Baffle provides BYOK and record level encryption for multi-tenant SaaS
The SaaS Business vs. Security Trade-off
The shift to cloud-based software delivery has revolutionized how enterprises use software. Software-as-a-service (SaaS) has become the predominant way companies adopt software, resulting in huge amounts of data being entrusted to SaaS providers.
You may be in the business of delivering a SaaS service, and key customers are demanding enhanced security measures, auditors are breathing down your neck, or your legal team, risk team or board has concerns over pending privacy regulations. All the while, your customers are asking for this feature and that feature, and competition is heating up.
This leaves you with the business dilemma of building out features and functionality to delight your customers and compete in the market or building out security platform capabilities. Alternatively, you could attempt to do both if you have a bottomless budget and can get developers, or you could opt to dedicate instances for big clients, which is operationally and cost inefficient.
Or, you could implement an off-the-shelf BYOK service that supports multiple keys in multi-tenant environments, while requiring no architectural or application code changes. The transition can be isolated and you can remain focused on running your core business and service.
Simplified BYOK for SaaS
What if there was an easier way to deliver a solution to the above scenario? What if you could satisfy enterprise customers with stringent security requirements without having to modify your applications, hundreds of microservices or dedicate instances to that customer?
Baffle provides a BYOK platform for SaaS providers that supports customer-owned keys and secures data at the record level in a multi-tenant environment, without requiring application and architectural changes or dedicated instances. The solution is in production globally with SaaS providers in environments in excess of several billion records, with virtually no discernible performance overhead (1-2 ms overhead in measured environments).
This satisfies the compliance requirements of your largest customers, gives them ownership of their key, gives them a right of data revocation, and frees you up to do what you do best — build a world-class application and service.
Baffle’s key virtualization layer integrates with HSMs, cloud key managers, and secrets managers to easily source customer-owned keys. This key integration can be added to cloud native services with no redesigns or application code changes.
With Baffle Data Protection Services, you can avoid being forced into trade-offs around product development and features versus building out core platform security capabilities. You can simplify your security implementation at a lower operational and, perhaps more importantly, opportunity cost.
And finally, in the words of one of our customers, "after we looked at the performance numbers, it was game over." In other words, our solution has been highly optimized and has been measured at one to two millisecond overhead in a global deployment with hundreds of microservices.
A Technical Overview of Baffle Hold Your Own Key (HYOK) and Record Level Encryption (RLE)
This paper provides a technical overview of Baffle’s HYOK implementation and how it can be applied to provide RLE in multitenant or shared data stores.
Interested in a headless deployment? Pull our Docker image to get up and running in minutes. Contact [email protected] for more info.
- Download the white paper on Simplified Application Level Encryption
- See record level encryption in action in our “Ensuring Data Privacy in SaaS” webinar
- Encryption methods — ALE, FLE, RLE, TDE?? What the heck’s the difference?
- Schedule time with a security specialist to discuss your requirements and how we can help
“Customers are demanding support for Bring Your Own Key (BYOK) to enable ownership of their encryption key material and have control over their data with revocation rights. Workiva is building AWS KMS key management into the core of our platform, where customers can bring in encryption key material and manage it, and then use those keys in conjunction with Baffle. The joint solution requires no large-scale architectural overhauls or application changes, or dedicated databases per tenant. As a result, development time is instead being spent adding even higher value add enhancements instead of modifying the architecture and application, and Baffle allows us to execute on that vision.”
Security Architect, Workiva
Baffle delivers a transparent data protection service layer that secures data at the field or file level via a "no code" model. The solution supports tokenization, format preserving encryption (FPE), database and file AES-256 encryption, privacy preserving analytics and access control. As a transparent solution, cloud native services are easily supported with almost no performance impact.
No application code modification
Virtually no performance
Integrates easily into your
AES encryption in memory, in use,