
Securing Stored Data - Encrypted Central Vault

The encrypted credential vault forms the core of the Securden Password Vault, Unified PAM, and Enterprise PAM solutions. The vault is a fully access-controlled, highly available server instance hosted on the AWS cloud. The server handles the business logic; end users access the vault through a web browser.

Design of the vault

Each customer’s data is fully segregated within the database. Because every customer’s data is encrypted with its own unique encryption key, each customer’s segment can be treated as a separate database.

Encryption key management

The unique encryption key is generated automatically and stored in Amazon’s Key Management Service (KMS); it cannot be accessed by anyone outside your organization. This is ensured by enforcing the use of AWS CloudHSM key stores for encrypting and decrypting the database with the key. Whenever a customer’s data is queued for encryption or decryption, a separate slot is created with the corresponding key. The key management system stores the key in non-extractable form within the CloudHSM cluster.

Data storage

All sensitive data is stored in the digital vault in encrypted form using the AES-256 algorithm. The sensitive data is encrypted with the encryption key at the application level, and the resulting ciphertext is stored inside the segmented database.

Data integrity

Each organization’s data in the database is encrypted using a unique encryption key, and it cannot be accessed by anyone outside the organization. Even if unauthorized intruders manage to infiltrate the database, they obtain only encrypted data, which cannot be deciphered into plaintext without the encryption key.
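The following is an added example, not Securden's code and not something the page describes in implementation detail. It models the design above at the application layer: one AES-256 key per customer segment, every record sealed before it reaches the shared database, and a record sealed for one customer unreadable under any other customer's key. Assumptions: the per-tenant keys are plain in-memory bytes standing in for the keys the page says live in AWS KMS/CloudHSM (where they never leave the HSM); AES-256-GCM is used so that tampering with stored ciphertext is detected; and the tenant ID is bound into each record as additional authenticated data, which is a defensive choice of this example rather than a property the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault holds one data-encryption key per customer segment.
// Assumption: in-memory 32-byte keys stand in for keys that the real
// design keeps non-extractable inside KMS/CloudHSM.
type Vault struct {
	tenantKeys map[string][]byte
}

func NewVault() *Vault { return &Vault{tenantKeys: map[string][]byte{}} }

// ProvisionTenant generates a fresh 256-bit key for a new customer segment.
func (v *Vault) ProvisionTenant(tenant string) error {
	if _, exists := v.tenantKeys[tenant]; exists {
		return errors.New("tenant already provisioned")
	}
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return err
	}
	v.tenantKeys[tenant] = key
	return nil
}

// aead returns an AES-256-GCM instance bound to the tenant's own key.
func (v *Vault) aead(tenant string) (cipher.AEAD, error) {
	key, ok := v.tenantKeys[tenant]
	if !ok {
		return nil, errors.New("unknown tenant")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one secret at the application layer before it is written
// to the shared database. The tenant ID is authenticated as AAD, so a
// record copied into another segment fails to open even if keys matched.
// Stored layout: nonce || ciphertext || GCM tag.
func (v *Vault) Encrypt(tenant string, plaintext []byte) ([]byte, error) {
	gcm, err := v.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Decrypt opens a stored record with the requesting tenant's key; any
// other key, a wrong tenant ID, or a modified byte yields an error.
func (v *Vault) Decrypt(tenant string, record []byte) ([]byte, error) {
	gcm, err := v.aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(tenant))
}

// CrossTenantIsolated reports whether a record is unreadable under another
// tenant's key, the segregation property the page describes.
func CrossTenantIsolated(v *Vault, other string, record []byte) bool {
	_, err := v.Decrypt(other, record)
	return err != nil
}

func main() {
	v := NewVault()
	_ = v.ProvisionTenant("acme")
	_ = v.ProvisionTenant("globex")
	// Constructed sample secret; not real credentials.
	rec, _ := v.Encrypt("acme", []byte("db-admin:Hunter2!"))
	pt, _ := v.Decrypt("acme", rec)
	fmt.Printf("acme reads back: %s\n", pt)
	fmt.Println("globex isolated from acme record:", CrossTenantIsolated(v, "globex", rec))
}
```

In a deployment that matches the page, the `Encrypt`/`Decrypt` bodies would be replaced by calls to the HSM-backed key service, since the raw key material is never available to the application; the surrounding logic (one key per segment, seal before store, bind the record to its owner) is what keeps an intruder who reaches the database holding only ciphertext.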

Design Highlights

  • AES-256 data encryption
  • Each organization's/client's data is encrypted using a unique encryption key to ensure data integrity
  • The encryption key is stored in Amazon KMS, and all cryptographic operations are handled within a CloudHSM cluster