Operations, Security & Reliability
Encryption, Secrets, and Auditing
Database protection is layered: encryption limits disclosure in particular threat paths, secret management controls who can authenticate or decrypt, auditing preserves accountable evidence, and minimization reduces what an attacker or operator can obtain at all.
- Name the adversary and the boundary for every encryption layer.
- Encryption at rest does not stop an authorized query.
- Keys and credentials have lifecycles.
- Audit logs must resist the subject they audit.
- Sensitive data belongs neither in logs nor broad telemetry.
- Minimization is the strongest blast-radius reduction.
| Layer | Helps against | Does not by itself stop |
|---|---|---|
| TLS with endpoint verification | network interception and tampering | compromised endpoint or stolen credential |
| Volume/backup encryption | lost disks, media, raw snapshots | database/app reading plaintext |
| Application/field encryption | selected DB/operator disclosure | compromised app/key service; metadata leakage |
| Secret manager + short-lived identity | credential sprawl and long exposure | overprivileged issued identity |
| Tamper-resistant audit sink | repudiation and local log deletion | the original data access |
| Minimization/tokenization | impact of compromise | misuse of retained cleartext |
event_id, occurred_at_utc, authenticated_principal, assumed_role
action, object_type, object_id_or_token, authorization_decision
source_service, source_address_class, request_id, trace_id, outcome
policy_version, database_instance, immutable_sink_sequence
Never include passwords, private keys, raw payment data, or unrestricted bind values.