AWS Dynamic Data Masking Announcement Solidifies a Commitment to Complete Data Privacy and Security

By Ameesh Divatia, CEO and co-founder | December 8, 2022

An exciting and promising aspect of being in the data security industry is seeing the adoption of technology by major players that will help businesses keep their most valuable IT asset—data—safe. Last week, AWS previewed a new solution for dynamic data masking (DDM) for Amazon Redshift. As an AWS partner, Baffle applauds AWS for this significant achievement.

Why do we feel this capability is so important? 

Redshift DDM allows customers to create views in which sensitive data is replaced with fully or partially masked values, controlled through a familiar SQL interface. Customers can grant different levels of access to masked data by applying Redshift role-based access control. Additionally, customers can apply a conditional mask, which protects a column of data in a table based on the values in one or more other columns.
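As an added illustration (not code from this post, AWS, or Baffle), the following SQL expresses the three behaviors described above, full and partial masks, role-based levels, and a conditional mask, using Redshift's CREATE MASKING POLICY and ATTACH MASKING POLICY statements. The table, column, role, and policy names are hypothetical.

```sql
-- Constructed sample schema; every name below is hypothetical.
CREATE TABLE payments (
    customer_id INT,
    card_number VARCHAR(19),
    is_disputed BOOLEAN
);

CREATE ROLE support_agent;
CREATE ROLE fraud_analyst;

-- Full mask: the default that every user gets unless a role overrides it.
CREATE MASKING POLICY mask_card_full
WITH (card_number VARCHAR(19))
USING ('XXXX-XXXX-XXXX-XXXX'::VARCHAR(19));

-- Partial mask: only the last four characters stay readable.
CREATE MASKING POLICY mask_card_partial
WITH (card_number VARCHAR(19))
USING (('XXXX-XXXX-XXXX-' || RIGHT(card_number, 4))::VARCHAR(19));

-- Conditional mask: the value is revealed only for rows flagged as
-- disputed; the decision depends on another column (is_disputed).
CREATE MASKING POLICY unmask_card_if_disputed
WITH (is_disputed BOOLEAN, card_number VARCHAR(19))
USING (CASE WHEN is_disputed THEN card_number
            ELSE ('XXXX-XXXX-XXXX-' || RIGHT(card_number, 4))::VARCHAR(19)
       END);

-- Attach by role. When several policies apply to the same user,
-- the one with the higher PRIORITY value takes effect.
ATTACH MASKING POLICY mask_card_full
ON payments(card_number)
TO PUBLIC;

ATTACH MASKING POLICY mask_card_partial
ON payments(card_number)
TO ROLE support_agent PRIORITY 10;

ATTACH MASKING POLICY unmask_card_if_disputed
ON payments(card_number)
USING (is_disputed, card_number)
TO ROLE fraud_analyst PRIORITY 20;

-- Audit step: list which policies are attached to which columns and grantees.
SELECT * FROM svv_attached_masking_policy;
```

Reviewing the attachment view after each change confirms that no role was left with an unmasked path to the column.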

Baffle is excited about this technology because it complements its Data Protection Service, a no-code approach to ingest data securely into a data pipeline that feeds a data warehouse like Redshift. It integrates seamlessly with the Amazon Database Migration Service (DMS) as well as data-mover tools, such as AWS Glue. Baffle uses a cryptography-based approach to tokenize sensitive data as it is inserted into Amazon Simple Storage Service (S3) object stores. 

During the presentation at AWS re:Invent 2022 titled “What’s New with Amazon Redshift (ANT201),” the speaker explained that with Baffle, AWS can modify sensitive or PII data based on access control mechanisms and support cell-level and column-level masking based on defined conditions.

The data can then be copied into Redshift using tools such as AWS Redshift Spectrum or AWS Athena, from which it will be consumed by analytics applications or AWS Glue scripts. Redshift DDM completes the end-to-end vision with responsible consumption of sensitive data from the warehouse.

AWS understands the importance of data privacy and security 

This news shows the continued AWS commitment to helping businesses maintain data privacy and security efforts through DDM and other methods. Earlier this year at AWS re:Inforce, Kurt Kufeld, VP of AWS Platforms, made a bold statement in his keynote address, noting, “Encryption is the core component of a good data protection strategy.” He also had a clear and concise call to action: “Encrypt everything.”

We operate in a business environment in which the threats against data are more frequent and complex. Data analytics is the backbone of market differentiation across many industries, and organizations that implement best practices to protect it are simultaneously preventing obstacles to achieving larger business objectives. 

And when you also consider the increasing noncompliance fines from state and international data privacy laws, the stakes to protect data have never been higher. Many organizations are still acclimating to the learning curve related to protecting data in the cloud, so today’s AWS news represents a meaningful step forward. 

How Baffle can help

Baffle’s mission has always been to simplify data-centric protection, and this new offering makes it even easier for Baffle customers to secure their entire data analytics pipeline. With Baffle, customers can encrypt their data before it is even ingested into AWS. They can do so via a no-code approach that requires no application changes. 

Baffle customers can also protect data via tokenization with format-preserving encryption, field- or column-level encryption, and even row-level encryption. Through bring-your-own-key capabilities, Baffle makes it simple for customers to use their own encryption keys, preventing the cloud provider from accessing their data.

Since most organizations work across multiple clouds, Baffle gives customers a centralized data management control pane to protect data across multiple clouds and on-premise databases. Baffle works seamlessly with several AWS services, including Relational Database Service (RDS), Redshift, S3, DMS, KMS, CloudHSM, and Aurora.

Data privacy and security in the cloud can seem complex. Organizations must have partners who understand today’s challenges while planning for new obstacles that may emerge down the road. As experts in data privacy, cloud security, and compliance, AWS and Baffle are well-positioned together to help customers protect their data effectively for current and future requirements.
