Appian Cloud Database Encryption

Introduction

Appian Cloud sites provisioned with MariaDB as the database have the option to enable data-at-rest encryption in the database. This functionality is available for Premier and Premier Plus customers. This page provides an overview of the offering along with steps to leverage the feature.

Feature overview

With the database encryption feature, your data in the Appian Cloud database can be stored in an encrypted state at rest. For the tables you choose to encrypt, the data will not be written to disk in plaintext. The encryption and decryption of data will be performed when the SQL statements are executed. Thus, in addition to disk encryption on Appian Cloud, customers will receive an extra layer of protection against file extraction and unauthorized file read operations. The data in your database can only be accessed via authenticated SQL queries. This feature is also referred to as Transparent Data Encryption (TDE), since this form of database encryption is transparent to the application layer. Any queries performed via phpMyAdmin or other database clients will continue to show decrypted output. No Appian application changes are required to leverage the functionality.

Additionally, due to the Bring Your Own Key functionality with AWS Key Management Service, Appian will make an API call to request your Customer Managed Key in AWS to start the database. This will enable you to audit every request to start the database and empower you to disable the startup of your database in Appian Cloud. Customers who choose to use database encryption functionality will need to manage the encryption keys using their own AWS Key Management Service account. AWS CloudHSM Hardware Security Module (HSM) is not supported for use with data-at-rest encryption in the Appian Cloud database.

Appian Cloud leverages MariaDB's built-in data-at-rest encryption functionality with AWS Key Management Plugin. More details about the encryption feature can be found on MariaDB's data-at-rest encryption page.

Architecture

Appian Cloud database encryption uses AWS Key Management Service to manage the keys. AWS Key Management Service exposes key functionality via an API. For the purposes of Appian Cloud, AWS Customer Managed Key can be used to control access to the database. Appian Cloud database uses your Customer Managed Key for the following purposes:

  1. To generate the data encryption key (DEK) during the first startup
  2. To decrypt the data encryption key (DEK) on subsequent restarts
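
Because both uses of the Customer Managed Key are KMS API calls, the audit mentioned above can be run over the CloudTrail records for your key. The following is an added example, not Appian's code: it separates expected key uses from calls by another principal and from refused requests. The ARNs, the sample records, and the mapping of startup to the KMS operations listed are assumptions.

```python
# Constructed placeholders: use your CMK's ARN and the IAM user ARN named in
# the key policy statement that Appian Premier Support provides.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APPIAN_USER = "arn:aws:iam::444455556666:user/EXAMPLE-APPIAN-USER"
OTHER_USER = "arn:aws:iam::111122223333:user/EXAMPLE-OTHER-USER"

# Assumption: DEK generation (first startup) and DEK decryption (restarts)
# appear in CloudTrail as one of these KMS API operations.
DEK_EVENTS = {"GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "Decrypt"}

def rec(time, name, who, error=None, key=CMK_ARN):
    """Build one constructed record shaped like a CloudTrail log entry."""
    entry = {"eventTime": time, "eventSource": "kms.amazonaws.com",
             "eventName": name, "userIdentity": {"arn": who},
             "resources": [{"ARN": key}]}
    if error:
        entry["errorCode"] = error
    return entry

SAMPLE_RECORDS = [  # constructed sample, not real log data
    rec("2024-03-01T02:00:11Z", "GenerateDataKeyWithoutPlaintext", APPIAN_USER),
    rec("2024-03-09T02:00:07Z", "Decrypt", APPIAN_USER),
    rec("2024-03-12T14:31:50Z", "Decrypt", OTHER_USER),
    rec("2024-03-15T02:00:09Z", "Decrypt", APPIAN_USER, error="DisabledException"),
    rec("2024-03-15T02:05:00Z", "DescribeKey", APPIAN_USER),
    rec("2024-03-16T09:00:00Z", "Decrypt", APPIAN_USER, key=CMK_ARN + "-OTHER"),
]

def audit_cmk_usage(records, cmk_arn, expected_principal):
    """Split DEK operations on cmk_arn into expected key uses and alerts."""
    startups, alerts = [], []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com" or r.get("eventName") not in DEK_EVENTS:
            continue  # not a data-key operation
        if cmk_arn not in {res.get("ARN") for res in r.get("resources") or []}:
            continue  # a different key
        who = r.get("userIdentity", {}).get("arn", "<unknown>")
        row = (r["eventTime"], r["eventName"], who)
        if who != expected_principal:
            alerts.append(row + ("unexpected principal",))
        elif r.get("errorCode"):
            alerts.append(row + ("refused: " + r["errorCode"],))
        else:
            startups.append(row)
    return startups, alerts

if __name__ == "__main__":
    ok, bad = audit_cmk_usage(SAMPLE_RECORDS, CMK_ARN, APPIAN_USER)
    print(len(ok), "expected key uses;", len(bad), "alerts:", bad)
```

A refused request from the expected principal is what you would see after disabling the key, so it is reported separately from use by another principal.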

The following diagrams describe the steps taken during the database startup:

Steps

Perform the following steps to enable encryption on your Appian Cloud database:

| Step | Description | Owner |
| --- | --- | --- |
| Determine encryption parameters | Choose your encryption strength and default encryption for tables. Available parameters are described in the setup parameters section. | Customer |
| Create a support case | Create a support case with Appian to enable database encryption. Provide details about the chosen setup parameters. | Customer |
| Generate policy statement | If it is not already created, Appian Premier Support will create an IAM User within Appian Cloud that will be used exclusively with your Appian environment. Your technical support contact will provide you with the KMS Key Policy Statement that will need to be added to your created KMS CMK (next step). | Appian Premier Support |
| Creation of the KMS CMK | Once your Premier Support contact has provided a key policy statement, you are set to create the KMS Customer Master Key that will be used for database encryption. Engage your AWS Administrator to create this key and add the provided key policy statement to it. You may reference AWS documentation on how to create a CMK and add this policy statement to it. Below are the constraints for the CMK: (1) Must be Symmetric; (2) Must be created in the same AWS region as your Appian Cloud Environment. The Key Policy statement will give us permission to utilize your key in order to generate data keys and run decryption operations. Once the CMK has been created, please post the Amazon Resource Name (ARN) into the Appian Cloud Support Case. | Customer |
| Appian Cloud site restart | Your site will need to be restarted in order for encryption to apply. | Appian Premier Support |

Setup parameters

In the support case you create to enable database encryption, you can specify the encryption parameters to override the defaults. The following parameters are available:

Default encryption for tables

This parameter controls whether all the tables in your database are encrypted by default. Valid values are:

  • OFF: Only the tables manually created/altered by you with ENCRYPTED=YES option via a SQL statement will be encrypted. The rest of the tables in your database will remain unencrypted. OFF is the recommended value for the default encryption parameter if you want to encrypt only specific tables in your database. Since there is a performance overhead for encrypting and decrypting the data, you may want to encrypt only the tables with sensitive data. For example, you can create an encrypted table using the following SQL statement:

    CREATE TABLE t1 (
       id int PRIMARY KEY,
       name varchar(255)
    ) ENCRYPTED=YES

  • ON: All the database tables in your Appian Cloud database will be encrypted by default, unless a table is created/altered explicitly with ENCRYPTED=NO option via a SQL statement. Choosing this value for default encryption parameter will also encrypt the existing database tables on your site. This includes tables that contain your business data, and tables that contain Appian metadata. ON is the recommended value for the default encryption parameter if you want to encrypt the entire database, except a few large tables. For example, you can create an unencrypted table explicitly by using the following SQL statement:

    CREATE TABLE t1 (
       id int PRIMARY KEY,
       name varchar(255)
    ) ENCRYPTED=NO

  • FORCE: All the database tables in your Appian Cloud database will be encrypted by default. A table cannot be created/altered with ENCRYPTED=NO option via a SQL statement. Choosing this option will also encrypt the existing database tables on your site. This includes tables that contain your business data, and tables that contain Appian metadata. FORCE is the recommended value for the default encryption parameter if you want to ensure all the tables in your database are always encrypted.

If the default encryption parameter is not specified, the value is set to ON by Appian.

Encryption algorithm

This parameter controls the encryption algorithm used to encrypt the data. Either AES 256 or AES 128 algorithm can be selected. If this parameter is not specified, the default value used by Appian is AES 256.

Additional details

Key rotation

  • CMK Rotation: Use of Amazon's built-in automatic AWS CMK rotation is supported. This type of rotation maintains access to the old key for decryption regardless of the rotation of the underlying material, and also maintains the same key metadata. Manual key rotation is not supported.

  • DEK Rotation: Customers can rotate the Data Encryption Key (DEK) used for encryption of database tables by executing a stored procedure. You can execute CALL AppianProcess.rotateEncryptionKey(-1) in phpMyAdmin to rotate all the keys. If you have created tables with specific key IDs, you can pass the key ID to the stored procedure instead of passing -1, to rotate that specific key.

Disabling encryption

To disable database encryption on your Appian Cloud site, please open a support case with Appian. Depending on the value of default encryption parameter chosen, different steps need to be followed in order to disable encryption. Your Premier Support contact will guide you through the steps to be taken. Do not disable your AWS Customer Managed Key before you disable database encryption.

Encryption of database logs

  • Binary Log: When database encryption is enabled, the database binary log produces output in encrypted format.

  • Audit Log: Appian Cloud maintains a full Cloud database audit log for compliance purposes. The database audit log does not automatically produce encrypted output when database encryption is enabled. However, Appian will encrypt the database audit log file at an hourly interval using the same AWS Customer Managed Key as provided by the customer for database encryption. Thus, your database audit log files will not be stored in plaintext. Please note that the Cloud database requests log, which captures requests to the business data source and is typically available to Appian Cloud customers in the <APPIAN_HOME>/logs/audit/rdbms directory, is disabled when database encryption is enabled. The Cloud database requests log is disabled to ensure that no data is retained on disk in plaintext.

  • Error Log: The database error log does not produce encrypted output when encryption is enabled. However, Appian will encrypt the database error log file at an hourly interval, using the same AWS Customer Managed Key as provided by the customers for database encryption. Thus, your database error log files will not be stored in plaintext.

Transport layer encryption

The data in transit between Appian Cloud database (MariaDB) and the clients is encrypted using the Transport Layer Security (TLS) protocol. No additional configuration is required to enable security for data in transit.

Performance impact

A small performance impact on the database is expected when encryption is enabled. This is due to the processing that goes into encrypting and decrypting your data at runtime. Thus, it is advisable to use the database encryption feature only when strictly required for compliance reasons.

Data sync and search server

Using the data sync feature for a Record Type object creates a copy of the Record data in the data server. The data server does not currently support database encryption. Thus, if you do not intend to store business data for a particular Record Type in plaintext on disk, the data sync feature should not be used with the corresponding Record Type.

Similarly, encryption of data is not supported in the search server, which indexes data to enable faster search in some areas of the product. Search server currently indexes design objects metadata, Appian user activity, News feed entries and CDT field names with document extraction feature. If you use News feed features and write business data to the feed, that data will be stored unencrypted in the search server. Similarly, if you use the document extraction feature, the Custom Data Type (CDT) field names and the document field names (not the values in the fields) are indexed into the search server. If the document extraction feature is used, the corresponding CDT field names will be stored unencrypted in the search server.
