Simplified secure tokenization with no code changes
Tokenization is a data de-identification process of replacing sensitive data fields with a non-sensitive value, i.e. a token, thus mitigating the risk of data exposure. This is commonly used to protect sensitive information such as credit card numbers, social security numbers, bank accounts, medical records, driver's licenses, and much more. Tokenization is often mandated by major regulations such as PCI DSS and HIPAA.
Baffle Data Protection Services (DPS) provides a modern data security platform that is easy to deploy, is highly secure and performant, and does not require the use of token vaults. Its innovative "no code" approach eliminates the need for any application changes. Baffle supports multiple database and file encryption modes including NIST certified and FIPS validated AES modes.
- De-identify data sets whether in the cloud, on-premises, or in hybrid environments
- Tokenize data inside data lakes, databases, objects, and files
- Highly performant and highly secure using Format Preserving Encryption (FPE) algorithm
- Easily tokenize data with "no code" changes
- Accelerate compliance with data privacy regulations such as PCI, HIPAA, GDPR, and CCPA
- Safe harbor from accidental data leaks from key privacy and compliance regulations
- Mitigate insider threat and privileged access user risk
- Maintains protected data's referential integrity
- Meet Luhn check requirements for credit card data
Data Protection in the Cloud
Enterprise data growth has continued exponentially, and the migration to cloud data lakes has become a major trend, allowing big data environments to expand flexibly and without limit. As more organizations use cloud data lakes for business analytics, machine learning and artificial intelligence, specific data privacy challenges are emerging.
The explosion of data has led to another trend - the inadvertent exposure or misconfiguration of data in some cloud-based environments. There is an obvious need to de-identify the underlying encrypted data or the data inside cloud data lakes, while still permitting the business to take advantage of big data technologies such as analytics and AI modeling. And format-preserving encryption allows you to keep the data format and datatype while avoiding the need for any of the data to be in cleartext.
In the cloud providers' "shared responsibility model", the provider is responsible for providing security of the underlying infrastructure and the data centers, while the customer is responsible for the data put into the cloud. So de-identification means de-identifying the actual data values or protecting the underlying original values that are being put in.
Unfortunately, many de-identification and decryption methods require additional development or altering the data pipeline, and as a result either slow down the use of cloud-based analytics or leave data potentially exposed. Further, de-identification represents only part of the challenge as new methods to access and warehouse data can limit use-cases where authorized re-identification or analysis of data may be required.
Blog: Tokenize and de-identify data in AWS RDS in less than 10 minutes
Baffle Data Protection vs Legacy Tokenization Solutions
|Legacy Tokenization||Baffle Data Protection Service|
|Data Transformation||Data replaced with a token||Data tokenized with AES-256 bit keys for Format-Preserving Encryption (FPE)|
|Security||Vaulted tokenization is vulnerable to frequency attacks like Chosen Plaintext Attack (CPA) and is heavily dependent on the cardinality of the data fields.||Baffle offers FPE which is a mathematical transformation that is accelerated by the AES-NI instruction set and is proven to be cryptographically secure with no data dependence whatsoever|
|Application Impact||Requires applications to access a cloud-based API which implies that the source code has to be available or being developed in-house and manage keys required for encryption||Requires a network layer connection only eliminating the need to change an existing application completely relieving application developers of the burden of integrating a service or managing keys|
|Storage Requirements||Vaulted would require a lookup table that is the same size as the database doubling the storage needed. Vaultless requires a smaller table but sacrifices security||FPE does not add any storage needs since it preserves the format of the original data|
|Performance||Every entry into the data store requires a lookup to ensure that each token is unique. The same process is repeated for incremental additions to the data store as well.||FPE is a mathematical transformation accelerated by AES-NI instructions on a processor so executes a factor of magnitude faster than vaulted or vaultless tokenization.|
Baffle delivers an enterprise-level transparent data security platform that secures databases via a "no code" model at the field or file level. The solution supports tokenization, format-preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, cloud-native services are easily supported with almost no performance or functionality impact.
No application code modification required
Deploy in hours
No impact to user
Bring your own key
How It Works
Baffle's SQL Proxy offers a transparent "no code" approach to enable field or row level encryption of data. The solution appears to applications and clients as the original database and always presents the original data schema to the application. It functions by creating a key mapping to data fields and performing encrypt and decrypt operations on-the-fly for any application query.
Applications or entire app tiers are redirected to the SQL proxy via a simple connection string change. This can also be implemented by a DNS hostname change. Application connections are proxied to the database on a one-to-one basis and the solution is deployed inline with several Fortune 100 organizations at scale.
Baffle DPS provides a key virtualization layer (KVL) to allow for integration with virtually any key management solution. The KVL enables orchestration of key generation, key rotation and mapping to application fields without embedding SDKs or figuring out key exchange and storage protocols. Baffle supports a two tier key management hierarchy with a master key (e.g. CMK, KEK) and a data encryption key (DEK). The DEKs are encrypted with the master key for protection and simplified key rotation.
At no time are any keys or data persisted by the Baffle solution.
Schedule a live demo with one of our solutions experts to get answers to your questions