Enhance your data security posture with a no-code approach to application-level encryption

Data is the lifeblood of every organization. As your organization’s data footprint expands across clouds and between your own business lines to drive value, it is essential to secure data at every stage of cloud adoption and throughout the data lifecycle.

While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance your data security, privacy and sovereignty posture.

Why should you consider application-level encryption?

Figure 1 illustrates a typical three-tier application deployment, in which the application back end writes data to a managed Postgres instance.


Figure 1: Three-tier application and its trust boundary

If you look at the high-level data flow, data originates from the end user and is encrypted in transit to the application, between application microservices (UI and back end), and from the application to the database. Finally, the database encrypts the data at rest using either a bring your own key (BYOK) or a keep your own key (KYOK) strategy.

In this deployment, both runtime and database admins are inside the trust boundary, which means you are assuming no harm from these personas. However, as analysts and industry experts point out, there is a human element at the root of most cybersecurity breaches. These breaches happen through error, privilege misuse or stolen credentials, and this risk can be mitigated by placing these personas outside the trust boundary. So, how can we enhance the security posture by efficiently placing privileged users outside the trust boundary? The answer lies in application-level encryption.

How does application-level encryption protect against data breaches?

Application-level encryption is an approach to data security in which data is encrypted within the application before it is stored or transmitted through other parts of the system. This approach significantly reduces the potential attack points by shrinking the data security controls right down to the data itself.

By introducing ALE to the application, as shown in Figure 2, we help ensure that data is encrypted within the application. It remains encrypted for the rest of its lifecycle, until it is read back by the same application.


Figure 2: Protecting sensitive data with application-level encryption

This helps make sure that privileged users on the database side (such as database administrators and operators) are outside the trust boundary and cannot access sensitive data in clear text.

However, this approach requires changes to the application back end, which places another set of privileged users (the ALE service admin and security focal) inside the trust boundary. It can also be difficult to confirm how the encryption keys are managed in the ALE service.

So, how are we going to bring the value of ALE without such compromises? The answer is a data security broker.

Why should you consider Data Security Broker?

IBM Cloud® Security and Compliance Center (SCC) Data Security Broker (DSB) provides application-level encryption software with a no-code-change approach to seamlessly mask, encrypt and tokenize data. It enforces role-based access control (RBAC) with field- and column-level granularity. DSB has two components: a control plane component called DSB Manager and a data plane component called DSB Shield, as shown in Figure 3.


Figure 3: Protecting sensitive data with Data Security Broker

DSB Manager (the control plane) is not in the data path and now runs outside the trust boundary. DSB Shield (the data plane component) seamlessly retrieves the policies (encryption, masking and RBAC) and uses the customer-owned keys to enforce them, with no code changes to the application.

Data Security Broker offers these benefits:

  • Security: Personally identifiable information (PII) is anonymized before ingestion into the database and is protected even from database and cloud admins.

  • Ease: The data is protected where it flows, without code changes to the application.

  • Efficiency: DSB supports scaling and, to the end user of the application, this results in no perceived impact on application performance.

  • Control: Access to data is governed by keys under customer-controlled key management.

Help to avoid the risk of data breaches


Data breaches come with the high cost of time-to-address, the risk of industry and regulatory compliance violations and associated penalties, and the risk of loss of reputation.

Mitigating these risks is often time-consuming and expensive because of the application changes required to secure sensitive data, as well as the oversight required to meet compliance requirements. Making sure your data protection posture is strong helps avoid the risk of breaches.


IBM Cloud Security and Compliance Center Data Security Broker provides no-code application-level encryption on IBM Cloud and, with IBM Cloud Satellite®, in hybrid multicloud environments, to protect your application data and enhance your security posture toward zero trust guidelines.

Get started with IBM Cloud® Data Security Broker today
