Encryption and firewalls


Good security is not a PDF nobody opens: it is encryption where it matters, painless key rotation, and a firewall that blocks what it should without killing checkout on a Friday. Viscale ties crypto and perimeter to what the product actually does — same risk language, same appetite for evidence when someone asks “who changed this?”.

Purposeful encryption, not a generic checklist: TLS from users to apps, between internal services when the data deserves it, and at rest on disk or in the database when law or contract requires it. We explain the tradeoffs (client-side crypto costs battery; disk-only encryption may not cover a leaked backup) and decide with you.

What we can deliver

End-to-end TLS for the product

Certificates, HSTS where it fits, mixed content gone.

Encryption at rest for the database

Native KMS or managed keys with clear access policy.

Network segmentation (VPC / subnets)

No public route to the DB, app in private subnet with controlled egress.

WAF at the web edge

OWASP Top 10 rules tuned so legitimate payloads are not blocked.

Site-to-site or client VPN

Office or partner access to only what they need.

Credential and API key rotation

Calendar plus pipeline steps so production keeps running.

Encrypted backups and copies

Encrypted snapshots and policy for who may restore.

OS and base image hardening

Minimal users, patch windows, documented baseline.

Firewall and WAF with auditable rules. Tight security groups, IP lists when it fits, rate limits on login or payment, and documented exceptions (that partner integration that needs port X). No “open everything and we will see later”: every opening has an owner and a review date.

Differentiators your team feels daily. Certificate management with monitored renewal, secret rotation wired into the pipeline, basic dependency scanning, and a short incident playbook (“isolate, preserve logs, communicate”). If you already use HSM, KMS, or Vault, we fit the flow; if not, we start with high-impact moves that do not become an endless project.

Deliverables

Production configuration

As approved and tested.

Network and data-flow diagram

Readable for product and legal, not only IT.

Encryption matrix

Where it encrypts, algorithm/key, retention.

Firewall/WAF rule list

With rationale and last review date.

Certificate policy

Issuer, renewal, emergency contact.

Secret register (outside Git)

Where keys live and who may rotate.

Regression test report

Critical flows after rule changes.

Short incident playbook

Isolate, preserve evidence, notify stakeholders.

Hardening checklist

Items with owner and next review.

Handoff session

Q&A with the team that runs the environment.

Execution methodology

  1. Sensitive data map

    What is PII, where it moves, where it rests.

  2. Lean threat model

    Assets, attack surface, realistic priorities.

  3. Encryption design

    In transit, at rest, and who owns keys.

  4. Firewalls and security groups

    Minimum necessary rules with justified exceptions.

  5. WAF or edge rules

    When applicable, with learning phase and false positives handled.

  6. Certificate management

    Issuance, renewal, and pre-expiry alerts.

  7. CI/CD integration

    Secrets injected without committing to Git.

  8. Testing and validation

    Critical flows (login, payment, upload) under inspection.

  9. Documentation and evidence

    Diagram, port list, and review owners.

  10. Quick training

    So the team knows where to change settings without opening holes.
