How it Works

Advanced Data Protection

Baffle’s solution is an advanced data protection solution for two main reasons:

  1. The solution delivers application level encryption via a “no code” model.
  2. The technology provides “homomorphic-like” functionality, meaning it enables mathematical operations, sorting and searching on AES-encrypted data without ever decrypting the underlying values in memory, in process, or at rest.

We know these are some bold claims, but this is not snake oil or BS. We’ve proven it out with multiple skeptics and are happy to walk you through the solution.

Application Tier

The solution simplifies encryption implementation by delivering application-level encryption via a “no code” abstracted data model that does not require any application-tier code changes. This enables support for commercial off-the-shelf (COTS) applications, custom apps, and cloud migrations without modifying code.

Data Interface

Baffle encrypts data via the Baffle Shield. Baffle Shield operates below the SQL or NoSQL interface layer so that the application does not know it exists. The application uses the original data schema, ensuring that no application code modifications are required.

The solution operates below the driver layer, so the original database drivers can also be used. The flexible deployment model means that traditional application and data tier architectures can be supported, as well as microservices and API-based data access methods.

Baffle Shield

Baffle Shield is an encryption engine that integrates with customer-owned keys to encrypt data. Baffle Shield operates in a manner that is invisible to applications, which enables Baffle to support virtually any application with no code modification. The flexible architecture model allows support for complex encryption scenarios such as API-based communications, machine-to-machine traffic, and automation workflows.

Baffle Manager

Baffle Manager is the management console for the advanced data protection solution. The reality is that deploying encryption is complex and difficult. Much harder than it needs to be. Baffle Manager streamlines the deployment of encryption by enumerating the data schema and mapping keys to confidential data, and by virtualizing the key management layer to simplify encryption key management for KMSs or HSMs. The result is less time configuring, re-configuring, rotating and integrating encryption with your apps, and faster deployment times for getting your applications protected the right way.

Virtualized Key Management

Baffle can simplify key management by creating key mappings from multiple heterogeneous key management systems (KMS) and hardware security modules (HSM) to provide an abstracted key management layer. This allows organizations to unify the management tasks and policies for encryption keys rather than using several disjointed solutions, simplifying a critical security function and improving operational efficiency.

Baffle integrates with KMSs via KMIP and with HSMs via PKCS #11 libraries, and also supports AWS KMS and Azure Key Vault.

Database Tier

The database tier stores encrypted data with no encryption key present. Baffle’s security contract ensures that the key and the encrypted data are never commingled, reducing the risk of insider threat, privileged access abuse and side-channel attacks.

The database communicates with Baffle’s Secure Multi-party Compute (SMPC) to execute operations on the encrypted data values. This patented method prevents the data from being decrypted in memory or in process, but still allows mathematical operations to occur on the encrypted data.

The benefit is stronger data protection for security teams and no breakage in application functionality for the business.

Secure Multi Party Compute

SMPC is Baffle’s patented cryptographic technique to enable computation on encrypted data at speed. The solution takes computational requests — such as a sort, a wildcard search or a math operation — breaks the operation apart across distributed stateless servlets, and returns the results in encrypted form. This enables operations on encrypted data without ever decrypting the original values of your sensitive or confidential data.

The main differences between our SMPC approach and homomorphic encryption are that:

  • We don’t use homomorphic encryption; we use AES.
  • We can operate at high speed with negligible performance overhead — homomorphic encryption is painfully slow.
  • We don’t require changes to the application — homomorphic encryption works by requiring that the application have prior knowledge of the type of queries it will be executing.

Simple to Deploy: No application code modification required

Baffle requires no changes to application tier code. The application operates as normal without embedding an SDK or library and commercial off-the-shelf (COTS) apps can be supported.

Fast Performance: Virtually no performance impact

Baffle has negligible impact on base-level store and retrieve operations. Advanced operations on encrypted data are typically in line with transparent data encryption (TDE) overhead metrics.

Full Functionality: Does not break your apps

Baffle supports sort, wildcard search, and mathematical operations on encrypted data without decrypting the data. This ensures that data is protected at all times without compromising application functionality for your users or requiring application modification.

Strong Security: AES encryption in use, in memory, at-rest

Baffle uses industry standard AES encryption and protects data in memory, in use and at-rest while allowing secure computation to occur on encrypted data.
