
Amateur Question... We've written a SaaS application that runs in Google Cloud on a GCP-managed MySQL database. We now need to make our application PCI and/or HIPAA compliant. I know we need to specify our own encryption key and keep it off the DB server, but I'm wondering how deeply we need to encrypt in order to be compliant...

COLUMN LEVEL? We could encrypt every column at the column level. This would, however, require a lot of code changes in which our code would have to encrypt or decrypt every column on every call. Also, I suspect, there will be some unexpected consequences with indexing, etc.

DATABASE LEVEL? GCP has an option for us to set our own keys and those keys would cover the entire DB. Thus, we're covered at rest.

I believe the data is encrypted when transmitted (e.g. we only use HTTPS for our UI). We also require SSL for external access to the DB.

Encrypting at the DB level would be way easier to implement and maintain, but would this be considered compliant?

Also, with DB level encryption, when is that DB decrypted? Does each DB call decrypt just what it needs or is the entire DB decrypted when a connection is made to it?

Thanks for your help!

Ben
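The column-level option described in the question, as an added example that is not part of the original post: each value is encrypted in the application with AES-GCM under a key that never reaches the database, and the "unexpected consequences with indexing" are handled by storing a separate keyed HMAC "blind index" column for equality lookups. The names (`ColumnCipher`, `BlindIndex`, `Row`, `Insert`, `Lookup`), the in-memory slice standing in for a MySQL table, and the assumption that both keys are fetched from a KMS at start-up are illustrative choices made here, not anything the asker's application uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ColumnCipher holds the two application-side keys: one for AES-GCM
// (confidentiality and integrity of the stored value) and a separate one for
// the HMAC blind index. Assumption: both come from a KMS, never from the DB.
type ColumnCipher struct {
	aead     cipher.AEAD
	indexKey []byte
}

func NewColumnCipher(encKey, indexKey []byte) (*ColumnCipher, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead, indexKey: indexKey}, nil
}

// Encrypt stores "v1:" + hex(nonce || ciphertext || tag). A fresh random nonce
// per call means two rows holding the same plaintext get different ciphertext,
// so this column cannot be indexed, compared or sorted by the database. The
// column name is bound as associated data so a value cannot be swapped into
// another column without failing authentication.
func (c *ColumnCipher) Encrypt(column, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nil, nonce, []byte(plaintext), []byte(column))
	return "v1:" + hex.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt reverses Encrypt; any error means wrong key, wrong column or tampering.
func (c *ColumnCipher) Decrypt(column, stored string) (string, error) {
	if !strings.HasPrefix(stored, "v1:") {
		return "", errors.New("unknown ciphertext version")
	}
	raw, err := hex.DecodeString(stored[3:])
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BlindIndex is a deterministic keyed hash of the normalised value. Stored in
// its own indexed column, it supports WHERE email_idx = ? lookups without
// revealing the value. It uses a key distinct from the encryption key.
func (c *ColumnCipher) BlindIndex(value string) string {
	mac := hmac.New(sha256.New, c.indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Row mirrors the two columns written for one encrypted field.
type Row struct {
	EmailEnc string
	EmailIdx string
}

// Insert and Lookup stand in for the INSERT and SELECT ... WHERE email_idx = ?
// the application would run against MySQL (assumption: in-memory table here).
func Insert(c *ColumnCipher, table *[]Row, email string) error {
	enc, err := c.Encrypt("email", email)
	if err != nil {
		return err
	}
	*table = append(*table, Row{EmailEnc: enc, EmailIdx: c.BlindIndex(email)})
	return nil
}

func Lookup(c *ColumnCipher, table []Row, email string) (string, bool) {
	idx := c.BlindIndex(email)
	for _, r := range table {
		if r.EmailIdx == idx {
			pt, err := c.Decrypt("email", r.EmailEnc)
			return pt, err == nil
		}
	}
	return "", false
}

func main() {
	encKey, indexKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey) // stand-in for fetching keys from a KMS
	rand.Read(indexKey)
	c, _ := NewColumnCipher(encKey, indexKey)
	var table []Row
	Insert(c, &table, "alice@example.com") // constructed sample value
	Insert(c, &table, "Alice@Example.com")
	fmt.Println("ciphertexts differ:", table[0].EmailEnc != table[1].EmailEnc)
	fmt.Println("blind indexes match:", table[0].EmailIdx == table[1].EmailIdx)
	pt, ok := Lookup(c, table, "ALICE@example.com")
	fmt.Println("lookup:", ok, pt)
}
```

The two-column layout is the practical answer to the indexing concern: the encrypted column is opaque to MySQL, and only exact-match queries are possible through the blind index, so range scans, LIKE searches and sorting on that field have to be designed away or done in the application. Decryption happens per value in the application on each read, which is the opposite of the database-level model, where the storage engine decrypts pages transparently for any connected client that has database credentials.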
