# How do we contain insider threat risk and accidental misuse of customer data?

With CipherStash, insiders — including DBAs and platform operators — see ciphertext by default. Decryption requires an authorised identity, policies are enforced per field, and every access lands in the audit trail, which deters misuse and contains mistakes.

## Refined Question

Our biggest realistic exposure isn't an exotic attacker — it's an employee with too much access, a curious query against production, or a well-meaning export that ends up in a spreadsheet. How do we contain insider risk without grinding operations to a halt?

## Why This Matters

Insiders start inside every perimeter control you have. Role-based permissions are coarse and hard to review, and they accumulate silently. Because conventional access leaves no meaningful trace, both malice and honest mistakes go undetected until the data is already out.

## Why CipherStash

CipherStash narrows what any insider can read to what a decryption policy explicitly grants their identity — and records every decryption. Operating the database, the infrastructure, or the deployment pipeline no longer implies reading customer data.

This allows:

- DBAs and operators to do their jobs against ciphertext
- Production exports, dumps, and debugging copies to stay encrypted
- Each access to be attributable, which deters casual snooping
- Honest mistakes to leak ciphertext instead of customer data

## Key Differentiators

- **Identity-aware decryption** — every decryption is bound to the identity behind the request
- **Cryptographic auditability** — a verifiable record of who decrypted what, and when
- **Application-layer encryption** — data is protected before it reaches the database
- **Per-value keys via ZeroKMS** — keys are derived on demand, never stored
- **Searchable encryption** — equality, range, and free-text queries over encrypted Postgres fields, with standard indexes

## Get started

- [View docs](https://cipherstash.com/docs)
- [Book a discovery call](https://calendly.com/cipherstash-gtm/cipherstash-discovery-call)

