Apache Kafka® Support
Secure the Data Pipeline with Field Level Encryption and Tokenization
Apache Kafka® Encryption
Apache Kafka is a powerful platform for streaming big data in real time for multiple providers and use cases, including data analysis downstream. Thousands of enterprises rely on Apache Kafka, as an open-source distributed event streaming platform, for high-performance data pipelines, streaming analytics, and data integration. It is often used to move data from a traditional database or file storage into a modern analytic data warehouse like Snowflake® or Amazon Redshift or Apache Pinot™.
However, putting sensitive data in the clear can create massive security and compliance issues. The challenge is that legacy data encryption methods are not sufficient as they do not allow control over who can see what data and can also impede downstream data analytics and third party applications.
Baffle® Data Protection Services (DPS) Transform for Kafka is a purpose built software solution designed to simplify end-to-end security of the modern data pipeline.
Baffle DPS allows you to deploy a transparent data security mesh that encrypts or tokenizes sensitive data while it is being moved from a traditional database to a modern analytic data warehouse. This data-centric security approach ensures that no cleartext data is exposed in the analytics pipeline preventing the possibility of sensitive data from being stolen. With Baffle DPS, Kafka can implement functionality that provides end to end encryption of messages - with the consumer only being able to decrypt the Kafka topic from the Kafka broker if they have been granted the proper access.
How Baffle for Kafka Works
Kafka Connect ingests data into a Kafka Cluster from traditional database and dumps the data into modern analytic data warehouses. Kafka Connect enables connectivity between a source data store and a Kafka cluster or between a Kafka cluster and a destination data store.
The Simple Message Transform (SMT) capability allows a custom transformation engine to be plugged into a Kafka connector to transform data from its original value as it is being ingressed/egressed from Kafka. The Baffle Transform using SMT provides a way to encrypt or tokenize the Kafka stream, or sensitive data, while it is being moved from a traditional database to a modern analytic data warehouse. This data-centric security approach ensures that no cleartext data is exposed in the analytics pipeline preventing the possibility of sensitive data from being stolen.
Data is transported from a data source to the Confluent Kafka cluster through Kafka Connect where the Baffle Transform plug-in tokenizes sensitive data at a field level granularity.
For consumption, the encrypted data is transported from a Confluent Kafka cluster to a data store through Kafka Connect where the Baffle Transform plug-in restores sensitive data at a field level granularity with de-tokenization or decryption to its original values.
The Baffle Single Message Transform can be integrated with:
- Kafka Connect
All Sink and Source Connectors are supported:
- Sources and Sinks: Reads and writes data to the Confluent Platform (using the consumer/producer API)
Baffle SMT is compatible with the following:
- Confluent 5.0.X and above
- Kafka 2.0.x and above
- Kafka Connect 5.0.X and above
Baffle delivers an enterprise level transparent data security mesh that secures data at the field or file level via a "no code" model. The solution supports tokenization, format preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, cloud native services are easily supported with almost no performance or functionality impact.
No application code modification
Virtually no performance
Integrates easily into your
AES encryption in memory, in use,
How to De-Identify Apache Kafka Data Streams
Learn how modern data protection technologies can be used to easily de-identify & re-identify Kafka data streams to share sensitive data securely between internal and external audiences & data domains.
De-identifying Data in Snowflake and Amazon Redshift
Tokenize Your Data in AWS RDS with AWS KMS
Watch this webinar to learn about different tokenization and data encryption techniques and see how you can stand up a demo of Baffle's Data Protection Services in conjunction with AWS RDS and AWS KMS in a matter of minutes.