This section contains some best practices to follow for Bring Your Own Key (BYOK).
Workspaces can't be encrypted when they are active. Ensure that your users are no longer using any models in the workspace before starting encryption. Do not start encryption until the workspace state is Ready.
The first encryption is known as encryption in place, and is an offline event. To reduce the amount of time for this encryption, we recommend you encrypt a workspace when it’s first created or before significant data is loaded. Data added to models within the workspace after encryption is automatically encrypted. This is known as encryption on the fly. Because the data you load is likely to be sensitive, it's more secure to load it after the workspace is encrypted.
Identify users to be assigned the Encryption Administrator role as early as possible.
Identify users to be assigned the Tenant Auditor role.
To maintain separation of duties, encryption administrators should not have access to any model data.
Note: Only a limited set of users are eligible to be assigned the Encryption Administrator role. Only users who were submitted to Anaplan as potential Encryption Administrators appear in Access Control in Administration. If any users are missing, add them to the workspace in your tenant with the role No Access, then contact Anaplan Support and request that those users be added to the list of eligible Encryption Administrators.
The Tenant Auditor role can access the BYOK audit logs. You can choose to assign this role to different users from the ones assigned the Encryption Administrator role, and your Tenant Administrator can assign users to this role. Tenant Auditors need to be a user in at least one Anaplan workspace, ideally with a model permission of No Access.
When the BYOK status changes following a successful encryption or decryption action in a workspace, wait two minutes before running another operation on that workspace. This enables trailing processes to complete and helps to prevent unexpected errors.