Encryption at rest
Platform: Azure Databricks
Our threat model is defined here [add link to your internal threat model].
Analytical data may contain sensitive data that needs to be protected from attackers.
We store analytical domain data and data products only on Storage Accounts, which have encryption at rest enabled by default.
We use Microsoft-managed encryption keys (MMK).
- Data on disk is encrypted with AES-256.
- Read and write performance may decrease.
- Encryption and decryption are handled transparently by the platform, with no negative effects on developer experience.
- Customer-managed keys (CMK) for Azure storage accounts
- Application level encryption for every data product with custom encryption keys
- No encryption at rest for noncritical data.
- Data platform guarantees encryption at rest
- Nothing to be done: encryption at rest is enabled in all Azure Storage Accounts by default.