Operations, Security & Reliability

Encryption, Secrets, and Auditing

Database protection is layered: encryption limits disclosure in particular threat paths, secret management controls who can authenticate or decrypt, auditing preserves accountable evidence, and minimization reduces what an attacker or operator can obtain at all.
  • Name the adversary and the boundary for every encryption layer.
  • Encryption at rest does not stop an authorized query.
  • Keys and credentials have lifecycles.
  • Audit logs must resist the subject they audit.
  • Sensitive data belongs neither in logs nor broad telemetry.
  • Minimization is the strongest blast-radius reduction.
Layered threat model
LayerHelps againstDoes not by itself stop
TLS with endpoint verificationnetwork interception and tamperingcompromised endpoint or stolen credential
Volume/backup encryptionlost disks, media, raw snapshotsdatabase/app reading plaintext
Application/field encryptionselected DB/operator disclosurecompromised app/key service; metadata leakage
Secret manager + short-lived identitycredential sprawl and long exposureoverprivileged issued identity
Tamper-resistant audit sinkrepudiation and local log deletionthe original data access
Minimization/tokenizationimpact of compromisemisuse of retained cleartext
Key and credential lifecycle
Audit event contract
event_id, occurred_at_utc, authenticated_principal, assumed_role
action, object_type, object_id_or_token, authorization_decision
source_service, source_address_class, request_id, trace_id, outcome
policy_version, database_instance, immutable_sink_sequence

Never include passwords, private keys, raw payment data, or unrestricted bind values.