How is our data secured and encrypted in Zero-X?

Zero-X employs multiple layers of encryption and security measures to protect your data

Edit Content

Encryption Process

1. Key Generation: Encryption keys are derived from secure environment variables using SHA-256 hashing
2. Initialization Vector (IV): Each encryption operation uses a unique, randomly generated 16-byte IV
3. Authentication Tag: GCM mode provides built-in authentication to detect tampering
4. Storage Format: Encrypted data is stored in the format: IV:encryptedData:authTag

Key Management

1. Production Requirements: Production environments require a secure, hex-encoded 32-byte encryption key
2. Key Storage: Encryption keys are stored separately from encrypted data in secure environment variables
3. Key Rotation: Encryption keys can be rotated following secure procedures
4. Key Access: Encryption keys are only accessible to the application and are never exposed in logs or error messages

Sensitive Data Encryption

1. Algorithm: AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode)
2. What’s Encrypted: All sensitive credentials including:
AWS access keys and secret keys
GCP service account credentials
Azure client IDs and client secrets
GitHub/GitLab/Bitbucket access tokens
Docker Hub credentials
Wazuh API keys and passwords
Database passwords and authentication tokens
Edit Content

TLS/SSL Encryption

1. Protocol: All network communications use TLS 1.2 or higher
2. Certificate Management: Valid SSL/TLS certificates ensure secure connections
3. API Communications: All API requests and responses are encrypted
4. Database Connections: Database connections use encrypted channels
5. Cloud Provider APIs: All communications with cloud provider APIs use HTTPS

Secure Protocols

1. HTTPS: All web traffic is encrypted using HTTPS
2. Secure WebSockets: Real-time communications use secure WebSocket connections (WSS)
3. VPN Support: Support for VPN connections when required
Edit Content

Application-Level Security

1. Input Validation: All user inputs are validated and sanitized
2. Output Encoding: All outputs are properly encoded to prevent injection attacks
3. Session Security: Secure session management with encrypted session tokens
4. Authentication: Strong authentication mechanisms with optional MFA

Database-Level Security

1. Connection Encryption: Database connections are encrypted
2. Query Parameterization: All database queries use parameterized statements
3. Access Controls: Database access is restricted to authorized application components
4. Audit Logging: All database operations are logged for security auditing

Infrastructure Security

1. Network Segmentation: Network-level isolation between components
2. Firewall Rules: Strict firewall rules control network access
3. Intrusion Detection: Monitoring for suspicious network activity
4. DDoS Protection: Protection against distributed denial-of-service attacks
Edit Content

Multi-Tenant Security

1. Organization Isolation: All data is isolated by organization ID at the database level
2. Encryption Per Organization: Each organization’s data is encrypted independently
3. No Cross-Access: Technical safeguards prevent cross-organization data access
4. Secure Deletion: When organizations are deleted, all associated encrypted data is securely purged
Edit Content

Encryption Standards

1. AES-256: Industry-standard encryption algorithm approved for government and enterprise use
2. GCM Mode: Provides both confidentiality and authenticity (integrity protection)
3. FIPS 140-2: Encryption implementation follows FIPS 140-2 guidelines where applicable

Security Best Practices

1. Defense in Depth: Multiple layers of security controls
2. Least Privilege: Minimum necessary access to data
3. Regular Audits: Regular security audits and assessments
4. Incident Response: Comprehensive incident response procedures
Edit Content

Data Access

1. You Control Connections: You decide which data sources to connect
2. You Control Access: You manage user access within your organization
3. You Control Deletion: You can disconnect data sources and request data deletion at any time
4. Transparency: You can view what data is being collected through the dashboard

Encryption Verification

1. Encrypted Storage: All sensitive credentials are stored in encrypted format
2. No Plain Text: Sensitive data is never stored in plain text
3. Secure Transmission: All data transmission uses encrypted channels
4. Audit Trail: All encryption/decryption operations are logged for auditing

Summary

Your data in Zero-X is protected by:

  •  AES-256-GCM encryption for all sensitive data at rest
  •  TLS 1.2+ encryption for all data in transit
  •  Secure key management with separate key storage
  •  Multi-tenant isolation preventing cross-organization access
  •  Industry-standard encryption algorithms and practices
  •  Comprehensive security controls and monitoring