CUEDIn automatically encrypts all data before it is written to disk. There is no setup or configuration required and no need to modify the way you access the service. The data is automatically and transparently decrypted when read by an authorized user.
With server-side encryption, CUEDIn manages the cryptographic keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Each CUEDIn object's data and metadata is encrypted under the 256-bit Advanced Encryption Standard, and each encryption key is itself encrypted with a regularly rotated set of master keys.
Server-side encryption can be used in combination with client-side encryption. In client-side encryption, you manage your own encryption keys and encrypt data before writing it to CUEDIn. In this case, your data is encrypted twice: once with your keys and once with CUEDIn’s keys.
To protect your data as it travels over the Internet during read and write operations, we use Transport Layer Security (TLS).
The CUEDIn Platform encrypts customer data stored at rest by default, with no additional action required from you. We offer a continuum of encryption key management options to meet your needs. This page helps you identify the solutions that best fit your requirements for key generation, storage, and rotation, whether you are choosing for your storage, compute, or big data workloads. Encryption should be used as one piece of a broader data security strategy.
Data in the CUEDIn Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at CUEDIn, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). Customers can choose which key management solution they prefer for managing the KEKs that protect the DEKs that protect their data.
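The DEK/KEK layering described above, sketched as an added example; it is not CUEDIn's code. The function names, the chunk-id string used as associated data, and the nonce + tag + ciphertext layout are assumptions, and AES-256-GCM is chosen here because the page specifies only 256-bit AES.

```ruby
require 'openssl'

# AES-256-GCM seal: returns nonce (12 bytes) + tag (16 bytes) + ciphertext.
# aad is authenticated but not encrypted; it binds the blob to its context.
def seal(key, plaintext, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv # fresh random nonce for every call
  c.auth_data = aad
  ct = c.update(plaintext) + c.final
  nonce + c.auth_tag + ct
end

# Inverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key,
# a modified blob, or mismatched aad.
def unseal(key, blob, aad)
  raise ArgumentError, 'blob too short' if blob.bytesize <= 28
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = aad
  d.update(blob.byteslice(28, blob.bytesize)) + d.final
end

# Each chunk gets its own random DEK. The DEK is wrapped by the KEK and kept
# beside the ciphertext. chunk_id (an assumed naming scheme) is the aad, so a
# ciphertext or wrapped DEK moved to another chunk fails authentication.
def encrypt_chunk(kek, chunk_id, data)
  dek = OpenSSL::Random.random_bytes(32)
  { id: chunk_id,
    wrapped_dek: seal(kek, dek, chunk_id),
    ciphertext: seal(dek, data, chunk_id) }
end

# Unwrap the DEK with the KEK, then decrypt the chunk with the DEK.
def decrypt_chunk(kek, stored)
  dek = unseal(kek, stored[:wrapped_dek], stored[:id])
  unseal(dek, stored[:ciphertext], stored[:id])
end

# KEK rotation re-wraps only the 32-byte DEK; the chunk ciphertext is reused.
def rewrap_dek(old_kek, new_kek, stored)
  dek = unseal(old_kek, stored[:wrapped_dek], stored[:id])
  stored.merge(wrapped_dek: seal(new_kek, dek, stored[:id]))
end
```

Because rotation rewrites only the wrapped DEK, its cost scales with the number of chunks rather than with the volume of stored data.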