Lineup Security

Data Encryption

Data encryption in transit is handled via our Amazon Web Services Certificate Manager TLS certificate. We are using the most recent security policy, ELBSecurityPolicy-TLS-1-2-2017-01 (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html), which only allows TLSv1.2 protocol requests. When server order preference is enabled, the load balancer uses the ciphers in the order that they are specified in the table to negotiate connections between the client and load balancer. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client, excluding unsupported ciphers.
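
A configuration check for the policy described above, as an added example that is not Lineup's own code: it audits the attributes of a Classic Load Balancer SSL negotiation policy for TLSv1.2-only operation and server cipher order. The input is a constructed sample in the shape of `aws elb describe-load-balancer-policies` output; the function names and the policy name are hypothetical.

```python
import json

# Constructed, trimmed sample in the shape returned by
# `aws elb describe-load-balancer-policies`; not captured from a real account.
SAMPLE = json.loads("""
{"PolicyDescriptions": [{
  "PolicyName": "example-tls-policy",
  "PolicyTypeName": "SSLNegotiationPolicyType",
  "PolicyAttributeDescriptions": [
    {"AttributeName": "Reference-Security-Policy",
     "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"},
    {"AttributeName": "Protocol-TLSv1",   "AttributeValue": "false"},
    {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "false"},
    {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
    {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"},
    {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"}
  ]}]}
""")

ALLOWED_PROTOCOLS = {"Protocol-TLSv1.2"}


def audit_policy(policy):
    """Return a list of findings for one SSL negotiation policy (empty = OK)."""
    # Keep only boolean attributes (protocols, ciphers, options).
    attrs = {a["AttributeName"]: a["AttributeValue"] == "true"
             for a in policy["PolicyAttributeDescriptions"]
             if a["AttributeValue"] in ("true", "false")}
    findings = []
    enabled = {n for n, on in attrs.items() if n.startswith("Protocol-") and on}
    for proto in sorted(enabled - ALLOWED_PROTOCOLS):
        findings.append(f"{proto} is enabled")
    if not enabled & ALLOWED_PROTOCOLS:
        findings.append("Protocol-TLSv1.2 is not enabled")
    # Without server order preference the client's cipher order wins.
    if not attrs.get("Server-Defined-Cipher-Order", False):
        findings.append("server order preference is off; client cipher order is used")
    return findings


def audit(response):
    """Map policy name -> findings for every SSL negotiation policy."""
    return {p["PolicyName"]: audit_policy(p)
            for p in response["PolicyDescriptions"]
            if p["PolicyTypeName"] == "SSLNegotiationPolicyType"}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```
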

AWS Relational Database Service

Our AWS Relational Database Service (RDS) database is encrypted at rest via an AWS Key Management Service (KMS) symmetric customer master key (CMK). The encryption algorithm for symmetric CMKs is known as SYMMETRIC_DEFAULT. Currently, this represents a symmetric algorithm based on Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) with 256-bit keys, an industry standard for secure encryption. The ciphertext that this algorithm generates supports additional authenticated data (AAD), such as an encryption context, and GCM provides an additional integrity check on the ciphertext. For technical details, see the AWS Key Management Service Cryptographic Details whitepaper (https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf).

Data Protection

Data encrypted under AES-256-GCM is protected now and in the future. Cryptographers consider this algorithm to be quantum resistant. Theoretical future large-scale quantum computing attacks on ciphertexts created under 256-bit AES-GCM keys reduce the effective security of the key to 128 bits. However, this security level is sufficient to make brute-force attacks on AWS KMS ciphertexts infeasible.

Application Documents Storage

Application documents are stored in AWS Simple Storage Service (S3) and are encrypted at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt data, 256-bit Advanced Encryption Standard (AES-256).
