Data encryption per subscriber

I’m looking for a solution out-of-the-box for the following problem.
I want to publish generic events. One of the properties is a customer identifier. The other data/properties in the event should be protected with a key per customer, so that subscribers only have access to their event data and can ignore events based on the value of the customer identifier property.

Has anyone ideas or suggestions?

This is currently not possible. When using a broker the same message is received by all subscribers, but the message is only sent once to the broker.

Potentially this would be possible with message-driven pub/sub, as with that method each subscriber will get its own copy of the message, but at the moment our pipeline does not have the extensibility to modify the message per logical subscriber.

Also, encrypting data differently per subscriber does not make sense. The publisher announces a fact and it doesn’t care who is interested in that. It should not have to worry about framing the event in a specific way.

It seems that you want to create a ‘generic’ event which actually isn’t a real event and for that require a form of content based routing/filtering.

You could do:

  • Create an event handler that is aware of all endpoints and send a message to these endpoints based on the routing/filtering that you would want, where each payload can be different.
  • Have a more generic request-multi-response. Here you could have a subscriber start/stop a request-multi-response and have this maintained by a saga instance. The saga instance would be subscribed to the event that can be correlated to a specific customer and you can do all kinds of things with the message you want to send.

Could you share more functional details on the use-case?

I have a multitenant highly custom configurable application that captures data in a workflow by the different stakeholders at our customers.
Some third-party applications are interested in some of the data at a certain point in the workflow.
We made a configurable system, so that per workflow per customer different datasets can be broadcast.
I wanted to have the flexibility of not changing anything in our application as customers or interested third-party applications change.
Therefore I chose pub/sub. This causes every event to show up at every endpoint. Based on some non-encrypted property I can identify the customer. The content of the data-event must be encrypted per customer.
I hope this explains a little bit the context of my question.

I misunderstood your question. I thought you wanted the publisher to publish an event to all subscribers but each event copy to be encrypted with a subscriber-specific key. How I read your last post is that the event published is just for one specific customer, but that event is sent to all subscribers; the event contains only data specific to one customer and needs to be encrypted so that other subscribers cannot read that data.

We do not have an OOTB solution for that.

However, the following samples could be customized to achieve such a goal. From what I understand, you have some kind of tenant ID that could be used to select the correct encryption key.

I personally don’t know if I like that solution, especially as this seems to be part of an integration. It is strange that a recipient could be receiving a payload that it cannot do anything with besides discarding, because it cannot decrypt it.

Could you share such a workflow event?

The events contain data captured during onboarding processes of new employees at some point in the workflow form-wizard.
This is the event-contract.

using System;
using System.Collections.Generic;

public interface IDataEvent
{
  string ConcernNumber { get; set; }                 // identifies the customer (tenant)
  DateTime TimeStampUtc { get; set; }
  Guid ProcessId { get; set; }
  string Name { get; set; }
  string Description { get; set; }
  IDictionary<string, object> Data { get; set; }     // captured workflow data; the part to protect
  int VersionNumber { get; }
}

The payload that should be encrypted is the Data property.
The integration-endpoints are different and possibly more than one per customer (property ConcernNumber identifies the customer).

I wanted some routing on the events so that the payload of one customer could not end
but in a way that our broadcasting application has no dependency on whether the integration endpoints are already made by the other teams. That’s why I have chosen pub/sub, but that introduces the problem that every endpoint gets every event, even those not for the appropriate customer. And that’s why I looked for encryption …
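The per-customer encryption idea from this post, as an added example that is not code from the original thread or from the product discussed: the Data dictionary is sealed with AES-GCM under a key selected by ConcernNumber, and ConcernNumber plus ProcessId are bound in as additional authenticated data so a ciphertext cannot be re-attached to an event carrying another customer's identifier. ITenantKeyStore is an assumed abstraction over whatever secret store holds the per-customer keys; an endpoint without a key for that ConcernNumber simply discards the event.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Assumed: one 256-bit key per customer, returned as null when this endpoint has none.
public interface ITenantKeyStore
{
    byte[] GetKey(string concernNumber);
}

public sealed class SealedData
{
    public byte[] Nonce { get; set; }       // 12-byte AES-GCM nonce, fresh per message
    public byte[] Ciphertext { get; set; }
    public byte[] Tag { get; set; }         // 16-byte authentication tag
}

public static class TenantPayloadProtector
{
    static byte[] Aad(string concernNumber, Guid processId) =>
        Encoding.UTF8.GetBytes($"{concernNumber}|{processId}");

    // Called by the publisher before the event leaves the trusted application.
    public static SealedData Protect(IDataEvent evt, ITenantKeyStore keys)
    {
        var key = keys.GetKey(evt.ConcernNumber)
                  ?? throw new InvalidOperationException("No key for " + evt.ConcernNumber);
        var plaintext = JsonSerializer.SerializeToUtf8Bytes(evt.Data);
        var sealedData = new SealedData
        {
            Nonce = RandomNumberGenerator.GetBytes(12),
            Ciphertext = new byte[plaintext.Length],
            Tag = new byte[16]
        };
        using var aes = new AesGcm(key, 16);
        aes.Encrypt(sealedData.Nonce, plaintext, sealedData.Ciphertext, sealedData.Tag,
                    Aad(evt.ConcernNumber, evt.ProcessId));
        return sealedData;
    }

    // Called by a subscriber. Returns null when the event is not for this endpoint
    // (no key) or when the tag check fails (tampered or mis-attributed payload).
    public static IDictionary<string, object> Unprotect(
        string concernNumber, Guid processId, SealedData sealedData, ITenantKeyStore keys)
    {
        var key = keys.GetKey(concernNumber);
        if (key == null) return null;
        var plaintext = new byte[sealedData.Ciphertext.Length];
        using var aes = new AesGcm(key, 16);
        try { aes.Decrypt(sealedData.Nonce, sealedData.Ciphertext, sealedData.Tag, plaintext,
                          Aad(concernNumber, processId)); }
        catch (AuthenticationTagMismatchException) { return null; }
        return JsonSerializer.Deserialize<Dictionary<string, object>>(plaintext);
    }
}
```

Every subscriber still receives and has to parse the envelope, which is the IO and trust concern raised in the replies; the key store, not the broker, is what enforces who can read Data.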

This event definition seems more like a notification and is not reflecting a business event which is often more like a state transition. For an event it contains a lot of data, I wouldn’t classify this as a lightweight message.

It more seems like a way to replicate data to another system.

Why can’t the team that creates that customer specific integration channel be trusted in applying the right filtering? Why else would you want to encrypt that data?

Based on what you shared it seems that you have an integration channel per customer. If that endpoint cannot be trusted with all events and cannot be part of a ‘trusted sub system’, then I would create a generic event handler or an event handler per customer on a trusted endpoint that takes care of the distribution/filtering. This event handler would then do a send to an integration endpoint that specifically knows how to deal with that integration, and only be sent messages with content that it is allowed to receive.

Yes, you could go for the encryption strategy, but you would be sending a lot of messages to logically different destinations and doing lots more IO than needed for no benefit.

Another option is to not add the data, have a lightweight message and have the recipient do the aggregation by having them query for it. This is especially of interest if the querying would almost never happen.

Does that help and make sense?
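The trusted distribution handler suggested above, as an added example that is not code from the original thread or from NServiceBus itself: a handler on a trusted endpoint subscribes to IDataEvent, looks up which integration endpoints may receive that ConcernNumber's data, strips Data down to the keys each one is allowed to see, and sends a command only there. IIntegrationRegistry and CustomerDataCaptured are assumed names; the example also assumes IDataEvent is configured as an event by the endpoint's message conventions.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using NServiceBus;

// Assumed command for the integration endpoint: only what that endpoint may see.
public class CustomerDataCaptured : ICommand
{
    public string ConcernNumber { get; set; }
    public Guid ProcessId { get; set; }
    public string Name { get; set; }
    public IDictionary<string, object> Data { get; set; }
}

// Assumed registry: per customer, the destination endpoints and the Data keys each may receive.
public interface IIntegrationRegistry
{
    IReadOnlyList<(string Endpoint, ISet<string> AllowedKeys)> RoutesFor(string concernNumber);
}

// Runs on the trusted endpoint; untrusted integration endpoints never subscribe to IDataEvent.
public class DataEventDistributor : IHandleMessages<IDataEvent>
{
    readonly IIntegrationRegistry registry;

    public DataEventDistributor(IIntegrationRegistry registry) => this.registry = registry;

    public async Task Handle(IDataEvent message, IMessageHandlerContext context)
    {
        // No configured route for this ConcernNumber means nothing is forwarded at all.
        foreach (var (endpoint, allowedKeys) in registry.RoutesFor(message.ConcernNumber))
        {
            var filtered = new Dictionary<string, object>();
            foreach (var kv in message.Data ?? new Dictionary<string, object>())
                if (allowedKeys.Contains(kv.Key))
                    filtered[kv.Key] = kv.Value;

            // Point-to-point send: the broker only delivers this copy to the named endpoint.
            await context.Send(endpoint, new CustomerDataCaptured
            {
                ConcernNumber = message.ConcernNumber,
                ProcessId = message.ProcessId,
                Name = message.Name,
                Data = filtered
            });
        }
    }
}
```

The publishing application still changes nothing when a customer's integration is added or removed; only the registry on the trusted endpoint does.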