Topic 2: Data Protection and Secrets Management
⏱️ Estimated time: 2-3 days
Data is the most valuable asset in your cloud environment. Before you secure your Journal API's data, you need to understand encryption, key management, and secrets management fundamentals.
📚 Learning Path
Learning Objectives
By the end of this topic, you will understand:
- Encryption at rest vs encryption in transit
- Symmetric vs asymmetric encryption
- Key management best practices
- Secrets management and why it matters
- Data classification and sensitivity levels
- Common data security mistakes and how to avoid them
Core Learning Resources
1. Read: Encryption Fundamentals
Start with these foundational resources:
- Encryption at Rest vs In Transit - Google Cloud guide
- AWS Key Management Service Concepts
- Azure Key Vault Overview
2. Watch: Data Protection in the Cloud
- Encryption in the Cloud Explained (20 minutes)
- AWS KMS Deep Dive (45 minutes)
- Secrets Management Best Practices (30 minutes)
3. Learn: Data Security Best Practices
- OWASP Top 10 for APIs - Focus on data exposure issues
- NIST Cybersecurity Framework - Protect
Key Concepts to Master
Encryption Types
Encryption at Rest:
- Protects data stored in databases, file systems, or object storage
- Uses symmetric encryption (same key for encrypt/decrypt)
- Managed by cloud providers automatically in most cases
Encryption in Transit:
- Protects data moving between systems (API calls, database connections)
- Uses TLS (SSL is its deprecated predecessor; the names are often used interchangeably)
- Essential for any web application
Key Management
Customer-Managed Keys vs Provider-Managed Keys:
- Provider-managed: Cloud provider handles all key operations (easier)
- Customer-managed: You control key rotation and access policies (more control, more responsibility)
Key Rotation:
- Regularly changing encryption keys to limit exposure
- Can be automated by cloud key management services
- Critical for long-term security
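The mechanics behind key rotation are easiest to see with signing keys. The following is an added example (not part of the original topic page, and not the code of any cloud KMS): every token carries the id of the key that signed it, so the verifier can keep several keys active at once. New tokens are issued with the newest key, tokens signed under an older key still verify during the grace period, and retiring a key invalidates everything it signed. The `KeyRing`, `issue` and `verify` names and the key material are constructed for this example; in a real deployment the keys would live in a KMS or secrets manager and the ring would only hold references to them.

```python
"""Key rotation with versioned HMAC signing keys, standard library only."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class KeyRing:
    # key id -> key bytes, oldest first; 'current' is the key used for issuing
    keys: Dict[str, bytes] = field(default_factory=dict)
    current: Optional[str] = None

    def rotate(self, key_id: str, key: Optional[bytes] = None) -> None:
        """Add a new key and make it the one used for issuing new tokens."""
        if key_id in self.keys:
            raise ValueError(f"key id {key_id!r} already exists")
        # constructed key material; a real system would fetch it from a KMS
        self.keys[key_id] = key if key is not None else secrets.token_bytes(32)
        self.current = key_id

    def retire(self, key_id: str) -> None:
        """Drop a key; every token it signed stops verifying."""
        if key_id == self.current:
            raise ValueError("rotate to a new key before retiring the current one")
        self.keys.pop(key_id, None)


def _sign(key: bytes, key_id: str, payload: str) -> str:
    # the key id is bound into the MAC so a signature cannot be replayed under
    # a different key id
    mac = hmac.new(key, f"{key_id}.{payload}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue(ring: KeyRing, payload: str) -> str:
    """Issue a token of the form 'key_id.payload.signature' under the current key."""
    if ring.current is None:
        raise RuntimeError("key ring has no current key")
    if "." in payload:
        raise ValueError("payload must not contain '.'")
    sig = _sign(ring.keys[ring.current], ring.current, payload)
    return f"{ring.current}.{payload}.{sig}"


def verify(ring: KeyRing, token: str) -> Optional[str]:
    """Return the payload if the token verifies under an active key, else None."""
    try:
        key_id, payload, sig = token.split(".")
    except ValueError:
        return None
    key = ring.keys.get(key_id)
    if key is None:  # unknown or already retired key
        return None
    expected = _sign(key, key_id, payload)
    # constant-time comparison so timing does not reveal where the mismatch is
    if not hmac.compare_digest(expected, sig):
        return None
    return payload


if __name__ == "__main__":
    ring = KeyRing()
    ring.rotate("v1")
    old = issue(ring, "user=42")
    ring.rotate("v2")                      # new tokens now use v2 ...
    new = issue(ring, "user=42")
    assert verify(ring, old) == "user=42"  # ... while v1 tokens still verify
    ring.retire("v1")
    assert verify(ring, old) is None       # until v1 is retired
    assert verify(ring, new) == "user=42"
    print("rotation demo ok")
```

The same pattern (key id stored next to the ciphertext, several keys active, oldest retired after re-encryption) is what cloud key management services automate for encryption keys; the part they cannot automate is deciding how long the grace period for the old key should be.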
Secrets Management
What Are Secrets:
- Database passwords
- API keys
- Certificates
- OAuth tokens
- Any sensitive configuration data
Why Secrets Management Matters:
- Prevents hardcoding credentials in code
- Enables automatic rotation
- Provides audit trails of secret access
- Centralizes sensitive configuration
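To make those four points concrete, here is an added example of a small secrets-access layer (not code from the original page, and not the SDK of any of the services named below): credentials are fetched by name from a single store instead of being written into the source, every read is recorded in an audit trail with the calling component, a missing secret fails fast instead of falling back to a default, and the returned value is wrapped so it is never printed or logged by accident. The `SecretStore`, `Secret`, `database_url` and `scrub` names are assumptions for this example; the backend reads from a dictionary standing in for the environment a secrets manager would inject into a container, and the same interface could be backed by AWS Secrets Manager, Azure Key Vault, Google Secret Manager or HashiCorp Vault.

```python
"""Minimal secrets-access layer: central lookup, audit trail, redaction."""
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional


class Secret:
    """Holds a secret value but refuses to show it in repr/str/log output."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Explicit call required to get the raw value."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


@dataclass
class AuditEvent:
    ts: float
    name: str
    caller: str
    found: bool


@dataclass
class SecretStore:
    # backend maps a secret name to its value (or None); the process
    # environment is the default because that is how most secrets managers
    # hand values to a running service
    backend: Callable[[str], Optional[str]] = os.environ.get
    audit_log: List[AuditEvent] = field(default_factory=list)

    def get(self, name: str, caller: str) -> Secret:
        value = self.backend(name)
        self.audit_log.append(AuditEvent(time.time(), name, caller, value is not None))
        if not value:
            # fail fast: a missing secret must never silently become a default
            raise KeyError(f"secret {name!r} is not configured")
        return Secret(value)


def database_url(store: SecretStore) -> Secret:
    """Build a DSN from the store; the password never appears in source."""
    host = os.environ.get("DB_HOST", "localhost")  # hostname is not a secret
    pw = store.get("DB_PASSWORD", caller="journal-api.db").reveal()
    return Secret(f"postgresql://journal:{pw}@{host}/journal")


def scrub(text: str, known: Iterable[Secret]) -> str:
    """Replace any known secret value in a log line before it is written."""
    for s in known:
        text = text.replace(s.reveal(), "[REDACTED]")
    return text


if __name__ == "__main__":
    # constructed backend standing in for injected environment variables
    store = SecretStore(backend={"DB_PASSWORD": "constructed-pw-123"}.get)
    dsn = database_url(store)
    print(dsn)                                  # Secret(<redacted>)
    print(scrub(f"connecting with {dsn.reveal()}", [dsn]))
    for ev in store.audit_log:
        print(f"{ev.name} read by {ev.caller} (found={ev.found})")
```

The audit log here is an in-memory list; a managed secrets service writes the equivalent events to its own access log, which is where an incident responder would look to see which component read a credential and when.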
Data Classification
- Public: No risk if disclosed (marketing materials)
- Internal: Low risk if disclosed (internal documentation)
- Confidential: Moderate risk if disclosed (customer data)
- Restricted: High risk if disclosed (payment information, personal data)
🧪 Test Your Knowledge
Use an AI assistant to test your understanding. Here are example prompts:
- "Quiz me on the difference between encryption at rest and encryption in transit"
- "Ask me to explain symmetric vs asymmetric encryption with examples"
- "Test my knowledge of when to use customer-managed vs provider-managed keys"
- "Quiz me on secrets management best practices"
- "Ask me about data classification levels and how to apply them"
- "Test my understanding of key rotation and why it's important"
- "Quiz me on common data security mistakes in cloud applications"
- "Ask me about the difference between hashing and encryption"
Additional Resources (Optional)
Cloud Provider Documentation
Security Tools and Services
- AWS Secrets Manager
- Azure Key Vault
- Google Secret Manager
- HashiCorp Vault (open source option)
Practice Resources
- CryptoHack - Learn cryptography through challenges
- Over The Wire - Cryptography wargames
Next Steps
Once you feel confident with data protection concepts, move on to Topic 3.
✅ Topic Checklist
Before moving on, make sure you have:
- Understood encryption at rest vs in transit
- Learned symmetric vs asymmetric encryption
- Understood key management best practices
- Learned secrets management fundamentals
- Understood data classification levels
- Reviewed cloud provider encryption documentation