Baffle offers easy-to-use encryption software with a "no code" and "low code" approach to de-identifying, tokenizing, or encrypting your sensitive data in the cloud, protecting it from data breaches.
Baffle Simplifies Data-Centric Encryption
Implementing application encryption software is often time consuming, costly, and complex. It often requires developer engagement, application code modification, code reviews and a delayed release process. It can break application functionality and most developers hate the work associated with implementing it.
The implementation process involves embedding an SDK in your code and implementing some type of key management exchange method; or worse, obfuscating the key in your code in order to encrypt data at the field level. The process is fraught with errors, and after it is completed you’ll need to go through a security architecture review prior to release. And if you change your application, you need to modify the code and go through review again, slowing down the application release process.
For cloud migrations or data pipelines, organizations are often forced to create clones, transform the data on-premises, or modify legacy applications in order to effectively tokenize or encrypt the data to address security and data privacy requirements (e.g. GDPR, CCPA).
At Baffle, we believe there’s a simpler way to protect sensitive information and achieve reliable data security at the field or record level without all of this overhead. Baffle’s Data Protection Services provides a “no code” method that enables a simple point-and-shoot operation to protect data in flight as it is migrated to the cloud or through the data pipeline. The solution also enables application-level encryption using AES (Advanced Encryption Standard) or tokenization. Baffle’s encryption solution provides no-code approaches for the following:
- Field Level Database Encryption
- Record Level Encryption
- Tokenization and Format Preserving Encryption (FPE)
- Dynamic Data Masking
- Data-Centric File Protection
Simplifying Application-Level Encryption:
Baffle Data Protection Services consists of three main components:
1. Baffle Manager is the administrative console for the solution that integrates with enterprise key managers, databases and manages the Baffle solution components.
2. Baffle Shield is the SQL / NoSQL proxy that encrypts and decrypts data at the field or record level.
3. Baffle Secure Multiparty Compute (SMPC) is an optional component consisting of stateless servlets that enable secure file computation on encrypted data such as sort, search, wildcard search and mathematical operations without ever decrypting the underlying values.
Encryption Technology Configuration Overview:
Baffle's file encryption software can be configured in the main modes described below. All encryption modes use AES as the encryption algorithm.
1. Standard Encryption: Baffle functions as an application-level encryption (ALE) equivalent in this mode encrypting data on a field level basis. This is performed using Baffle Manager as described above to enumerate the data schema and enable an encryption key mapping.
2. Data Tokenization: Baffle supports a length-preserving and data-type-preserving tokenization method to anonymize data at the field level in databases or in semi-structured data files in cloud data lakes.
3. Record Level Encryption: Baffle can be configured for record level encryption to support multiple keys within a single column that are mapped to their respective data owners or entities. This mode of encryption can be used effectively in multi-tenant or shared data environments where segmenting data can be difficult. In this mode, data shredding can be enabled by deleting the keys for a respective entity.
4. Data Masking: Baffle can enable simplified data masking to prevent decryption of data and sensitive file information based on configuration or deleted keys. This mode can be used to minimize data exposure in test/dev environments and to better control data exfiltration to external parties.
5. Advanced Encryption: Baffle can be configured to enable operations on encrypted data to support optimal application functionality and minimize breakage of business processes. This mode supports “homomorphic-like” operations on encrypted data but uses an AES encryption algorithm. Secure Multiparty Compute (SMPC) is the cryptographic technique used to enable this method. The method employs a security contract under which encrypted values are never co-mingled with encryption keys, but operations on encrypted data are made possible via a message passing protocol between the database and a separate SMPC compute domain. As such, the database functions as an encrypted data store with no key present, and operations are performed in conjunction with the SMPC implementation. Consequently, the data stays encrypted in the data store's memory and while being processed. The figure below describes the advanced encryption process that allows operations on encrypted data.
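Record level encryption as in mode 3 above, as an added illustration that is not Baffle's code: one AES-256-GCM key per data owner, with the owner id bound to each ciphertext, so that deleting an owner's key shreds that owner's rows while other owners' rows still decrypt. The KeyStore type, its method names and the tenant ids are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore (constructed example, not Baffle's code) keeps one AES-256-GCM key per data
// owner. Deleting an entry is the "data shredding" step: that owner's rows stay in the
// table but can never be opened again.
type KeyStore map[string]cipher.AEAD

// Provision generates a fresh 256-bit key for an entity from the OS CSPRNG.
func (ks KeyStore) Provision(entity string) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // a CSPRNG failure is not something to continue past
	}
	block, _ := aes.NewCipher(key)       // cannot fail: key length is fixed at 32
	ks[entity], _ = cipher.NewGCM(block) // cannot fail for an AES block
}

func (ks KeyStore) Shred(entity string) { delete(ks, entity) } // crypto-shred this owner

// EncryptField seals one column value under the owner's key. The entity id is bound
// as associated data, so a ciphertext copied into another owner's row will not open.
func (ks KeyStore) EncryptField(entity string, value []byte) ([]byte, error) {
	g, ok := ks[entity]
	if !ok {
		return nil, errors.New("no key for " + entity)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, value, []byte(entity)), nil // nonce || ciphertext || tag
}

// DecryptField fails when the key is gone (shredded), the value was altered, or moved.
func (ks KeyStore) DecryptField(entity string, ct []byte) ([]byte, error) {
	g, ok := ks[entity]
	if !ok {
		return nil, errors.New("no key for " + entity + " (shredded or never provisioned)")
	}
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], []byte(entity))
	}
	return nil, errors.New("ciphertext too short")
}
```

A real deployment would keep the keys in an external key manager rather than in process memory; the map stands in for that lookup here.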
Baffle Data Protection Services and strong encryption tools vastly simplify encryption, tokenization, masking, and de-identification of sensitive data - from individual file sharing and personal data to GDPR and HIPAA requirements. Data protection modes include both column level and row level encryption, format preserving encryption (FPE), tokenization and privacy preserving analytics.
Baffle delivers an enterprise-level transparent data security mesh that secures data at the field or file level via a "no code" model. The solution supports tokenization, format preserving encryption (FPE), database and file AES-256 encryption, privacy preserving analytics and access control. As a transparent solution, cloud-native services are easily supported with almost no performance or functionality impact.
- No application code modification
- Virtually no performance
- Integrates easily into your
- AES encryption in memory, in use,