Database Encryption

Without any application code changes, the solution tokenizes and encrypts data in Postgres, MySQL, MariaDB, and Microsoft SQL Server at the field or row level. 

Database encryption is an additional layer of security that can be used to protect against data breaches. Sensitive information, such as credit card numbers or personally identifiable information (PII), can get into the wrong hands even with the most sophisticated and complex protection measures in place. Database encryption ensures that even if someone gains access to the data, it is incomprehensible and cannot be used.

Relational databases such as MySQL/MariaDB, Postgres, Microsoft SQL Server, AWS Redshift and Snowflake provide various encryption options for both data at rest and data in motion, and most database engineers are using one or more of the many encryption types available today.

The typical database encryption methods for encryption at rest, known as Transparent Database Encryption (TDE), were designed to protect against physical data theft or data center break-ins.

But to assume this type of encryption will keep you safe from a data breach is short-sighted, because today’s data centers and databases in the cloud are not being hacked this way (see “Why You Can’t Stop Data Breaches”).

What’s needed is a data-centric, rather than a container-based, protection method. 

But that raises another valid concern: don’t these column or field level encryption methods result in reduced performance? And won’t they require changes to application code or complex deployment and management? 

Most of the time, the answer is yes, and quite often the development impact and performance trade-offs rule out this more robust database encryption model. Instead, companies decide to expose their data and risk a breach rather than pay the cost of more performance overhead and additional development resources.

Baffle addresses these trade-offs to provide database encryption options for Postgres, MySQL, MariaDB, Microsoft SQL Server, AWS Redshift, and Snowflake with a simplified no-code data protection model.

Baffle’s invisible data protection layer secures your data in databases, storing encrypted data with no encryption key present and with virtually no performance overhead.

  • Support for Postgres, MySQL, MariaDB, Microsoft SQL Server, AWS Redshift, and Snowflake
  • Support for AWS RDS, Microsoft Azure, Google Compute Platform (GCP), IBM Cloud
  • Support for database migration services such as AWS DMS and Microsoft Azure
  • Out-of-the-box integration with encryption key management solutions - AWS KMS, Azure Key Vault, HashiCorp Vault
  • Simplified "no code" deployment model
  • Supports cloud native services and container-based environments
  • Fast performance with minimal overhead 

Baffle’s security contract ensures that the key and encrypted data are never co-mingled, reducing the risk of insider threat, privileged access and side channel attacks.

Baffle’s solution provides no-code approaches to the following for Postgres, MySQL/MariaDB, SQL Server, AWS Redshift, and Snowflake:

  • Field Level Encryption
  • Record Level Encryption
  • Tokenization and Format Preserving Encryption (FPE)
  • Dynamic Data Masking
  • Data-Centric File Protection

Baffle Shield placement within a traditional application and database architecture.

Postgres Encryption Demo

Watch this 2 minute 30 second video on encryption of an AWS RDS Postgres database. It shows an in-place migration to demonstrate how transparently Baffle can enable simplified data protection.

Simplifying Encryption White Paper

Baffle Advanced Data Protection solution aims to make encryption simple to adopt without disrupting existing application functionality – it protects data all the way up to a record level granularity and supports four modes of protection depending on the level of security desired.

Cloud Data Protection Platform

Baffle’s solution simplifies protection of your data in the cloud without requiring any application code modification or embedded SDKs.

Related Resources

Tokenize and de-identify data in AWS RDS in less than 10 minutes

We’re pleased to be partnered with AWS to deliver a seamless data protection solution for Amazon RDS and have co-authored this Amazon Partner Network (APN) blog that details the joint solution.

Supported Encryption Modes

Baffle supports multiple encryption modes including NIST certified and FIPS validated AES modes. Below is a listing of different encryption options available.

Tokenize Your Data in AWS RDS with AWS KMS

Watch this webinar to learn about different tokenization and data encryption techniques and see how you can stand up a demo of Baffle's Data Protection Services in conjunction with AWS RDS and AWS KMS in a matter of minutes.

Our Solution

Baffle delivers a transparent data protection service layer that secures data at the field or file level via a "no code" model. The solution supports tokenization, format preserving encryption (FPE), database and file AES-256 encryption, privacy preserving analytics and access control. As a transparent solution, cloud native services are easily supported with almost no performance impact.

Simple

No application code modification required

Fast

Virtually no performance impact

Seamless

Integrates easily into your infrastructure

Secure

AES encryption in memory, in use, and at-rest
