When integrating new technologies into an enterprise environment, ensuring data security is paramount. Akumina's platform is designed with a layered security approach, emphasizing encryption, identity management, and trusted cloud infrastructure to safeguard business information.
Akumina leverages Azure Storage Service Encryption (SSE) to protect data at rest within Azure datacenters. This encryption occurs automatically as data is written and is seamlessly decrypted during access. Encryption can be configured via:
Microsoft-managed keys: Enabled by default and managed by Azure, this option provides a simple, fully automated encryption solution.
Customer (Akumina)-managed keys in Azure Key Vault: Offers greater control, allowing customers to manage key rotation and access policies. This option does not allow Akumina customers to bring their own key to encrypt any portion of the Akumina Cloud (the Akumina SaaS storage platform); the key is managed by Akumina for all storage data within the cloud.
Customer-managed keys on customer-controlled hardware (HSM): Provides the highest level of control, with keys stored in customer-owned hardware security modules. This option is only supported in Akumina-configured single-tenant environments or self-hosted environments. Customers can manage these configurations directly via the Azure portal or programmatically through Azure APIs.
Akumina ensures the secure transmission of data by configuring all in-transit communications to use Transport Layer Security (TLS) version 1.2 or higher. This includes communications between the Akumina AppManager, Service Hub, and any integrated services such as Microsoft Graph or third-party APIs. By enforcing TLS 1.2 or above, Akumina protects data against eavesdropping, tampering, and message forgery, aligning with modern enterprise security standards and compliance requirements.
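The following is an added example, not Akumina's code, showing what "TLS 1.2 or higher" means at the handshake: a server whose minimum version is TLS 1.2 refuses a client that can only speak TLS 1.0/1.1 while still negotiating TLS 1.2 or TLS 1.3 with modern clients. The exchange runs over an in-memory pipe with a self-signed certificate generated on the fly (both constructed for the example), so it needs no network. On the platform side the equivalent control for a storage account is its minimum TLS version setting (for example `az storage account update --min-tls-version TLS1_2`); the Go code here is only a generic illustration of the policy, not of how Akumina configures it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerTLSConfig expresses the policy the page describes: TLS 1.2 is the floor.
// Newer versions (TLS 1.3) remain allowed; 1.0 and 1.1 are refused at the handshake.
func ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{cert},
		// Disabled only so the in-memory pipe below stays strictly request/response
		// (no post-handshake NewSessionTicket); a real deployment can leave tickets on.
		SessionTicketsDisabled: true,
	}
}

// selfSignedCert builds a throwaway certificate for "localhost" so the exchange runs
// offline. It is constructed here for the example and is not an Akumina artifact.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake runs one in-memory handshake between the enforcing server and a client whose
// newest supported version is clientMax. It returns the negotiated version, or the error
// either side reported.
func Handshake(clientMax uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(5 * time.Second) // turn any stall into an error, not a hang
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, ServerTLSConfig(cert)).Handshake() }()

	client := tls.Client(cliConn, &tls.Config{
		MinVersion: tls.VersionTLS10, // deliberately lax: models a legacy client
		MaxVersion: clientMax,
		RootCAs:    pool,
		ServerName: "localhost",
	})
	cliErr := client.Handshake()
	if err := <-srvErr; err != nil {
		return 0, fmt.Errorf("server rejected handshake: %w", err)
	}
	if cliErr != nil {
		return 0, fmt.Errorf("client handshake failed: %w", cliErr)
	}
	return client.ConnectionState().Version, nil
}

func main() {
	for _, c := range []struct {
		name string
		max  uint16
	}{{"TLS 1.1 client", tls.VersionTLS11}, {"TLS 1.2 client", tls.VersionTLS12}, {"TLS 1.3 client", tls.VersionTLS13}} {
		if ver, err := Handshake(c.max); err != nil {
			fmt.Printf("%s: refused (%v)\n", c.name, err)
		} else {
			fmt.Printf("%s: negotiated 0x%04x\n", c.name, ver)
		}
	}
}
```

The rejection happens before any application data is exchanged: the server answers the legacy ClientHello with a protocol_version alert, so a downgrade to a version without modern cipher suites is never possible, which is the property the TLS 1.2 floor is meant to give.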
For client-side data encryption, Akumina uses industry-standard algorithms such as AES-256 to protect data before it is transmitted to Azure Storage. This encryption applies specifically to sensitive information, including session-related data such as access tokens or authentication artifacts. By encrypting these elements on the client side, Akumina adds an additional layer of security that ensures only authorized users and systems can access critical information, even before it reaches the storage layer.
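As an added example (not Akumina's implementation), the block below shows the client-side pattern the two preceding paragraphs describe: a session token is encrypted with AES-256-GCM before it is handed to storage, the object name is bound into the authenticated data so a ciphertext cannot be silently moved to another object, and a key id travels with the ciphertext so that a key rotation of the kind mentioned for Key Vault-managed keys does not break objects written under the previous key. The Keyring type, the key ids, the object names and the token text are all constructed for this example; in a deployment the keys would come from Azure Key Vault rather than be generated locally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	keyLen    = 32 // AES-256 requires a 32-byte key
	headerLen = 4  // key id, big-endian uint32, stored in front of the nonce
)

// Keyring is the client's view of its data-encryption keys (hypothetical structure for
// this example). Current names the key used for new writes; earlier ids stay resident so
// objects sealed before a rotation still open.
type Keyring struct {
	Current uint32
	Keys    map[uint32][]byte
}

// NewKeyring starts a keyring with one freshly generated key (id 1).
func NewKeyring() (*Keyring, error) {
	k := &Keyring{Keys: map[uint32][]byte{}}
	_, err := k.Rotate()
	return k, err
}

// Rotate installs a new key as Current. Existing ciphertexts are untouched and keep
// decrypting under their original key until Retire drops it.
func (k *Keyring) Rotate() (uint32, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	k.Current++
	k.Keys[k.Current] = key
	return k.Current, nil
}

// Retire removes a key; anything still sealed under it becomes unrecoverable.
func (k *Keyring) Retire(id uint32) { delete(k.Keys, id) }

// newGCM refuses anything but a 256-bit key so a shorter key cannot silently downgrade
// the cipher to AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the ciphertext to the key id and the object name it is stored under.
func aad(id uint32, name string) []byte {
	a := make([]byte, headerLen, headerLen+len(name))
	binary.BigEndian.PutUint32(a, id)
	return append(a, name...)
}

// Seal encrypts plaintext with AES-256-GCM before it leaves the client.
// Layout: keyID(4) || nonce(12) || ciphertext || tag(16).
func (k *Keyring) Seal(name string, plaintext []byte) ([]byte, error) {
	key, ok := k.Keys[k.Current]
	if !ok {
		return nil, fmt.Errorf("current key %d missing from keyring", k.Current)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, headerLen+gcm.NonceSize(), headerLen+gcm.NonceSize()+len(plaintext)+gcm.Overhead())
	binary.BigEndian.PutUint32(out, k.Current)
	nonce := out[headerLen:]
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per object; never reused with one key
		return nil, err
	}
	return gcm.Seal(out, nonce, plaintext, aad(k.Current, name)), nil
}

// Open reverses Seal. A changed header, nonce, body, tag or object name fails the GCM
// authentication check and returns an error instead of corrupted plaintext.
func (k *Keyring) Open(name string, blob []byte) ([]byte, error) {
	if len(blob) < headerLen+12 {
		return nil, errors.New("blob too short to carry a key id and nonce")
	}
	id := binary.BigEndian.Uint32(blob)
	key, ok := k.Keys[id]
	if !ok {
		return nil, fmt.Errorf("key %d not available (retired or unknown)", id)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := blob[headerLen : headerLen+gcm.NonceSize()]
	body := blob[headerLen+gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, aad(id, name))
}

func main() {
	kr, _ := NewKeyring()
	blob, _ := kr.Seal("session/user42", []byte("constructed-access-token")) // constructed sample
	fmt.Printf("stored %d bytes under key %d\n", len(blob), kr.Current)
	if _, err := kr.Open("session/user99", blob); err != nil {
		fmt.Println("ciphertext moved to another object name:", err)
	}
}
```

Server-side encryption (SSE) is transparent to this code: the blob written to storage is the already-encrypted output of Seal, and Azure encrypts it again at rest, which is the layered arrangement the next paragraph refers to. The nonce is the usual operational risk with GCM: it is generated fresh per object here, and the key id header is what makes rotation safe, because the client never has to guess which key an old object was written under.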
Akumina supports combining client-side and server-side encryption. This layered approach ensures data remains encrypted during transit, storage, and access. However, administrators should consider the performance overhead of the additional encryption operations when designing their security configurations. The following diagram illustrates how these encryption layers are combined.
For detailed guidance on configuring customer-managed keys for Azure Storage and Azure Cosmos DB encryption, please refer to the official Microsoft documentation:
Customer-managed keys for Azure Storage encryption: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
Customer-managed keys for Azure Cosmos DB: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-customer-managed-keys