This section contains some best practices to follow when using BYOK.
- Identify or create a workspace that does not contain any essential model data.
- Encrypt the workspace to practice using BYOK.
- After successfully encrypting the workspace:
  - Run the tests you want on the models in the workspace.
  - Follow the same procedure to encrypt your production workspace.
  - If required, decrypt the development workspace.
Ensure Workspaces are not in use
Workspaces can't be encrypted when they are active. Ensure that your users are no longer using any models in the workspace before starting encryption. Do not start encryption until the workspace state is Ready.
Encrypting before loading data
The first encryption is known as encryption in place, and is an offline event. To reduce the time this encryption takes, we recommend encrypting a workspace when it’s first created or before significant data is loaded. Data added to models within the workspace after encryption is automatically encrypted. This is known as encryption on the fly. The data you load later is likely to be sensitive, so it's more secure to load it after the workspace is encrypted.
Identify users for key roles
Identify users to be assigned the Encryption Admins role as early as possible.
Identify users to be assigned the Tenant Auditor role.
Encryption Admin role
To maintain separation of duties, encryption admins should not have access to any model data.
- Ensure that encryption admins are added as members of at least one workspace with a model permission of No Access.
- Let your account representative know the email addresses of the encryption admins when you first order BYOK.
- Ideally, assign more than one person the encryption admin role.
- Encryption Admin users can assign other users in their tenant the Encryption Admin role or remove it using the Access Control feature of the Administration app. See Assign Encryption Administrators.
Tenant Auditor role
The Tenant Auditor role can access the BYOK audit logs. You can choose to specify different users from those assigned the Encryption Admin role, and your Tenant Administrator can assign users to this role. Tenant Auditors need to be a user in at least one Anaplan workspace, ideally with a model permission of No Access.
When the BYOK status changes following a successful encryption or decryption action in a workspace, wait two minutes before running another operation on that workspace. This enables trailing processes to complete and helps to prevent unexpected errors.
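The checks above (workspace state Ready, no users active, the two-minute cooldown after a BYOK status change, and the separation-of-duties requirements for the Encryption Admin and Tenant Auditor roles) can be scripted as a pre-flight report before an operator starts encryption. The script below is an added example and is not Anaplan's code: it does not call the Anaplan API, and the `Workspace`, `Membership` and `User` records, the `last_byok_change` field, and the sample data are constructed for illustration; an operator would fill them from whatever status and access information they have gathered.

```python
"""Pre-flight checks for a BYOK encryption run (added example, not Anaplan code).

The records below are constructed stand-ins for information an operator
collects before encrypting; nothing here talks to Anaplan.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(minutes=2)   # wait two minutes after a BYOK status change
NO_ACCESS = "No Access"           # model permission that grants no model data access
ENCRYPTION_ADMIN = "Encryption Admin"
TENANT_AUDITOR = "Tenant Auditor"


@dataclass
class Workspace:
    name: str
    state: str                   # only a "Ready" workspace may be encrypted
    active_users: set            # users still working in this workspace's models
    last_byok_change: datetime   # constructed field: when BYOK status last changed


@dataclass
class Membership:
    workspace: str
    model_permission: str        # e.g. "No Access" or "Full Access"


@dataclass
class User:
    email: str
    roles: set
    memberships: list = field(default_factory=list)


def workspace_blockers(ws, now):
    """Return the reasons this workspace must not be encrypted right now."""
    blockers = []
    if ws.state != "Ready":
        blockers.append(f"{ws.name}: state is {ws.state!r}, not 'Ready'")
    if ws.active_users:
        blockers.append(f"{ws.name}: still in use by {sorted(ws.active_users)}")
    since_change = now - ws.last_byok_change
    if since_change < COOLDOWN:
        wait = COOLDOWN - since_change
        blockers.append(f"{ws.name}: BYOK status changed "
                        f"{since_change.total_seconds():.0f}s ago; wait {wait.total_seconds():.0f}s")
    return blockers


def role_findings(users):
    """Return (blockers, warnings) for the Encryption Admin / Tenant Auditor rules."""
    blockers, warnings = [], []
    if sum(ENCRYPTION_ADMIN in u.roles for u in users) < 2:
        warnings.append("only one Encryption Admin assigned; more than one is recommended")
    for u in users:
        if not u.roles & {ENCRYPTION_ADMIN, TENANT_AUDITOR}:
            continue
        if not u.memberships:
            blockers.append(f"{u.email}: must be a member of at least one workspace")
            continue
        with_access = [m for m in u.memberships if m.model_permission != NO_ACCESS]
        if ENCRYPTION_ADMIN in u.roles and with_access:
            # separation of duties: an encryption admin must not see model data
            blockers.append(f"{u.email}: Encryption Admin has "
                            f"{with_access[0].model_permission!r} in {with_access[0].workspace}")
        elif TENANT_AUDITOR in u.roles and with_access:
            warnings.append(f"{u.email}: Tenant Auditor should ideally have 'No Access'")
    return blockers, warnings


# Constructed sample data: one trial workspace ready to go, one production
# workspace still in use and inside the cooldown window.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_WORKSPACES = [
    Workspace("dev-byok-trial", "Ready", set(), NOW - timedelta(minutes=5)),
    Workspace("prod-finance", "Ready", {"planner@example.com"}, NOW - timedelta(seconds=30)),
]
SAMPLE_USERS = [
    User("enc-admin-1@example.com", {ENCRYPTION_ADMIN}, [Membership("dev-byok-trial", NO_ACCESS)]),
    User("enc-admin-2@example.com", {ENCRYPTION_ADMIN}, [Membership("prod-finance", "Full Access")]),
    User("auditor@example.com", {TENANT_AUDITOR}, []),
]


def run_preflight(workspaces=SAMPLE_WORKSPACES, users=SAMPLE_USERS, now=NOW):
    """Build the full report: per-workspace blockers plus role findings."""
    role_blockers, role_warnings = role_findings(users)
    return {
        "workspaces": {ws.name: workspace_blockers(ws, now) for ws in workspaces},
        "role_blockers": role_blockers,
        "role_warnings": role_warnings,
    }


if __name__ == "__main__":
    report = run_preflight()
    for name, issues in report["workspaces"].items():
        print(name, "OK to encrypt" if not issues else issues)
    print("role blockers:", report["role_blockers"])
    print("role warnings:", report["role_warnings"])
```

On the sample data the trial workspace passes, the production workspace is blocked twice (a user is still active and the two-minute cooldown has not elapsed), and two role findings block: one encryption admin holds Full Access on a workspace, and the auditor is not a member of any workspace.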