nw-security-and-governance
Install: claude install-skill nWave-ai/nWave
# Security and Governance
## Defense-in-Depth Security Model
Layered security, where each layer provides independent protection:
1. **Encryption at rest** (TDE) — protects against physical media theft
2. **Encryption in transit** (TLS/SSL) — protects against network interception
3. **Access control** (RBAC/ABAC) — enforces least privilege
4. **SQL injection prevention** — protects against application-layer attacks
5. **Audit logging** — accountability and forensic capability
## Encryption at Rest (TDE)
Encrypts database files on disk without application changes: data pages are encrypted before being written to disk and decrypted when read into memory, using AES with 128- or 256-bit symmetric keys. Transparent to applications.
### Key Hierarchy (SQL Server)
1. Service Master Key (Windows DPAPI) -> 2. Database Master Key -> 3. Certificate -> 4. Database Encryption Key (DEK)
### Implementation
```sql
-- SQL Server TDE (key hierarchy: Service Master Key -> DB Master Key -> Certificate -> DEK)
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password>';  -- DB Master Key lives in master
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE Certificate';     -- protected by the DB Master Key
USE [YourDB];
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
ALTER DATABASE [YourDB] SET ENCRYPTION ON;
-- PostgreSQL: pgcrypto for column-level, full TDE in v17+ | Oracle: ALTER SYSTEM SET ENCRYPTION KEY
```
### Best Practices
- Back up certificates/keys immediately — loss means unrecoverable data
- Store backups in a separate secure location
- Implement a key rotation policy
- Use customer-managed keys (BYOK) for regulatory compliance
- Monitor performance impact (typically 3-5% overhead)
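The backup, verification and rotation steps from the best practices above, written out as an added SQL Server example (not part of the original skill); the file paths, the `YourDB` name and the passwords are placeholders to replace:

```sql
-- 1. Back up the TDE certificate and its private key right after creation (run in master).
--    Without this backup an encrypted database cannot be restored on another server.
USE master;
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\secure-offsite\TDE_Cert.cer'              -- assumed path; keep it off the DB host
    WITH PRIVATE KEY (
        FILE = 'D:\secure-offsite\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong backup password>' -- placeholder; store it in a vault
    );

-- 2. Verify that encryption actually completed rather than trusting the ALTER DATABASE call.
--    encryption_state: 1 = unencrypted, 2 = encryption in progress, 3 = encrypted,
--    4 = key change in progress, 5 = decryption in progress.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       k.regenerate_date,
       c.name        AS certificate_name,
       c.expiry_date AS certificate_expiry
FROM sys.dm_database_encryption_keys AS k
JOIN sys.certificates AS c
  ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('YourDB');

-- 3. Key rotation: regenerate the DEK under the same certificate (run in the user database).
--    The data pages are re-encrypted in the background; re-run the query above until state = 3.
USE [YourDB];
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;
```

Step 2 also surfaces the certificate expiry date, which is worth checking on a schedule because a certificate that has expired still decrypts, but that is the point at which rotation to a new certificate should already have happened.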