Protecting Your Data in Your Cloud with the Baffle Data Privacy Cloud

By Harold Byun, VP Products | November 22, 2021

As organizations continue to build out their cloud-based data lakes and analytics environments, there’s a huge push to implement data privacy and de-identification methods for their data. At Baffle, we’ve always held the belief that customers should control their keys and their data, which is why it has been a bit of a shock to see SaaS solutions emerge where providers are holding a company’s most sensitive data in an online tokenization vault.

The notion of giving your most sensitive data to a trusted third party seems fraught with security challenges and potentially bordering on insanity. And advocating that somehow these vaults are impenetrable flies in the face of Zero Trust and seemingly ignores the onslaught of data breaches over the past two decades.

That’s why we’re pleased to announce the launch of Baffle’s Data Privacy Cloud. Our solution gives control to your organization to protect your data with your keys in your own private cloud. The Data Privacy Cloud offers you the ability to establish a data protection service for your organization for any data store and for any application while leveraging the cloud-scale of serverless code functions. Baffle’s solution also supports operations on encrypted data to enable secure computation.

The deployment architecture is depicted below where serverless Amazon Lambda functions sitting behind an API gateway or layer are instantiated to perform encrypt, decrypt, and computation operations on encrypted data. The serverless functions interoperate with key management stores to support BYOK / HYOK via Baffle’s key virtualization layer (KVL).

Baffle’s key virtualization layer supports PKCS #11 for HSM integration, KMIP, and REST API support.  Baffle’s KVL integrates with AWS KMS, Thales, CloudHSM, IBM Key Protect, IBM Hyper Protect Crypto Services, Azure Key Vault, HashiCorp Vault, and others.

Utilizing this method, your data remains encrypted in cloud-based platforms, data lakes and DBaaS solutions and encryption keys remain fully under your control.  The flexibility of the “low code” approach eliminates overhead from your development and devops teams and lets organizations provide a consistent data protection service that can support any application and any data store.

Below are two videos of the Baffle Data Privacy Cloud working with our out-of-the-box integrations for Amazon Redshift and Snowflake. The first integration was developed with guidance from the Amazon Redshift team and shows some of our data transform capabilities including dynamic data masking. The latter shows privacy preserving analytics functioning with data encrypted in the Snowflake platform along with our on-the-fly data pipeline encryption support.

Redshift Demo

Snowflake Demo

You can learn more about our capabilities with the following links: