Appian Cloud Disk Encryption

Overview

Disk encryption protects information stored on computer disks by encrypting every bit of data. It transforms human-readable information on the drive to unreadable, seemingly randomized characters. If an encrypted disk is lost or stolen, the disk remains encrypted, and only authorized users are able to access and decipher its contents.

This page provides information about standard disk encryption for Appian Cloud. It also documents the Bring Your Own Key (BYOK) feature for Advanced or Enterprise Support customers who want to manage their own encryption keys.

Appian Cloud also offers database encryption for customers who want to add an extra layer of encryption at the database level.

Appian Cloud standard disk encryption

Appian uses full disk encryption in Appian Cloud. Data at rest is protected for Appian Cloud environments at the disk level using industry standard algorithms, such as AES, at key lengths considered to be strong for that algorithm. For example, 128-bit or 256-bit.

Disk encryption covers all data stored on disk in Appian by all Appian features. All the disks that contain your data will be encrypted and their encryption keys stored in a secured location within Appian Cloud.

Bring Your Own Key for Advanced or Enterprise Support customers

Appian Cloud provides Bring Your Own Key (BYOK) for disk encryption using AWS Key Management System (KMS). This page provides a summary of the offering, along with procedural steps to guide you through the process to take advantage of this feature.

With BYOK, you now have decryption control of the disk that contains your data. You may use your own encryption keys to secure the disk that stores your data within your Appian Cloud environments. Appian Cloud disk encryption functionality supports the use of AWS Key Management Service (KMS) hosted in the region of your Appian Cloud environment(s).

Below, we will give a summary of AWS Key Management Service (KMS), as well as the procedural steps to set up its use.

AWS Key Management Service (KMS)

Amazon's Key Management Service allows you to abstract away the complexity of other BYOK options by exposing the key functionality via an API. For the purposes of Appian Cloud, you may use an AWS Customer Master Key (CMK) in order to control access to your environments.

Architecture

In this configuration option, Appian Cloud will utilize your AWS CMK in 2 ways:

1. Generating the Data Key to use for encryption of your data.
2. Decrypting the generated data key.

Appian Cloud leverages the KMS API to generate a data key using your CMK. This data key is used to encrypt your data. All use of the data key to perform encryption operations occurs on the Appian Cloud environments that store your data. Furthermore, invocation of the KMS API to generate the data key and decrypt the data key also occur on the Appian Cloud environments that store your data.

Below is the process of data key generation. As shown in the diagram, upon the migration to a Bring Your Own Key setup, Appian will programmatically generate this data key and subsequently store the encrypted copy in a secure credential store within Appian Cloud.

After the data for your Cloud environment instance(s) has been encrypted, we will decrypt the data on each subsequent startup of your environment.This process is show below:

Steps

Steps	Description	Organizational Role
Create a support case	Open a support case with Appian Support to enable Bring Your Own Key. Include the following information: Configuration option: AWS KMS	Your Business Relationship Owner
Generate policy statement	Appian Support will create an IAM User within Appian Cloud that will be used exclusively with your Appian environment. Your technical support contact will provide you with the KMS Key Policy Statement that will need to be added to your created KMS CMK (next step).	Appian Support
Creation of the KMS CMK	Once your Advanced or Enterprise support contact has provided a key policy statement, you are set to create the KMS Customer Master Key that will be used with your environment. Engage your AWS Administrator to create this key and add the provided key policy statement to it. You may reference AWS documentation on how to create a CMK and add this policy statement to it. Below are the constraints for the CMK: Must be Symmetric Must be created in the same AWS region as your Appian Cloud Environment The Key Policy statement will give us permission to utilize your key in order to generate data keys and run decryption operations. Once the CMK has been created, please post the Amazon Resource Number (ARN) into the Appian Cloud Support Case.	Your AWS Administrator

F.A.Q.

How can I enable BYOK on my environments?

Please follow the prerequisites listed above. Contact Appian Technical Support with any questions.

Can BYOK be used on existing environments?

Yes, BYOK can be configured on existing environments. All data from the existing environment will need to be moved to a new disk that will be encrypted with the new encryption key. Consequently, this requires close coordination with Appian Technical Support during the transition.

Does Appian keep a copy of your encryption key?

Appian Cloud will only store the encrypted Data Encryption Key. If Appian is unable to unwrap/decrypt the Data Encryption Key, Appian won’t be able to decrypt the disk storing your data and the environment will be unavailable.

What happens if the key is lost?

If the key is lost, all the data, including all backups, would be unrecoverable.

Does Appian request decryption of the data key(s) for every read/write operations?

No, decryption of Data Encryption Key(s) is not necessary after the disk is open, which occurs on each startup of your environment. The decrypted Data Encryption Key will remain present in kernel memory for read and write operations.

Is key rotation supported?

Use of Amazon's built-in automatic CMK key rotation is supported for the AWS KMS configuration only. This type of rotation maintains access to the old key for decryption regardless of the rotation of the underlying material, and also maintains the same key metadata. Manual key rotation is not supported.

Feedback