Is Your Sensitive Data Protected
Throughout its Entire Life Cycle?

Erik Rush | April 21, 2021


These days, data is an organization’s most valuable asset—and to maintain the value of that data, it’s crucial to identify where, when and how that data is vulnerable. Vulnerability points increase the risk of data breaches, which organizations are obviously trying to avoid. 

Many of the aforementioned vulnerability points are part of a cycle which is known as the data lifecycle. The data lifecycle determines where the data resides: on-premise, in the cloud, with third-party vendors or elsewhere. Understanding where the data resides within your infrastructure is the first step in protecting the security and the privacy of that data.

The data lifecycle is an overall process that describes how data flows through an organization, as well as an important starting point for security and privacy professionals in protecting data.

Data collection—the first component of data collection—begins with the ingestion of user information. This information is collected either actively or passively. Active collection involves the user being aware of the data collection. A user filling out a web form, for example, is an example of active data collection. Passive collection involves the collection and analysis taking place after or apart from the initial active data collection, where insights regarding the user’s activity reveal patterns.

The Starting Point: Amazon CloudFront 

Many Amazon Web Services (AWS) customer workflows require ingesting sensitive and regulated data. These can include Payments Card Industry (PCI) data, personally identifiable information (PII), protected health information (PHI) as well as others. While integrating the various AWS security features and tools into a solution that will ensure security through your data’s lifecycle can seem daunting, AWS does provide resources for implementation and integration in their Solutions Library.

One method for sensitive data protection in AWS is the field-level encryption feature offered by Amazon CloudFront. This feature protects sensitive data fields in requests at the AWS network edge. The idea behind field-level encryption is to protect sensitive data fields individually, while retaining the structure of the application payload. Chosen fields are protected upon ingestion and remain protected throughout the entire application stack. The concept of protecting sensitive data early in its lifecycle in AWS is a highly sought-after security architecture; however, “CloudFront can protect a maximum of 10 fields and only within HTTP(S) POST requests that carry HTML form encoded payloads” (AWS). If an organization’s requirements exceed these native field-level encryption parameters, then field-level encryption using the Lambda@Edge feature in CloudFront can be implemented.

Key Management & Encryption

The next level is key management, an important part of any encryption solution. To address that, AWS Key Management Service (AWS KMS) simplifies matters and offers improved security posture and operational benefits. Here, data can be protected in-transit over individual communications channels using transport layer security (TLS), and at-rest in individual storage silos using volume encryption, object encryption or database table encryption. 

Sensitive workloads may require additional protection that can follow the data as it moves through the application stack; data protection techniques like field-level encryption protect sensitive data fields in larger application payloads while leaving non-sensitive fields in plain text. 

Comprehensive Lifecycle Protection

AWS provides detailed implementation information for this solution, but it is evident that in addition to significantly enhancing an organization’s data security posture, this protection can also help in compliance with data privacy regulations applicable to the organization. Since companies author their own Lambda@Edge functions to perform standard RSA encryption, there’s flexibility in terms of payload formats and the number of fields that managers may consider sensitive.

Through the use of encrypted fields with identifiers, you can create fine-grained controls for data accessibility to meet the security principle of least privilege. In other words, instead of granting either complete access or no access to data fields, you can ensure least privileges where discrete sections of an application can only access the fields that it needs, including singular field-by-field access.

Order of the Cipher is an Amazon Web Services (AWS) training company and a novel approach to cybersecurity training that combines theatrical presentation with proven teaching techniques. We’ve mastered Amazon Web Services, and we’ve perfected how to showcase the versatility and capability of AWS technology in a manner that provides real-world immersion experiences that prepare students to expertly navigate the AWS ecosystem.


Order of the Cipher: Ep 01 Cybersecurity, Tech, and AWS Podcast. Filmed at the Cipher Suite.

Order of the Cipher: Ep 02 AWS, Cybersecurity, and Tech Podcast. Hacking, Coding, and IT humor.

Cybersecurity, Tech, and AWS Podcast. Filmed at the Cipher Suite.