This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud. |
Disk encryption protects information stored on computer disks by encrypting every bit of data. It transforms human-readable information on the drive to unreadable, seemingly randomized characters. If an encrypted disk is lost or stolen, the disk remains encrypted, and only authorized users are able to access and decipher its contents.
This page provides information about standard disk encryption for Appian Cloud. It also documents the Bring Your Own Key (BYOK) feature for Advanced or Enterprise Support customers who want to manage their own encryption keys.
Appian Cloud also offers database encryption for customers who want to add an extra layer of encryption at the database level.
Appian uses full disk encryption in Appian Cloud. Data at rest is protected for Appian Cloud environments at the disk level using industry standard algorithms, such as AES, at key lengths considered to be strong for that algorithm. For example, 128-bit or 256-bit.
Disk encryption covers all data stored on disk in Appian by all Appian features. All the disks that contain your data will be encrypted and their encryption keys stored in a secured location within Appian Cloud.
Note: The Bring Your Own Key (BYOK) feature is available to customers that are on Advanced or Enterprise Support. Appian customers must purchase Advanced or Enterprise Support to use the functionality described below. The functionality described below is not included in the base Appian platform.
Appian Cloud provides Bring Your Own Key (BYOK) for disk encryption using AWS Key Management System (KMS). This page provides a summary of the offering, along with procedural steps to guide you through the process to take advantage of this feature.
With BYOK, you now have decryption control of the disk that contains your data. You may use your own encryption keys to secure the disk that stores your data within your Appian Cloud environments. Appian Cloud disk encryption functionality supports the use of AWS Key Management Service (KMS) hosted in the region of your Appian Cloud environment(s).
Below, we will give a summary of AWS Key Management Service (KMS), as well as the procedural steps to set up its use.
Amazon's Key Management Service allows you to abstract away the complexity of other BYOK options by exposing the key functionality via an API. For the purposes of Appian Cloud, you may use an AWS Customer Master Key (CMK) in order to control access to your environments.
In this configuration option, Appian Cloud will utilize your AWS CMK in 2 ways:
Appian Cloud leverages the KMS API to generate a data key using your CMK. This data key is used to encrypt your data. All use of the data key to perform encryption operations occurs on the Appian Cloud environments that store your data. Furthermore, invocation of the KMS API to generate the data key and decrypt the data key also occur on the Appian Cloud environments that store your data.
Below is the process of data key generation. As shown in the diagram, upon the migration to a Bring Your Own Key setup, Appian will programmatically generate this data key and subsequently store the encrypted copy in a secure credential store within Appian Cloud.
After the data for your Cloud environment instance(s) has been encrypted, we will decrypt the data on each subsequent startup of your environment.This process is show below:
Steps | Description | Organizational Role |
---|---|---|
Create a support case | Open a support case with Appian Support to enable Bring Your Own Key.
Include the following information:
|
Your Business Relationship Owner |
Generate policy statement | Appian Support will create an IAM User within Appian Cloud that will be used exclusively with your Appian environment. Your technical support contact will provide you with the KMS Key Policy Statement that will need to be added to your created KMS CMK (next step). | Appian Support |
Creation of the KMS CMK |
Once your Advanced or Enterprise support contact has provided a key policy statement, you are set to create the KMS Customer Master Key that will be used with your environment. Engage your AWS Administrator to create this key and add the provided key policy statement to it. You may reference AWS documentation on how to create a CMK and add this policy statement to it.
Below are the constraints for the CMK:
Once the CMK has been created, please post the Amazon Resource Number (ARN) into the Appian Cloud Support Case. |
Your AWS Administrator |
Please follow the prerequisites listed above. Contact Appian Technical Support with any questions.
Yes, BYOK can be configured on existing environments. All data from the existing environment will need to be moved to a new disk that will be encrypted with the new encryption key. Consequently, this requires close coordination with Appian Technical Support during the transition.
Appian Cloud will only store the encrypted Data Encryption Key. If Appian is unable to unwrap/decrypt the Data Encryption Key, Appian won’t be able to decrypt the disk storing your data and the environment will be unavailable.
If the key is lost, all the data, including all backups, would be unrecoverable.
No, decryption of Data Encryption Key(s) is not necessary after the disk is open, which occurs on each startup of your environment. The decrypted Data Encryption Key will remain present in kernel memory for read and write operations.
Use of Amazon's built-in automatic CMK key rotation is supported for the AWS KMS configuration only. This type of rotation maintains access to the old key for decryption regardless of the rotation of the underlying material, and also maintains the same key metadata. Manual key rotation is not supported.
Appian Cloud Disk Encryption