Purpose

The purpose of this policy is to establish practices for protecting Zuar data in the event of unauthorized access through the use of encryption. The policy describes the different components that can be configured to utilize encryption, the algorithm that must be used for each, and how encryption keys should be managed.

Scope

The policy applies to all systems that store or process Zuar data classified as Customer Confidential as per the Data Classification Policy.

Ownership

Engineering is responsible for implementing and maintaining this policy.

Policy Statement

All sensitive data classified according to Zuar's Data Classification policy is encrypted at rest and in transit using strong, industry-recommended algorithms. Encryption at rest is used across multiple systems and layers of the stack, including file systems, file object stores, databases, third-party SaaS services, and directly in Zuar's own developed components. Encryption in transit is primarily achieved through the use of Transport Layer Security (TLS), but may include other secure protocols.

Cloud storage encryption

Third-party cloud storage such as S3 and GCS is configured with, at minimum, server-side encryption using the vendor-managed key.

All Zuar files stored in S3 are encrypted using industry-standard AES-256 encryption with AWS-managed keys. S3 encrypts each object on the server with a unique data key, and then encrypts those data keys with a master key stored in AWS KMS.

Data store encryption

Data stores are configured to enable encryption at rest. Zuar utilizes DigitalOcean and AWS for hosting and storing Customer Confidential data. More information on these datacenter providers can be found at https://www.digitalocean.com/security and https://aws.amazon.com/security/, respectively.

TLS certificates and endpoints

TLS usage is evaluated on a quarterly basis using tools such as Qualys SSL Labs, and any grade lower than A is promptly corrected.

Strong encryption of data in transit based on TLS requires up-to-date cipher suites on every TLS-enabled endpoint. What must be kept current includes the TLS protocol version, the configuration options, and the available algorithms and key lengths. Critical vulnerabilities in older SSL and TLS versions, such as the BEAST and POODLE attacks, as well as the subsequent deprecation of TLS v1.0 and v1.1 over the past several years, have made securing TLS termination endpoints a necessary major focus of any strong security program.

Zuar maintains a secure and updated configuration of its TLS endpoints, and performs continuous external tests. A passing test requires TLS v1.2 or higher and a symmetric cipher of AES-128 strength or higher.
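The two passing criteria above (TLS v1.2 or higher, AES-128 or higher) can be checked outside of the quarterly SSL Labs scan. The script below is an added example, not Zuar's tooling: it probes a live endpoint and grades the negotiated protocol and cipher, separately tests whether an endpoint still completes a deprecated TLS 1.0/1.1 handshake (which SSL Labs also checks, and which a default Python client cannot see because it refuses to speak those versions itself), and audits a server-side SSLContext offline. The hostname, the OpenSSL cipher string, and the decision to count ChaCha20-Poly1305 as an "AES-256 or equivalent" cipher are assumptions made here, not statements of the policy.

```python
"""Check TLS endpoints and server configurations against the policy's
passing criteria: TLS v1.2 or higher, AES-128 or higher.

Added example, not Zuar's tooling. The hostname, the cipher string and the
ChaCha20 allowance are assumptions, not taken from the policy.
"""
from __future__ import annotations

import socket
import ssl

MIN_BITS = 128
# Bulk ciphers accepted as "AES-128 or higher / AES-256 or equivalent":
# AES in any mode plus ChaCha20-Poly1305 (256-bit key). Counting ChaCha20
# as an AES equivalent is an assumption; drop it for a literal AES-only rule.
STRONG_CIPHER_MARKERS = ("AES", "CHACHA20")


def protocol_ok(version: str) -> bool:
    """TLS 1.2 and 1.3 pass; SSLv3, TLS 1.0 ("TLSv1") and TLS 1.1 fail."""
    return version in ("TLSv1.2", "TLSv1.3")


def cipher_ok(name: str, bits: int) -> bool:
    """name is the suite as OpenSSL reports it (ECDHE-RSA-AES128-GCM-SHA256,
    TLS_AES_256_GCM_SHA384, ...); bits is the secret key length."""
    return any(m in name for m in STRONG_CIPHER_MARKERS) and bits >= MIN_BITS


def evaluate(version: str, cipher: str, bits: int) -> tuple[bool, list[str]]:
    """Apply both policy rules to one negotiated (version, cipher, bits) triple."""
    reasons = []
    if not protocol_ok(version):
        reasons.append(f"protocol {version} is below TLS 1.2")
    if not cipher_ok(cipher, bits):
        reasons.append(f"cipher {cipher} ({bits} bits) is weaker than AES-{MIN_BITS}")
    return (not reasons, reasons)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str, str, int]:
    """Negotiate one connection with a verifying default context and return
    (version, cipher name, bits) for evaluate(). Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits


def offers_legacy(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server still completes a TLS 1.0 or 1.1 handshake.
    The default client context refuses those versions, so a dedicated
    context is needed; certificate checks are off because only the
    handshake outcome matters here. Needs network access."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 3 gates TLS < 1.2 behind level 0
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() in ("TLSv1", "TLSv1.1")
    except (ssl.SSLError, ValueError, OSError):
        return False  # handshake refused, or this OpenSSL cannot speak them at all


def policy_server_context(certfile: str | None = None,
                          keyfile: str | None = None) -> ssl.SSLContext:
    """Server-side configuration meeting the policy: TLS 1.2 minimum and
    only ECDHE AES-GCM suites for TLS 1.2 (TLS 1.3 suites are fixed by OpenSSL)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL")  # assumed cipher string
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Offline check of a context: its minimum version and every suite it offers."""
    failures = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        failures.append(f"minimum version {ctx.minimum_version.name} is below TLS 1.2")
    for suite in ctx.get_ciphers():
        if not cipher_ok(suite["name"], suite["strength_bits"]):
            failures.append(f"weak suite offered: {suite['name']}")
    return failures


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    ok, reasons = evaluate(*probe(host))
    print(host, "PASS" if ok else "FAIL", *reasons)
    print("legacy TLS 1.0/1.1 still offered:", offers_legacy(host))
    print("server context audit:", audit_context(policy_server_context()) or "clean")
```

One caveat when reading the results: a single probe() reports only the suite that one client negotiated, so a server that prefers AES-256-GCM but still offers 3DES passes evaluate() while failing SSL Labs. The audit_context() check is the one that sees the whole offered list, so run it against the configuration actually deployed on the terminating endpoint rather than trusting a single handshake.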

Data in transit encryption

Data in transit over the public Internet is encrypted with industry-standard algorithms.

All public interfaces must be accessible only over secure ports and protocols, such as TLS and SSH. Where possible, communication between Zuar Customers and Zuar's network components and software is encrypted with AES-256 or equivalent, so that any accidental or malicious exposure of a communication channel is unreadable to unauthorized parties.

Data in transit encryption at Zuar is applied universally to all data, without consideration of that data's classification or its status as Sensitive or Regulated.
