How does Cognite handle data encryption at rest? Is there any documentation available regarding this requirement? Additionally, concerning data encryption in transit, are there alternative approaches to TLS or MTLS?
Data Encryption at Rest/Transit
Hi,
I don’t believe we have documented this externally as of now beyond the reference at https://docs.cognite.com/cdf/trust/security/#cognite-keeps-your-data-private .
We primarily utilize the capabilities from the cloud vendors when it comes to encryption at rest. We may have taken some additional steps in key places, where we have identified additional needs, but in general it is based on the cloud vendor for the CDF cluster a project resides on. We do not currently expose any control over this through our APIs.
When it comes to data encryption in transit, we currently only expose TLS. We restrict the versions to avoid very old versions and have also removed some weak or vulnerable ciphers from our accepted list, although we do have to take into account traffic from some industrial clients that our customers find hard to keep up to date with the latest standards. We also ensure transit security within clusters by using transit-encryption, and here we have more room to use stricter configurations than what is exposed externally.
We currently do not support mTLS externally, and it is currently not on our roadmap to do so. It is an interesting alternative to further secure client traffic, but does require a bit more administration work.
Thorkild, Cognite