AWS Redshift Support

Secure the Data Pipeline with Field Level Encryption, Tokenization, Dynamic Data Masking, and Adaptive Access Control

Amazon Redshift Data Encryption

Organizations continue to move more data to the cloud to take advantage of the storage scalability and cloud analytics.  Data warehouse solutions such as AWS Redshift provide flexible access to data analytics on incredibly large volumes of data.

Redshift is one of the most popular cloud data warehouse solutions in the world. Used by tens of thousands of organizations worldwide, Redshift is based on modified PostgreSQL and provided by Amazon Web Services (AWS).

The AWS environment is secured with SSL, IAM and other network/data access controls within the system and each database in a Redshift cluster, but field-level encryption is not part of the offering. This is potentially a serious hole in an organization's security should a breach occur.

As organizations move quickly from on-premises data to cloud data warehouses, security can often be left behind or treated as an afterthought.  And when data protection measures are considered, they can often be deemed too disruptive to applications and business analytics efforts or too complex to implement. Typically, encryption on a data warehouse consumes vast amounts of overhead, or require application re-writes to handle the task of de-identifying and re-identifying data for analysis, querying or reporting.

Baffle Data Protection Services (DPS) for AWS Redshift is a purpose built software solution designed to simplify end-to-end security of the modern data pipeline.  Baffle DPS allows you to deploy a transparent data security mesh that de-identifies data and metadata migrated to cloud storage or staging environments while also supporting masking and access control for AWS Redshift.

Baffle Solution Features

Baffle's Redshift database protection solution is a high-performance product that optimizes and secures data in the pipeline during virtually any work performed in a data warehouse. Baffle offers the following features:

- Seamless integration with database migration services (AWS DMS) or AWS Glue or other ETL solutions to encrypt or tokenize your data on the fly as it migrates from on-premise to cloud.

- Support for multiple modes of encryption, tokenization or format preserving encryption (FPE) to simplify cloud data warehouse protection during user activity at the field level.

- Provides a transparent, no code data security mesh allows applications and SQL type queries to function without any code modifications, while securing access and controlling re-identification of a Redshift database.

- Allows for Amazon Redshift clusters as you need to query your Amazon S3 data, and ability to use Amazon Redshift as part of your VPC configuration for datasets of any size.

No other solution provides a more transparent, and easily deployable solution that helps you deliver security in lock step with the needs of your business.

Watch this demonstration of how Baffle DPS can de-identify data on-the-fly as it is migrated to a cloud data lake and staged in Amazon Redshift

Baffle Data Protection Services

Baffle’s solution simplifies protection of your data in the cloud without requiring any application code modification or embedded SDKs.

How Baffle for AWS Redshift Works

In the demonstration video on this page, we show how simple it is for an AWS account user to move data from a source database in a SQL Server environment, to the Amazon Web Services environment in a de-identified state for further processing or analysis.

This process involves the following steps:

  1. Select data from an on-premise data source with potentially sensitive, cleartext data and move it into Redshift.
  2. With the Baffle Shield as a proxy in the data pipeline, we can move data from a SQL on-premise data source and de-identify it on the fly as it lands in an S3 cloud data lake, without affecting query performance.
  3. We can then stage that data in the S3 bucket for Redshift queries, and it will be in a de-identified state, at rest in the cloud.
  4.  Since the data is de-identified it can be securely stored in the Amazon Web Services environment in any data schema. Should a data breach occur, potentially sensitive data is protected by encryption.
  5. A data user can then perform selective re-identification operations on the data using Baffle for analytics and reporting purposes.

Baffle makes it very easy for customers to go from any source to any destination, land the data in a de-identified state, for any data schema. No need to create clones or to modify into a fixed schema, and no need to transform the data first before moving to cloud - it is all done on the fly.

And this can be done for any data type and for multiple data pipeline engineering structures, whether using DMS, AWS Glue, data streaming with Kafka/Amazon Kinesis, or even a flat-file or semi-structured data that is simply moved into the environment via SFTP.

Below are additional resources if you're interested in learning more or feel free to Request a Demo to speak with one of our solutions architects.

Learn more about Baffle’s Data Protection Services here.

Our Solution

Baffle delivers an enterprise-level transparent data security platform that secures databases via a "no code" model at the field or file level. The solution supports tokenization, format-preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, cloud-native services are easily supported with almost no performance or functionality impact.

Icon Cubes


No application code modification required

Icon Stopwatch


Deploy in hours
not weeks

Icon Bolt


No impact to user

Icon Command


Bring your own key

Icon Padlock


AES cryptographic

Schedule a live demo with one of our solutions experts to get answers to your questions

Related Resources