCM_SHA384_MLKEM768"        # Kyber-768 hybrid
      - "TLS_CHACHA20_POLY1305_SHA256_MLKEM768"  # Kyber-768 hybrid
      - "TLS_AES_128_GCM_SHA256_MLKEM512"        # Kyber-512 hybrid
      # Fallback to classical ciphers for compatibility
      - "TLS_AES_256_GCM_SHA384"
      - "TLS_CHACHA20_POLY1305_SHA256"
      - "TLS_AES_128_GCM_SHA256"
    KeyExchange:
      # NIST-approved PQ key exchange algorithms
      Primary: "ML-KEM-768"     # FIPS 203 (formerly Kyber)
      Fallback: "ML-KEM-1024"   # Higher security level
      HybridMode: "Enabled"     # Combines X25519/P-256 with ML-KEM
      ClassicalAlgorithms:
        - "X25519"  # For hybrid mode
        - "P-256"   # NIST curve for compatibility
    Signatures:
      # Post-Quantum Digital Signatures
      Primary: "ML-DSA-65"             # FIPS 204 (formerly Dilithium3)
      Alternative: "SLH-DSA-128s"      # FIPS 205 (formerly SPHINCS+)
      FallbackClassical: "ECDSA-P256"  # For compatibility
    CertificateManagement:
      Provider: "AWS Certificate Manager"
      AutoRenewal: "Enabled"
      Monitoring: "Certificate_Health_Checks"
      # PQ Certificate Support
      CertificateType: "Hybrid"        # Contains both classical and PQ keys
      PQAlgorithm: "ML-DSA-65"         # PQ signature algorithm
      ClassicalAlgorithm: "RSA-3072"   # Classical fallback
      # Certificate chain considerations
      ChainValidation:
        - "Validate_Classical_Signature"
        - "Validate_PQ_Signature"
        - "Require_Both_For_Full_Trust"
      # Key rotation strategy
      KeyRotation:
        Frequency: "Annually"
        PQKeySize: "1312_bytes"   # ML-DSA-65 public key size
        GracePeriod: "30_days"    # Dual-cert overlap period
    MutualTLS:
      Enabled: "For_Sensitive_APIs"
      ClientCertificates: "Managed_by_Corporate_CA"

Encryption Key Hierarchy:

graph TD
  %% Classes
  classDef root fill:#fce7f3,stroke:#db2777,stroke-width:2px,color:#9d174d
  classDef kek fill:#dbeafe,stroke:#2563eb,stroke-width:2px,color:#1e40af
  classDef dek fill:#d1fae5,stroke:#059669,stroke-width:2px,color:#065f46
  classDef data fill:#f3f4f6,stroke:#374151,stroke-width:2px,color:#1f2937
  %% Styling
  linkStyle default stroke:#9ca3af,stroke-width:2px,color:white

  HSM["Cloud HSM / Root of Trust"]:::root
  CMK["Customer Master Key (CMK)"]:::kek
  DEK["Data Encryption Key (DEK)"]:::dek
  EncData["Encrypted Data"]:::data

  HSM -->|Protects| CMK
  CMK -->|Encrypts/Decrypts| DEK
  DEK -->|Encrypts/Decrypts| EncData
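The HSM, CMK, DEK and data chain in the diagram above, as an added Go example that is not code from the chapter: envelope encryption with AES-256-GCM, where a fresh DEK protects each object and the CMK only ever wraps DEKs, so rotating the CMK re-wraps a few dozen bytes instead of re-encrypting the data. Assumption of this example: the CMK is a local 32-byte key standing in for the HSM-held KMS key, so seal/open under the CMK here correspond to what would be KMS wrap/unwrap API calls in production.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

const nonceSize = 12 // standard AES-GCM nonce length
// Envelope is what gets stored: data ciphertext plus the DEK wrapped under the CMK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }
// must panics on error: keys are generated here, so AES-GCM setup or CSPRNG failure is a platform fault.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal encrypts under key with a fresh nonce prepended; open reverses it and fails on a wrong key or tampering.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, nonceSize)
	must(rand.Read(nonce))
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	return gcm(key).Open(nil, sealed[:nonceSize], sealed[nonceSize:], nil)
}
// Encrypt draws a fresh 256-bit DEK per object: data under the DEK, DEK under the CMK (local stand-in for KMS).
func Encrypt(cmk, pt []byte) Envelope {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return Envelope{WrappedDEK: seal(cmk, dek), Ciphertext: seal(dek, pt)}
}
// Decrypt unwraps the DEK with the CMK, then decrypts the data with it.
func Decrypt(cmk []byte, env Envelope) ([]byte, error) {
	dek, err := open(cmk, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}
// RotateCMK re-wraps the DEK under a new CMK; the data ciphertext is untouched, so rotating the top is cheap.
func RotateCMK(oldCMK, newCMK []byte, env Envelope) (Envelope, error) {
	dek, err := open(oldCMK, env.WrappedDEK)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: seal(newCMK, dek), Ciphertext: env.Ciphertext}, nil
}
```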

3-2-1 Backup Rule

  • 3 copies of data (1 primary + 2 backups)
  • 2 different media types (cloud + local/offline)
  • 1 off-site backup (different geographic region)

Automated Backup Configuration

  BackupStrategy:
    DatabaseBackups:
      Frequency: "Daily"
      Retention: "30_days"
      CrossRegionReplication: "Enabled"
      PointInTimeRecovery: "15_minute_granularity"
    ObjectStorageBackups:
      Frequency: "Continuous"
      Versioning: "Enabled"
      CrossRegionReplication: "Enabled"
      LifecyclePolicies:
        - Transition_to_IA: "30_days"
        - Transition_to_Glacier: "90_days"
        - Delete_after: "2555_days"  # 7 years
    VirtualMachineBackups:
      Frequency: "Daily"
      IncrementalBackups: "Hourly"
      ApplicationConsistent: "Enabled"
      TestRestores: "Monthly"

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

| System Tier          | RTO        | RPO          | Backup Strategy       |
|----------------------|------------|--------------|-----------------------|
| Critical Systems     | < 1 hour   | < 15 minutes | Real-time replication |
| Important Systems    | < 4 hours  | < 1 hour     | Hourly snapshots      |
| Essential Systems    | < 24 hours | < 4 hours    | Daily backups         |
| Non-critical Systems | < 72 hours | < 24 hours   | Weekly backups        |