Secure Cloud Migrations

Baffle® Data Protection Services helps secure your company’s data on-the-fly as you migrate applications and workloads to cloud infrastructure. Data remains protected at run time, in memory, and in search indices without modifying applications or causing application breakage.

Baffle integrates seamlessly into the cloud migration process before the data ever leaves the enterprise. Existing applications such as business intelligence and analytics can access and process the AES encrypted data in the cloud without decrypting it, effectively mitigating the risk of data exposure in the clear at any time in the cloud environment. Additionally, keys used to encrypt and decrypt the data with AES encryption are always in the customer’s control.


As organizations move quickly from on-premises data to cloud data warehouses, security can often be left behind or treated as an afterthought. This results in sensitive data being exposed in the clear in cloud databases or data lakes before native data protection approaches such as Transparent Data Encryption (TDE) are implemented. Other data protection measures such as Application Layer Encryption (ALE) are delivered using a Software Development Kit (SDK) that can be too disruptive to applications and business analytics efforts or too complex to implement. In summary, encryption on a database, data lake or data warehouse consumes vast amounts of overhead, or requires application re-writes to handle the task of de-identifying and re-identifying data for analysis, querying or reporting.

Baffle solves these challenges and provides a fast, easy, and secure solution to help you with your “Lift and Shift” cloud migrations.

Solution Highlights:

  • On-the-fly data encryption as it moves from on-premises to AWS, Snowflake, and other cloud databases
  • No-code and low-code approach means no application changes required
  • High performance architecture ensures low overhead and virtually zero performance impact
  • Integrate seamlessly with AWS Redshift, AWS Data Migration Services, AWS Glue, or other ETL solutions
  • Safe Harbor in event of data breaches
  • BYOK / HYOK capability for control of sensitive data in the cloud
  • Privacy-Enhanced Computation to enable reporting and operations while protecting data-in-use
  • Policy-based field-level control to allow for views based on personas
  • Data de-identification via simplified encryption, tokenization, data masking, and file level encryption
  • Data masking, both static and dynamic with role-based access control to enforce who can see what data
  • Secure data sharing enables powerful multi-party data sharing without compromising privacy
  • Governance and compliance are streamlined for GDPR, CCPA, and modern data privacy regulations

Baffle Data Protection Services

Baffle’s solution simplifies protection of your data in the cloud without requiring any application code modification or embedded SDKs.

How it Works

The Baffle Data Protection Service (DPS) provides a transparent data-centric security layer that offers several modes. Capabilities include data de-identification, tokenization, field level encryption, record level encryption, format preserving encryption (FPE), BYOK for SaaS, dynamic data masking, privacy preserving analytics and secure data sharing.

Baffle’s Data Proxy offers a transparent “no code” approach to enable field or row level encryption of data for data pipelines, ETL, file and object storage and modern data stores that rely on HTTP protocols or REST APIs.

The solution appears to applications and clients as the original data store and can transparently intermediate between the application and data structure. Baffle Data Proxy allows for simplified de-identification of data inside flat files, CSV and other formats to easily de-identify data on-the-fly as it is migrated to the cloud.

These methods support continuous change data capture (CDC) modes and event-based publishing methods to reduce the amount of data pipeline engineering work that your teams need to perform in order to stage data for cloud analytics.

Data Connectors offer support for specific data stores or messaging protocols. Baffle offers connectors for Kafka data streaming, SFTP data transmission, and other protocols to eliminate or minimize application and operational changes and facilitate an on-the-fly method for data protection.

Read the AWS Database Blog on Encrypting Columns Using AWS DMS and Baffle
