0

I have .NET Core Web API microservices with MS SQL and elastic search(NoSql). I want to encrypt PII(Personal Identifiable Information) both in Elasticsearch and MS SQL database. Which is better option to use .NET data protection API or always encrypted?.

If I use always encrypted then it will only work with MS SQL. Elastic search + logging will require handling it separately so is it better to encrypt in API using data protection API?.

Documents say that data protection API is only meant for temporary data. Is there any other better way to protect data other than above too?

Any common pattern or strategy for this?

jaspreet chahal
  • 8,817
  • 2
  • 11
  • 29

1 Answers1

0

Depending on your company's industry and internal policy, you might be required to encrypt data AT REST as well as IN MOTION.

Logging PII should be strictly banned. Only log account's internal IDs that can not identify a user, dont log usernames/userids, just account id. Do not log account numbers etc.

As an alternate to elastic search, you could break down the PII data points in to multiple systems to avoid any one system's compromise leading to PII leak.

ullfindsmit
  • 279
  • 1
  • 5
  • 20