Corporate policies, industry standards, and national and international regulations may all require you to protect the privacy and integrity of the data you handle. Encryption uses mathematical techniques to scramble data so that it is meaningless if observed by someone who lacks the necessary key to decrypt it.
There are two main areas that are crucial to protect from attackers:
Confluent Cloud encrypts your data at rest by default and provides Transport Layer Security (TLS) or TLS 1.2 encryption for your data in motion. In addition to these built-in security features, Confluent Cloud also provides the ability to bring your own key (BYOK) for data at rest, and secure networking options including VPC or VNet peering, AWS PrivateLink and Azure Private Link, AWS Transit Gateway, and Google Cloud Private Service Connect.
For more information on the available secure networking options, see the Confluent Cloud Networking Course.
BYOK can be a powerful tool for ensuring the security of your data at rest. It addresses three main concerns for organizations:
That said, it’s important to keep in mind that BYOK has some limitations and important considerations:
BYOK will encrypt all the data associated with that cluster, so your tiered storage, ksqlDB, and the like, will be encrypted with BYOK.
Confluent provides the BYOK service at no extra cost. You will see a small charge for API access to the cloud provider’s KMS on your AWS or GCP invoice. At the time of publishing, the cost is somewhere around 3 cents US per 10,000 API calls.
You will not see any significant reduction in performance with BYOK-enabled clusters. You will need to make sure that the keys you provide to Confluent Cloud are symmetric; asymmetric keys won’t work.
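The symmetric-key requirement can be checked before a key is handed over. The following is an added example, not Confluent's code: a preflight over the JSON that AWS KMS `DescribeKey` returns. The function name `byok_preflight` and the sample documents are constructed for illustration, and the checks on key usage, state, and manager are assumptions beyond what this page states.

```python
import json

# Constructed samples in the shape of `aws kms describe-key` output.
# The key IDs are placeholders, not values from a real account.
SYMMETRIC_KEY = json.dumps({"KeyMetadata": {
    "KeyId": "00000000-0000-0000-0000-000000000001",
    "KeyManager": "CUSTOMER", "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT", "KeySpec": "SYMMETRIC_DEFAULT"}})
RSA_KEY = json.dumps({"KeyMetadata": {
    "KeyId": "00000000-0000-0000-0000-000000000002",
    "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
    "KeyUsage": "SIGN_VERIFY", "KeySpec": "RSA_2048"}})


def byok_preflight(describe_key_json):
    """Return a list of problems; an empty list means the key passes."""
    try:
        meta = json.loads(describe_key_json)["KeyMetadata"]
    except (ValueError, KeyError, TypeError):
        meta = None
    if not isinstance(meta, dict):
        return ["input is not a DescribeKey response"]

    problems = []
    # Requirement stated on the page: the key must be symmetric.
    # Older responses carry the spec in CustomerMasterKeySpec instead.
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec")
    if spec != "SYMMETRIC_DEFAULT":
        problems.append(f"KeySpec {spec!r} is not a symmetric encryption key")
    # Assumptions added for this example (not stated on the page):
    if meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append(f"KeyUsage {meta.get('KeyUsage')!r} cannot encrypt data")
    if meta.get("KeyState") != "Enabled":
        problems.append(f"KeyState {meta.get('KeyState')!r} is not Enabled")
    if meta.get("KeyManager") != "CUSTOMER":
        problems.append("key is not customer managed")
    return problems


if __name__ == "__main__":
    for name, doc in (("symmetric", SYMMETRIC_KEY), ("rsa", RSA_KEY)):
        issues = byok_preflight(doc)
        print(name, "OK" if not issues else issues)
```

To run it against a real key, pass in the output of `aws kms describe-key --key-id <your-key-arn> --output json`.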