Data Encryption and Protection

NopeSight v3 implements comprehensive encryption and data protection measures to ensure your infrastructure data, network discovery information, and configuration items remain secure throughout their entire lifecycle. This document explains the encryption technologies and security controls that protect your data.

Overview

NopeSight employs multiple layers of encryption to protect data:

  • Encryption at Rest: All stored data is encrypted using industry-standard algorithms
  • Encryption in Transit: All data transmission uses TLS/SSL encryption
  • Application-Level Encryption: Sensitive fields receive additional encryption layers
  • Key Management: Secure key storage and rotation using AWS services

Encryption at Rest

Data Storage Details

For complete information about data storage location, encryption key management, and access controls, see Data Storage and Access Control.

Database Encryption

MongoDB Atlas Encryption

NopeSight uses MongoDB Atlas with comprehensive encryption at rest:

Storage-Level Encryption:

  • Algorithm: AES-256-GCM encryption for all data files
  • Key Management: MongoDB Atlas manages encryption keys using AWS Key Management Service (KMS)
  • Region: EU-Central-1 (Frankfurt, Germany)
  • Scope: Encrypts all data files, including:
    • Configuration Items (CIs)
    • Scan data and discovery results
    • User authentication data
    • AI analysis results
    • Event logs and audit trails

Benefits for Customers:

  • Zero configuration required - encryption is enabled by default
  • Automatic key rotation managed by MongoDB Atlas
  • Compliance with SOX, HIPAA, and PCI-DSS encryption requirements
  • Protection against physical media theft or unauthorized access
  • EU data residency for GDPR compliance

For detailed information about encryption keys, key hierarchy, and who can access your data, see Data Storage and Access Control.

Backup Encryption

All database backups are encrypted:

Automated Backups:

  • Encryption: AES-256 encryption applied to all backup files
  • Storage: Encrypted backups stored in AWS S3 with server-side encryption
  • Retention: Encrypted backups retained for 30 days
  • Key Management: Backup encryption keys managed through AWS KMS

Point-in-Time Recovery:

  • All recovery snapshots are encrypted using the same standards
  • Recovery operations maintain encryption integrity
  • No data is exposed in plaintext during recovery processes

File System Encryption

AWS EBS Volume Encryption

Production deployments use encrypted EBS volumes:

Storage Encryption:

  • Algorithm: AES-256 encryption for all EBS volumes
  • Key Management: AWS KMS manages encryption keys with automatic rotation
  • Performance: Minimal performance impact (less than 5% overhead)
  • Scope: Encrypts all application data, logs, and temporary files

Log File Encryption:

  • Application logs stored on encrypted file systems
  • Log rotation maintains encryption standards
  • Archived logs remain encrypted in long-term storage

Application Data Encryption

Sensitive Field Encryption

Critical data fields receive additional application-level encryption:

Encrypted Data Types:

  • User authentication credentials
  • Discovery agent API tokens
  • Third-party integration secrets
  • AI service API keys
  • SNMP community strings
  • SSH private keys and passwords

Encryption Details:

  • Algorithm: AES-256-GCM for authenticated encryption
  • Key Derivation: PBKDF2 with SHA-256 and 10,000 iterations
  • Salt Generation: Cryptographically secure random salts for each field
  • Storage: Encrypted values stored as base64-encoded strings

Encryption in Transit

HTTPS/TLS Encryption

Web Application Security

All web communications use strong TLS encryption:

TLS Configuration:

  • Minimum Version: TLS 1.2 (TLS 1.3 preferred)
  • Cipher Suites: Only strong cipher suites enabled
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES256-GCM-SHA384
  • Certificate Authority: Enterprise-grade SSL certificates
  • Perfect Forward Secrecy: Enabled for all connections

HTTP Security Headers: NopeSight automatically configures essential security headers including Strict Transport Security, Content Security Policy, and protection against common web vulnerabilities.

API Security

REST API endpoints enforce encryption:

API Encryption:

  • All API calls require HTTPS
  • HTTP requests automatically redirected to HTTPS
  • API tokens transmitted only over encrypted connections
  • Response data encrypted during transmission

Database Connection Encryption

MongoDB Atlas Connection Security

Database connections use TLS encryption:

Connection Encryption:

  • Protocol: TLS 1.2/1.3 for all database connections
  • Certificate Validation: Server certificate validation enforced
  • Authentication: SCRAM-SHA-256 authentication over encrypted channels
  • Connection String: SSL parameters enforced in connection configuration

Secure Connection Configuration: All database connections are automatically configured with SSL/TLS encryption, certificate validation, and secure authentication protocols.
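
One way to enforce the connection requirements above before the driver ever opens a socket is to lint the connection string. The check below is an added example, not NopeSight's own code; the option names are the standard MongoDB URI options, while the policy it applies (which options must be present or absent) and the function names are this example's assumptions.

```javascript
// Parse the options part of a MongoDB URI into a Map with lower-cased keys
// (option names are case-insensitive in the MongoDB URI format).
function parseMongoOptions(uri) {
  const opts = new Map();
  const q = uri.indexOf('?');
  if (q !== -1) {
    for (const [k, v] of new URLSearchParams(uri.slice(q + 1))) opts.set(k.toLowerCase(), v);
  }
  return opts;
}

// Return the list of policy violations for a connection string; empty means acceptable.
function checkMongoUri(uri) {
  const problems = [];
  const srv = uri.startsWith('mongodb+srv://');
  if (!srv && !uri.startsWith('mongodb://')) return ['unexpected URI scheme'];
  const o = parseMongoOptions(uri);
  const tls = o.get('tls') ?? o.get('ssl');   // ssl is the legacy alias of tls
  // mongodb+srv:// enables TLS by default; a plain mongodb:// URI must request it explicitly
  if (tls === 'false') problems.push('TLS explicitly disabled');
  else if (!srv && tls !== 'true') problems.push('tls=true missing on mongodb:// URI');
  // any of these turns off the server certificate validation described above
  for (const k of ['tlsallowinvalidcertificates', 'tlsallowinvalidhostnames', 'tlsinsecure']) {
    if (o.get(k) === 'true') problems.push(k + ' weakens certificate validation');
  }
  const mech = o.get('authmechanism');
  if (mech !== undefined && mech !== 'SCRAM-SHA-256') {
    problems.push('authMechanism ' + mech + ' instead of SCRAM-SHA-256');
  }
  return problems;
}
```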

Inter-Service Communication

AWS Service Communication

Communications with AWS services use native encryption:

AWS Bedrock (AI Services):

  • All API calls use HTTPS with AWS SigV4 authentication
  • Request and response payloads encrypted in transit
  • Regional endpoints ensure data locality compliance

AWS Secrets Manager:

  • Secret retrieval uses HTTPS with IAM authentication
  • Secrets transmitted only over encrypted channels
  • Client-side decryption after secure transmission

Redis Communication:

  • Redis connections can be configured with TLS encryption
  • Authentication tokens transmitted over encrypted channels
  • Cluster communication secured in production deployments

Application-Level Security Features

Authentication Security

Password Protection

User passwords receive multi-layer protection:

Password Hashing:

  • Algorithm: bcrypt with adaptive cost factor (currently 12 rounds)
  • Salt: Unique salt generated for each password
  • Storage: Only hashed values stored, never plaintext passwords
  • Resistance: Protection against rainbow table and brute-force attacks

Two-Factor Authentication (2FA)

2FA implementation uses encrypted secret storage:

TOTP Secret Encryption:

  • Algorithm: AES-256-GCM encryption for TOTP secrets
  • Key Derivation: User-specific encryption keys derived from master key
  • Storage: Encrypted secrets stored in database
  • Backup Codes: Hashed using bcrypt before storage

Session Security

JWT Token Security

JSON Web Tokens implement strong security measures:

Token Configuration:

  • Algorithm: HMAC-SHA256 for token signing
  • Secret Key: 256-bit randomly generated secret stored in AWS Secrets Manager
  • Expiration: 24-hour token lifetime to limit exposure
  • Claims: Minimal user information included in token payload

Token Transmission:

  • Tokens transmitted only over HTTPS
  • Secure HTTP-only cookies for web sessions
  • Authorization headers for API access

Discovery Agent Security

Agent Communication

Discovery agents use secure communication protocols:

API Token Authentication:

  • Generation: Cryptographically secure random tokens (256-bit)
  • Storage: Tokens hashed before database storage
  • Transmission: Tokens sent over HTTPS only
  • Rotation: Regular token rotation capability

Scan Data Encryption:

  • Discovery data encrypted during transmission
  • Large scan payloads use compression with encryption
  • Agent authentication verified before data processing

Compliance and Standards

Regulatory Compliance

SOX Compliance (Sarbanes-Oxley)

Encryption features support SOX compliance requirements:

Access Controls:

  • Encryption keys protect financial system access credentials
  • Multi-factor authentication prevents unauthorized access
  • Audit trails encrypted to prevent tampering
  • Privileged user activity monitoring with encrypted logs

HIPAA Compliance (Healthcare)

Healthcare organizations benefit from HIPAA-aligned encryption:

Protected Health Information (PHI):

  • All data encrypted at rest and in transit
  • Access controls prevent unauthorized PHI access
  • Audit logging with encryption integrity
  • Breach notification capabilities

PCI-DSS Compliance (Payment Cards)

Payment card industry requirements addressed:

Cardholder Data Protection:

  • Strong cryptography (AES-256) for data protection
  • Secure key management practices
  • Network transmission encryption
  • Regular security testing and monitoring

Industry Standards

Encryption Standards

NopeSight implements recognized encryption standards:

NIST Compliance:

  • AES-256 encryption algorithms (FIPS 140-2 approved)
  • Key management following NIST SP 800-57 guidelines
  • Cryptographic module standards compliance

ISO 27001 Alignment:

  • Information security management controls
  • Encryption as part of information security framework
  • Risk management with cryptographic controls

Key Management

AWS Key Management Service (KMS)

Encryption Key Hierarchy

NopeSight uses a structured key management approach:

Master Keys:

  • Customer Master Keys (CMK): AWS KMS manages root encryption keys
  • Data Encryption Keys (DEK): Generated for specific encryption operations
  • Key Rotation: Automatic annual rotation of customer master keys
  • Regional Storage: Keys stored in the same AWS region as data

Key Access Controls

Strict access controls govern key usage:

IAM Policies:

  • Principle of least privilege for key access
  • Role-based access to encryption keys
  • Audit logging for all key operations
  • Multi-factor authentication for key administrative operations

Application Key Management

Secret Storage

Application secrets use secure storage:

AWS Secrets Manager:

  • Encryption keys and sensitive configuration stored securely
  • Automatic rotation capabilities for supported secret types
  • IAM-based access controls
  • Audit logging for secret access

Environment Variable Security:

  • Sensitive values loaded from AWS Secrets Manager at runtime
  • No hardcoded secrets in application code or configuration files
  • Container environments use secure secret injection

Monitoring and Auditing

Encryption Monitoring

Key Usage Auditing

All encryption key usage is monitored:

AWS CloudTrail Integration:

  • All KMS key operations logged
  • Secrets Manager access logged
  • API calls for encryption services tracked
  • Anomaly detection for unusual key usage patterns

Application Audit Logs:

  • Encryption/decryption operations logged
  • Failed authentication attempts with encryption details
  • Key rotation events tracked
  • Performance metrics for encryption operations

Security Event Monitoring

Threat Detection

Encryption-related security events are monitored:

Anomaly Detection:

  • Unusual encryption key access patterns
  • Failed decryption attempts
  • Suspicious authentication activity
  • Potential key compromise indicators

Alerting:

  • Real-time alerts for encryption failures
  • Key usage anomaly notifications
  • Certificate expiration warnings
  • Security event correlation with encryption context

Performance Considerations

Encryption Performance

Impact Assessment

Encryption implementation considers performance:

Database Performance:

  • MongoDB Atlas encryption: less than 2% performance impact
  • Query performance maintained with encrypted indexes
  • Backup operations optimized for encrypted data

Application Performance:

  • Field-level encryption: less than 1ms overhead per operation
  • TLS termination optimized at load balancer level
  • Caching strategies account for encryption overhead

Network Performance:

  • TLS encryption: less than 5% bandwidth overhead
  • Compression used with encryption for large payloads
  • Connection pooling optimized for encrypted connections

Disaster Recovery and Encryption

Encrypted Backup Strategy

Backup Encryption

Disaster recovery maintains encryption integrity:

Backup Encryption:

  • All backups encrypted with same standards as production data
  • Encryption keys backed up separately from data
  • Cross-region backup replication maintains encryption
  • Recovery procedures include encryption validation

Recovery Testing:

  • Regular recovery tests verify encryption integrity
  • Key recovery procedures tested quarterly
  • End-to-end encryption validation during recovery
  • Documentation updated based on recovery test results

Customer Benefits

Security Assurance

Data Protection Guarantees

Customers receive comprehensive data protection:

Zero-Configuration Security:

  • Encryption enabled by default for all customers
  • No additional setup required for basic encryption
  • Automatic security updates and patches
  • Transparent encryption key management

Compliance Support:

  • Built-in compliance with major regulatory frameworks
  • Audit documentation available for compliance reviews
  • Security certifications and attestations provided
  • Regular security assessments and updates

Business Benefits

Risk Mitigation:

  • Protection against data breaches and unauthorized access
  • Reduced compliance burden with built-in encryption
  • Insurance and liability benefits from strong security posture
  • Customer trust through demonstrated security commitment

Operational Efficiency:

  • No performance degradation from security measures
  • Simplified security management with automated encryption
  • Reduced IT overhead for security implementation
  • Focus on core business while security is handled transparently

Security Commitment: NopeSight is committed to providing enterprise-grade encryption and data protection. All encryption implementations are regularly reviewed and updated to maintain the highest security standards and compliance requirements.