# How do we cryptographically enforce least privilege and data segmentation?

*Domain Solution · Zero Trust & Exposure Reduction*

CipherStash derives a unique key per value and binds decryption to identity and policy, so least privilege is enforced by cryptography rather than configuration. Tenant and dataset segmentation hold even against admins, stolen credentials, and misconfigured roles.

## Refined Question

Least privilege is our stated policy, but in practice it is a pile of roles, grants, and row-level security rules that drift, accumulate, and occasionally get bypassed. How do we make least privilege something the system enforces mathematically rather than administratively?

## Why This Matters

Configuration-based access control fails open: a misconfigured role, a forgotten grant, or a superuser session quietly defeats it, and audits only catch the drift after the fact. Segmentation that depends on every rule being right all the time is not segmentation.

## Why CipherStash

CipherStash enforces privilege at the key level. Each value's key is derived only for identities a policy authorises — per tenant, per dataset, per field — so access outside the policy isn't a rule violation, it's a decryption failure.

This allows:

- Least privilege to hold even when roles or RLS rules are misconfigured
- Multi-tenant isolation to be provable cryptographically, per tenant keyset
- Admins and superusers to be excluded from data they don't need
- Privilege reviews to verify policy, not chase configuration drift
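The difference between a rule violation and a decryption failure can be shown with standard primitives. The following Node.js example is added here for illustration; it is not CipherStash or ZeroKMS code and does not reproduce their derivation scheme. It uses HKDF and AES-256-GCM, and `POLICY`, `ROOT_KEY`, the identity names and the in-process key gate are all assumptions.

```javascript
// Added illustration: generic HKDF + AES-256-GCM, not CipherStash/ZeroKMS code.
const crypto = require("node:crypto");

// Hypothetical policy: identity -> scopes (tenant/dataset/field) it may decrypt.
const POLICY = {
  "svc-billing": ["acme/invoices/card_number"],
  "svc-globex": ["globex/invoices/card_number"],
  "dba-admin": [], // can read the rows, holds no grant on the values
};
// Constructed root secret for the demo; in practice it stays inside a key service.
const ROOT_KEY = crypto.createHash("sha256").update("constructed-demo-root").digest();

// Assumes scope components never contain "/".
const scopeOf = (c) => `${c.tenant}/${c.dataset}/${c.field}`;

// Derive a key bound to scope and value id on demand; nothing is stored.
function deriveKey(ctx) {
  const info = Buffer.from(`${scopeOf(ctx)}/${ctx.valueId}`);
  return Buffer.from(crypto.hkdfSync("sha256", ROOT_KEY, Buffer.alloc(0), info, 32));
}

// Stand-in for the key service: no grant for the scope means no key is derived.
function keyFor(identity, ctx) {
  if (!(POLICY[identity] || []).includes(scopeOf(ctx))) {
    throw new Error(`no key for ${identity} in ${scopeOf(ctx)}`);
  }
  return deriveKey(ctx);
}

function encrypt(identity, ctx, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", keyFor(identity, ctx), iv);
  c.setAAD(Buffer.from(scopeOf(ctx))); // bind ciphertext to its scope
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function decrypt(identity, ctx, box) {
  const d = crypto.createDecipheriv("aes-256-gcm", keyFor(identity, ctx), box.iv);
  d.setAAD(Buffer.from(scopeOf(ctx)));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]).toString("utf8");
}

// Classify the outcome: "ok", "denied" (no key issued) or "auth-failure" (wrong key).
function attempt(identity, ctx, box) {
  try { decrypt(identity, ctx, box); return "ok"; }
  catch (e) { return e.message.startsWith("no key") ? "denied" : "auth-failure"; }
}
```

An identity with no grant never receives a key, and an identity granted a different tenant derives a different key, so the GCM tag check fails on the other tenant's ciphertext.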

## Key Differentiators

- **Per-value keys via ZeroKMS** — keys are derived on demand, never stored
- **Identity-aware decryption** — every decryption is bound to the identity behind the request
- **Cryptographic auditability** — a verifiable record of who decrypted what, and when
- **Application-layer encryption** — data is protected before it reaches the database
- **Searchable encryption** — equality, range, and free-text queries over encrypted Postgres fields, with standard indexes


