Baffle offers the easiest to use encryption software, with a "no code" and "low code" approach to de-identifying, tokenizing, or encrypting your sensitive data in the cloud so that it is protected from data breaches.
Baffle Simplifies Data-Centric Encryption
Implementing application encryption software is often time-consuming, costly, and complex. It usually requires developer engagement, application code modification, code reviews, and a delayed-release process. In addition, it can break application functionality, and most developers hate the work associated with implementing it.
The implementation process involves embedding an SDK in your code and implementing some encryption key management exchange method, or worse, obfuscating the key in your code for field-level or column-level encryption. The process is fraught with errors, and after it is completed, you’ll need to go through a security architecture review prior to release. And if you change your application, you need to modify the code and go through review again, slowing down the application release process.
For cloud migrations or data pipelines, organizations are often forced to create clones, transform the data on-premises, or modify legacy applications to effectively tokenize or encrypt the data to address security and data privacy requirements (e.g., GDPR, CCPA).
At Baffle, we believe there’s a simpler way to protect sensitive information from unauthorized access and achieve reliable data encryption protection at the field or record level without all of this overhead (both symmetric and asymmetric encryption methods are heavy users of compute cycles). Baffle’s Data Protection Services provides a simplified “no-code” approach which enables a simple point-and-shoot operation to protect data in flight as it is migrated to the cloud or through the data pipeline. The solution also allows application-level encryption using AES (Advanced Encryption Standard) or tokenization. In addition, Baffle’s encryption solution provides no-code approaches for the following:
- Field Level Database Encryption
- Record Level Encryption
- Tokenization and Format Preserving Encryption (FPE)
- Dynamic Data Masking
- Data-Centric File Protection
Simplifying Application-Level Encryption:
Baffle Data Protection Services consists of three main components:
1. Baffle Manager is the administrative console for the solution that integrates with enterprise key managers and databases and manages the Baffle solution components.
2. Baffle Shield is the SQL / NOSQL proxy that functions to encrypt and decrypt data at the field or record level.
3. Baffle Secure Multiparty Compute (SMPC) is an optional component consisting of stateless servlets that enable secure file computation on encrypted data such as sort, search, wildcard search, and mathematical operations without ever decrypting the underlying values.
Encryption Technology Configuration Overview:
As described below, Baffle's encryption solution can be configured in the main modes listed here. All encryption methods use AES as the encryption algorithm.
1. Standard Encryption: In this mode, Baffle functions as an application-level encryption (ALE) equivalent, encrypting data on a field-level basis. This is performed using Baffle Manager as described above to enumerate the data schema and enable an encryption key mapping.
2. Data Tokenization: Baffle supports a length-preserving and data-type-preserving tokenization method to anonymize data at the field level in databases or in semi-structured data files in cloud data lakes.
3. Record Level Encryption: Baffle can be configured for record-level encryption to support multiple keys within a single column that are mapped to respective data owners or entities. This encryption mode can be used effectively in multi-tenant or shared data environments where segmenting data can be challenging. In this mode, data shredding can be enabled by deleting the public keys and private keys for a respective entity.
4. Data Masking: Baffle can enable simplified data masking to prevent decryption of data and sensitive file information based on configuration or deleted keys. This mode can minimize data exposure in test/dev environments and better control data exfiltration to external parties.
5. Advanced Encryption: Baffle can be configured to enable operations on encrypted data to support optimal application functionality and minimize breakage of business processes. This mode supports “homomorphic-like” operations on encrypted data but uses an AES encryption algorithm. Secure Multiparty Compute (SMPC) is the cryptographic technique that is utilized to enable this method. The method employs a security contract under which encrypted values are never co-mingled with encryption keys, but operations on encrypted data are facilitated via a message-passing protocol between a database and a separate SMPC compute domain. The database functions as an encrypted data store with no key present, and operations are performed in conjunction with the SMPC implementation. Consequently, the data stays encrypted in the data store's memory and while it is being processed. The figure below describes the advanced encryption process that allows operations on encrypted data without any performance impact.
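To make the record-level encryption mode (item 3) concrete, here is an added example in Go. It is not Baffle's code and says nothing about how Baffle Shield or Baffle Manager are implemented; it only demonstrates the mechanism the mode describes: one column, many keys, each key mapped to a data owner, and "shredding" an owner's records by deleting that owner's key. The example assumes symmetric AES-256-GCM keys held in an in-process map (a real deployment would keep them in an external key manager, as the page's Baffle Manager integration suggests), and the column name `ssn`, the tenant ids and the sample values are constructed for illustration. It also binds the row id, entity and column name as authenticated data, so that a ciphertext copied into another row or column fails to decrypt, which is a check a practitioner would want from any field-level scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyRing maps an entity (data owner) id to its AES-256 key.
// Assumption for this example: keys live in process memory; in practice
// they would come from an enterprise key manager.
type KeyRing map[string][]byte

// NewKey generates a fresh random 256-bit key for an entity.
func (k KeyRing) NewKey(entity string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k[entity] = key
	return nil
}

// Shred deletes an entity's key. Its ciphertexts stay in the store but can
// never be decrypted again (crypto-shredding), which is how "data shredding"
// by key deletion works.
func (k KeyRing) Shred(entity string) { delete(k, entity) }

// Row is one record of a column whose values are encrypted per entity.
type Row struct {
	ID     string
	Entity string
	Cipher []byte // nonce || AES-GCM ciphertext || tag
}

// ErrShredded signals that the owning entity's key no longer exists.
var ErrShredded = errors.New("entity key deleted: record is unrecoverable")

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a field value under the owning entity's key. Column name,
// row id and entity are authenticated (AAD) so a ciphertext moved to another
// row or column is rejected on decryption.
func Encrypt(ring KeyRing, column, id, entity, plaintext string) (Row, error) {
	key, ok := ring[entity]
	if !ok {
		return Row{}, fmt.Errorf("no key for entity %q", entity)
	}
	g, err := aead(key)
	if err != nil {
		return Row{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Row{}, err
	}
	aad := []byte(column + "|" + id + "|" + entity)
	ct := g.Seal(nonce, nonce, []byte(plaintext), aad) // prefix nonce to output
	return Row{ID: id, Entity: entity, Cipher: ct}, nil
}

// Decrypt opens a row with its entity's key, returning ErrShredded once the
// key has been deleted and an authentication error if the AAD does not match.
func Decrypt(ring KeyRing, column string, r Row) (string, error) {
	key, ok := ring[r.Entity]
	if !ok {
		return "", ErrShredded
	}
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	n := g.NonceSize()
	if len(r.Cipher) < n {
		return "", errors.New("ciphertext too short")
	}
	aad := []byte(column + "|" + r.ID + "|" + r.Entity)
	pt, err := g.Open(nil, r.Cipher[:n], r.Cipher[n:], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	ring := KeyRing{}
	_ = ring.NewKey("tenant-a")
	_ = ring.NewKey("tenant-b")
	// Constructed sample rows: two tenants sharing one "ssn" column.
	a, _ := Encrypt(ring, "ssn", "1", "tenant-a", "123-45-6789")
	b, _ := Encrypt(ring, "ssn", "2", "tenant-b", "987-65-4321")
	ring.Shred("tenant-a") // tenant-a leaves: delete its key, keep the rows
	_, errA := Decrypt(ring, "ssn", a)
	ptB, _ := Decrypt(ring, "ssn", b)
	fmt.Println("tenant-a after shred:", errA)
	fmt.Println("tenant-b still readable:", ptB)
}
```

Running `go run` on the file shows tenant-a's record failing with the shredded error while tenant-b's row decrypts normally; the point is that no data in the shared column has to be rewritten or deleted to remove one owner's data, which is what makes per-entity keys attractive in multi-tenant stores.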
Baffle Data Protection Services and robust encryption tools vastly simplify encryption, tokenization, masking, and de-identification of sensitive data - from individual file sharing and personal data to PCI DSS, GDPR and HIPAA requirements. Data protection modes include column-level and row-level encryption, format-preserving encryption (FPE), tokenization, adaptive access control for authorized users, and privacy-preserving analytics.
Baffle delivers an enterprise-level transparent data security platform that secures databases via a "no code" model at the field or file level. The solution supports tokenization, format-preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, cloud-native services are easily supported with almost no performance or functionality impact.
- No application code modification required
- Deploy in hours
- No impact to users
- Bring your own key