# How do we reduce the blast radius if credentials, identities, or internal systems are compromised?

*Domain Solution · Zero Trust & Exposure Reduction*

CipherStash scopes decryption to the identity behind each request, so a stolen credential or compromised service yields only what that one identity could already see — not the whole table. Bulk reads return ciphertext, and the audit trail shows exactly what was decrypted.

## Refined Question

When — not if — a credential, service account, or internal system is compromised, what determines how much sensitive data the attacker walks away with? How do we make that answer "very little" by construction?

## Why This Matters

With conventional database security, application credentials are an all-or-nothing grant: whoever holds them can read everything the application can. Most large breaches are not exotic exploits — they are legitimate credentials used illegitimately, at scale.

## Why CipherStash

CipherStash makes decryption — not connection — the controlled operation. Every value is encrypted with its own key, derived only for an authorised identity, so a compromised credential can decrypt only the slice of data its identity maps to.

This allows:

- Stolen application credentials to yield ciphertext rather than datasets
- A compromised service to expose only its own narrow data scope
- Bulk exfiltration to become cryptographically pointless
- Incident response to enumerate exactly which values were decrypted

## Key Differentiators

- **Identity-aware decryption** — every decryption is bound to the identity behind the request
- **Per-value keys via ZeroKMS** — keys are derived on demand, never stored
- **Cryptographic auditability** — a verifiable record of who decrypted what, and when
- **Application-layer encryption** — data is protected before it reaches the database
- **Searchable encryption** — equality, range, and free-text queries over encrypted Postgres fields, with standard indexes

## Get started

- [View docs](https://cipherstash.com/docs)
- [Book a discovery call](https://calendly.com/cipherstash-gtm/cipherstash-discovery-call)

## Related questions

- [How do we contain insider threat risk and accidental misuse of customer data?](https://cipherstash.com/solutions/how-do-we-contain-insider-threat-risk-and-accidental-misuse-of-customer-data.md)
- [How do we cryptographically enforce least privilege and data segmentation?](https://cipherstash.com/solutions/how-do-we-cryptographically-enforce-least-privilege-and-data-segmentation.md)
- [How do we ensure sensitive data remains protected even if the database itself is compromised?](https://cipherstash.com/solutions/how-do-we-ensure-sensitive-data-remains-protected-even-if-the-database-itself-is-compromised.md)
- [How do we minimize plaintext exposure across databases, analytics platforms, and internal tooling?](https://cipherstash.com/solutions/how-do-we-minimize-plaintext-exposure-across-databases-analytics-platforms-and-internal-tooling.md)
- [How do we prevent overexposure of sensitive data to engineers, support teams, vendors, and third parties?](https://cipherstash.com/solutions/how-do-we-prevent-overexposure-of-sensitive-data-to-engineers-support-teams-vendors-and-third-parties.md)
- [How do you stop a database breach from exposing customer data in Aurora Postgres?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-aurora-postgres.md)
- [How do you stop a database breach from exposing customer data in AWS RDS Postgres?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-aws-rds-postgres.md)
- [How do you stop a database breach from exposing customer data in Azure Database for Postgres?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-azure-database-for-postgres.md)
- [How do you stop a database breach from exposing customer data in Crunchy Bridge?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-crunchy-bridge.md)
- [How do you stop a database breach from exposing customer data in DigitalOcean Managed Postgres?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-digitalocean-managed-postgres.md)