Data Protection Services

The Baffle Data Protection Service seamlessly de-identifies sensitive data in the cloud to mitigate the risk of data breaches while enabling privacy-preserving analytics.

We help you move more data to the cloud faster without compromising data privacy allowing you to take advantage of the flexibility of the cloud, and responsibly use and share that data for advanced analytics such as AI and machine learning.

Request A Demo

Data Protection Services

The Baffle Data Protection Service provides a transparent data-centric security layer that offers several data protection modes. Capabilities include de-identification, tokenization, field level encryption, record level encryption, format preserving encryption (FPE) BYOK for SaaS, dynamic data masking, file encryption, file content encryption, encryption API services, role-based access control (RBAC), privacy preserving analytics and secure data sharing.

Usage Monitoring

Monitor access to databases to identify patterns or anomalous behavior and profile applications

Role-Based Access Control

Define which systems, users or groups can access data stores and dynamically entitle who can see what data

Dynamic Data Masking

Dynamically mask data at the presentation layer to obscure data values from specific users or groups

Learn More

Tokenization / FPE

De-identify and tokenize data using format preserving encryption or deterministic encryption modes

Learn More

Field & Record Level Encryption

Data-centric protection at the field or record level in data stores secures the actual data values

Learn More

BYOK for SaaS

Provides an off-the-shelf BYOK service for SaaS vendors to support multiple customer-owned keys in multi-tenant environments

Learn More

File and Data Pipeline Security

Encrypt files and de-identify data in cloud data lakes to enable AI and privacy preserving analytics

Learn More

Encryption in Use

Utilizes Secure Multiparty Compute (SMPC) to enable operations on encrypted data such as wildcard and sort

Learn More

Secure Data Sharing

Enable secure sharing of data across multiple parties without revealing private values to other participants

Learn More

How It Works

Standard Mode Advanced Mode

Standard Mode

Baffle Data Protection Services

The Baffle Data Protection Service provides a transparent data-centric security layer that offers several data protection modes. Capabilities include de-identification, tokenization, field level encryption, record level encryption, format preserving encryption (FPE), BYOK for SaaS, dynamic data masking, privacy preserving analytics and secure data sharing.

Application Tier

The solution simplifies encryption implementation by delivering application level encryption via a “no code” abstracted data model that does not require any application tier code changes. This enables support for commercial off-the-shelf (COTS) applications, custom apps, and cloud migrations without modifying code.

Baffle Shield

Baffle Shield is an encryption engine that integrates with customer owned keys to encrypt data. Baffle Shield operates in a manner that is invisible to applications which enables Baffle to support virtually any application with no code modification. The flexible architecture model allows support for complex encryption scenarios such as API-based communications, machine to machine traffic, and automation workflows.

Database Tier

The database tier stores encrypted data with no encryption key present. Baffle’s security contract ensures that the key and encrypted data are never co-mingled to reduce the risk of insider threat, privileged access and side channel attacks.

That database communicates with Baffle’s Secure Multi-party Compute (SMPC) to execute operations on the encrypted data values. This patented method prevents the data from being decrypted in memory or in process, but still allows for mathematical operations to occur on the encrypted data.

The benefit is stronger data protection for security teams and no breakage in application functionality for the business.

Advanced Mode

Data-Centric Protection to Reduce Data Theft Risk

Baffle’s solution goes beyond legacy encryption to truly close gaps in the data access threat model. Baffle provides an advanced data protection solution that protects data in memory, in process and at-rest to reduce insider threat and data theft risk

Baffle Manager

Baffle Manager is the management console for the advanced data protection solution. The reality is that deploying encryption is complex and difficult. Much harder than it needs to be. Baffle Manager streamlines the deployment of encryption by enumerating data schema and mapping keys to confidential data and by virtualizing the key management layer to simplify encryption key management for KMSs or HSMs. The result is less time configuring, re-configuring, rotating and integrating encryption with your apps, and faster deployment times for getting your applications protected the right way.

Encryption Keys

Baffle can simplify key management by creating key mappings from multiple heterogeneous key management systems (KMS) and hardware storage modules (HSM) to provide an abstracted key management layer. This allows organizations to unify the management tasks and policies for encryption keys rather than using several disjointed solutions simplifying a critical security function and improving operational efficiency.

Baffle integrates with KMS via KMIP or HSMs via PKCS #11 libraries and also supports AWS KMS and Azure KeyVault.

Download the Baffle Thales Solutions Brief to learn more about our integration with KeySecure.

Baffle SMPC Servlets

SMPC is Baffle’s patented cryptographic technique to enable computation on encrypted data at speed. The solution takes computational requests — such as sort, wildcard search or a math operation — and breaks the operation apart across distributed stateless servlets and returns the results in encrypted form. This enables operations on encrypted data without ever decrypting the original values of your sensitive or confidential data.

The main differences between our SMPC approach and homomorphic encryption are that:

We don’t use homomorphic encryption, we use AES.
We can operate at high speed with negligible performance overhead — homomorphic encryption is painfully slow.
We don’t require changes to the application — homomorphic encryption works by requiring the application have prior knowledge of the type of queries it will be executing.

See How Baffle Can Protect Your Data

Schedule a live demo with one of our solutions experts to get answers to your questions

Request A Demo