
Data & Storage

Encryption & Tokenization

Encryption and tokenization: protect data at rest, in transit and in use.

Plane
Data & Storage
Flow steps
8
Frameworks
NIST 800-53 · NIST AI 600-1

Technology

Why use it

Make data unreadable outside the authorized context, and replace sensitive data with tokens reversible only by entitled parties.

Why it matters to security

Reduces breach impact: encrypted or tokenized data, if exfiltrated, stays unusable.

Implementations: AES-256 · KMS envelope encryption · Vault Transit · PII tokenization (Skyflow, Protegrity)

Assume the leak: encrypt so stolen data stays silent.

Recommendations by maturity tier


Foundation

Minimum viable baseline
  • Encryption at rest and in transit.
    NIST 800-53 SC-28 · SC-8
    Stored and moving data protected by default.
  • Centralized key management (KMS).
    NIST 800-53 SC-12
    Keys don’t linger in code or configuration.
  • Proven algorithms (AES-256 in an authenticated mode such as GCM, TLS 1.2+).
    NIST 800-53 SC-13
    Rely on validated cryptography (FIPS 140-validated modules where required), not home-grown constructions.

Enterprise

Enterprise standard
  • Tokenization of personal data (PII).
    NIST 800-53 SC-28
    The system handles tokens, not the real data. A token is a random surrogate with no mathematical relation to the value, so the only way back is the mapping held inside the token vault.
  • Scheduled key rotation.
    NIST 800-53 SC-12
    Rotation limits the reach of a compromised key and bounds how much data any one key version protects. With envelope encryption, rotating the key-encryption key means re-wrapping data keys, not re-encrypting the data.
  • Key separation per domain / tenant.
    NIST 800-53 SC-12 · SC-4
    One compromised key does not open everything.
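The centralized KMS, scheduled rotation and per-tenant key separation items come together in envelope encryption. The Go program below is an added example written for this page, not code from any KMS vendor or from this site: `FakeKMS` is a constructed in-process stand-in for a KMS/HSM (a real KEK never leaves the service), the tenant names and sample card number are made up, and AES-256-GCM is used both for the data and for wrapping the data key. It shows one DEK per object wrapped under a per-tenant KEK, a rotation that adds a KEK version, a re-wrap that moves an envelope to the new version without touching the data ciphertext, and a decrypt that fails when an envelope is re-labelled for another tenant.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// FakeKMS: constructed stand-in for a KMS/HSM, tenant -> KEK versions (index+1 = version).
type FakeKMS map[string][][]byte

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to continue rather than weaken a key
	}
	return b
}

// RotateKEK mints a new 256-bit KEK version (SC-12); older versions stay usable for Unwrap.
func (k FakeKMS) RotateKEK(tenant string) int {
	k[tenant] = append(k[tenant], randBytes(32))
	return len(k[tenant])
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are 32 bytes by construction
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// gcmSeal / gcmOpen: AES-256-GCM with a random 96-bit nonce prepended to the ciphertext.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

type Envelope struct {
	Tenant     string
	KEKVersion int
	WrappedDEK []byte // the plaintext DEK is never persisted
	Ciphertext []byte
}

// Wrap seals a DEK under the tenant's current KEK, with the tenant id as AAD so it cannot be re-labelled.
func (k FakeKMS) Wrap(tenant string, dek []byte) (int, []byte, error) {
	vs := k[tenant]
	if len(vs) == 0 {
		return 0, nil, errors.New("no KEK for tenant " + tenant)
	}
	return len(vs), gcmSeal(vs[len(vs)-1], dek, []byte(tenant)), nil
}

func (k FakeKMS) Unwrap(env *Envelope) ([]byte, error) {
	vs := k[env.Tenant]
	if env.KEKVersion < 1 || env.KEKVersion > len(vs) {
		return nil, errors.New("unknown tenant or KEK version")
	}
	return gcmOpen(vs[env.KEKVersion-1], env.WrappedDEK, []byte(env.Tenant))
}

// Encrypt: fresh DEK per object, so a leaked DEK exposes one object and a leaked KEK one tenant (SC-4).
func Encrypt(k FakeKMS, tenant string, plaintext []byte) (*Envelope, error) {
	dek := randBytes(32)
	v, w, err := k.Wrap(tenant, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{Tenant: tenant, KEKVersion: v, WrappedDEK: w, Ciphertext: gcmSeal(dek, plaintext, nil)}, nil
}

func Decrypt(k FakeKMS, env *Envelope) ([]byte, error) {
	dek, err := k.Unwrap(env)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, nil)
}

// Rewrap moves an envelope onto the current KEK after a rotation; the data ciphertext is untouched.
func Rewrap(k FakeKMS, env *Envelope) error {
	dek, err := k.Unwrap(env)
	if err == nil { // Wrap cannot fail once Unwrap has found the tenant
		env.KEKVersion, env.WrappedDEK, err = k.Wrap(env.Tenant, dek)
	}
	return err
}
```

Rotation is cheap here because only the wrapped DEK is rewritten; bulk re-encryption is only needed when a DEK itself is suspected compromised. A production KMS exposes Wrap/Unwrap as service calls (often named Encrypt/Decrypt or GenerateDataKey), which is what keeps the KEK out of application memory and gives the SC-12 audit trail a single place to live.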

Advanced

High-assurance / regulated
  • Encryption in use (enclaves / protected memory).
    NIST 800-53 SC-28(1)
    Data stays protected even during processing, and remote attestation lets key release be conditioned on the enclave running the expected code.
  • HSM for critical keys.
    NIST 800-53 SC-12 · SC-13
    Root keys never leave the hardware.
  • Detokenization subject to authorization (PDP).
    NIST 800-53 AC-24
    Revealing the real data is a logged policy decision.
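The Enterprise tokenization item and the Advanced detokenization item describe one component: a vault that mints tokens freely but reveals values only after a policy decision that is logged either way. The Go program below is an added example for this page, not the API of Skyflow, Protegrity or any other product; `StaticPDP`, its role/purpose rule and the sample e-mail addresses are constructed, and the `PolicyDecisionPoint` interface is where a real engine such as OPA would be attached.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Request carries the attributes the PDP evaluates; Purpose is what turns a
// detokenize call into a justified, auditable decision rather than a lookup.
type Request struct {
	Subject, Role, Purpose, Token string
}

// PolicyDecisionPoint is the seam where OPA, XACML or another engine plugs in.
type PolicyDecisionPoint interface {
	Decide(r Request) (allow bool, reason string)
}

// StaticPDP is a constructed policy: only fraud reviewers, and only for a
// chargeback, may see the clear value. Everyone else keeps working with tokens.
type StaticPDP struct{}

func (StaticPDP) Decide(r Request) (bool, string) {
	if r.Role == "fraud-review" && r.Purpose == "chargeback" {
		return true, "fraud-review/chargeback entitlement"
	}
	return false, "role " + r.Role + " not entitled for purpose " + r.Purpose
}

// Vault holds the only copy of the token <-> value mapping. Tokens are random,
// so nothing about the value can be derived from a token; unlike encryption,
// there is no key that turns tokens back into data outside the vault.
type Vault struct {
	mu      sync.Mutex
	forward map[string]string // value -> token, so a repeated value tokenizes identically
	reverse map[string]string // token -> value; a real vault encrypts this store at rest
	pdp     PolicyDecisionPoint
	audit   []string
}

func NewVault(pdp PolicyDecisionPoint) *Vault {
	return &Vault{forward: map[string]string{}, reverse: map[string]string{}, pdp: pdp}
}

// Tokenize returns the existing token for a value or mints a fresh 128-bit one.
func (v *Vault) Tokenize(value string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.forward[value]; ok {
		return tok, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	v.forward[value], v.reverse[tok] = tok, value
	return tok, nil
}

// Detokenize is the enforcement point (PEP): ask the PDP first, record the
// decision whether it allowed or denied, and only then touch the mapping (AC-24).
// Checking policy before the lookup also keeps unauthorized callers from
// learning whether a token exists at all.
func (v *Vault) Detokenize(r Request) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	allow, reason := v.pdp.Decide(r)
	verdict := "DENY"
	if allow {
		verdict = "ALLOW"
	}
	v.audit = append(v.audit, fmt.Sprintf("%s subject=%s token=%s reason=%q", verdict, r.Subject, r.Token, reason))
	if !allow {
		return "", errors.New("detokenize denied: " + reason)
	}
	value, ok := v.reverse[r.Token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return value, nil
}

// AuditLog returns a copy of the decisions so far (what would be shipped to the SIEM).
func (v *Vault) AuditLog() []string {
	v.mu.Lock()
	defer v.mu.Unlock()
	return append([]string(nil), v.audit...)
}
```

Two details carry the security point: the policy check runs before the token lookup, so an unauthorized caller cannot even learn whether a token exists, and the audit entry is written for denials as well as grants, which is what turns a refused detokenize attempt into a detection signal rather than a silent failure.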

Architecture notes

  • Encryption protects; key management decides.
    A poorly kept key voids all the encryption.
    Invest in KMS/HSM, rotation and key separation as much as in the algorithm.

References

NIST SP 800-53 Rev5
SC-28 (Protection of Information at Rest), SC-8 (Transmission Confidentiality and Integrity), SC-12 (Cryptographic Key Establishment and Management), SC-13 (Cryptographic Protection), SC-4 (Information in Shared System Resources), AC-24 (Access Control Decisions).
NIST AI 600-1
Data confidentiality in generative-AI systems.

Abbreviations

PDP
Policy Decision Point
PEP
Policy Enforcement Point
PII
Personally Identifiable Information
KMS
Key Management Service
NIST
National Institute of Standards and Technology
HSM
Hardware Security Module