Strengthen your data security posture with a no-code approach to application-level encryption.
Data is the lifeblood of any organization. As an organization’s data footprint expands and creates value across the cloud and across business lines, it is essential to protect data at all stages of cloud adoption and throughout the data lifecycle.
There are a variety of mechanisms available to encrypt data throughout its lifecycle (in transit, at rest, and in use), but Application Level Encryption (ALE) provides an additional layer of protection by encrypting data at source. ALE can strengthen data security, privacy, and sovereignty.
Why should you consider application-level encryption?
Figure 1 shows a typical three-tier application deployment where the application backend writes data to a managed Postgres instance.
Looking at the high-level data flow, data is encrypted as it travels from the end user to the application, between application microservices (UI and backend), and from the application to the database. Finally, the database uses a bring-your-own-key (or keep-your-own-key) strategy to encrypt data at rest.
In this deployment, both the runtime manager and the database manager are within the trust boundary. This means that we assume no harm is caused by these personas. But as analysts and industry experts point out, there is a human element to the root cause of most cybersecurity breaches. These breaches occur through errors, misuse of permissions, or stolen credentials, and placing these personas outside of the trust perimeter can mitigate these risks. So how can you strengthen your security posture by effectively placing privileged users outside of the trust boundary? The answer lies in application-level encryption.
How does application-level encryption protect against data leaks?
Application-level encryption is an approach to data security that encrypts data within an application before it is stored or transmitted through other parts of the system. This approach reduces data security controls down to the data, significantly reducing the variety of potential attack surfaces.
By introducing ALE into your application, as shown in Figure 2, you can ensure that data is encrypted within your application. It remains encrypted throughout its life cycle until it is read again by the same application in question.
This helps ensure that privileged users on the front end of the database (such as database administrators and operators) cannot access sensitive data outside of the trust boundary and in plain text.
However, this approach requires changes to the application backend, which requires placing a different set of authorized users (ALE service administrator and security focus) within the trust boundary. It can be difficult to determine how encryption keys are managed in ALE services.
So how can you bring the value of ALE without making such compromises? The answer is through data security brokers.
Why should you consider a data security broker?
IBM Cloud® Security & Compliance Center (SCC) Data Security Broker (DSB) provides application-level encryption software with a no-code approach to seamlessly mask, encrypt, and tokenize data. Enforce role-based access control (RBAC) with field- and column-level granularity. DSB has two components: a control plane component called DSB Manager and a data plane component called DSB Shield, as shown in Figure 3.
The DSB manager (control plane) is not in the data path and is currently running outside the trust boundary. DSB Shield (a data plane component) seamlessly discovers policies such as encryption, masking, and RBAC and uses customer-owned keys to enforce them without any code changes to your application!
A data security broker offers the following benefits:
- security: Personally identifiable information (PII) is anonymized before being collected in the database and is also protected from database and cloud administrators.
- facility: Data is protected where it flows without changing the application’s code.
- efficiency: DSB supports scaling and there is no impact on application performance for end users of the application.
- control: DSB provides customer-controlled key management access to data.
Helps prevent data leak risks
Data breaches carry high costs in resolution time, risk of industry and regulatory compliance violations and associated penalties, and risk of reputational damage.
Mitigating these risks is often time-consuming and costly due to the application changes required to protect sensitive data and the oversight required to meet compliance requirements. Maintaining a strong data protection posture will help prevent the risk of a breach.
IBM Cloud Security and Compliance Center Data Security Broker provides IBM Cloud and hybrid multicloud with IBM Cloud Satellite® no-code application-level encryption to protect application data and strengthen your security posture for Zero Trust guidelines.
Get started with IBM Cloud® Data Security Broker today
Was this article helpful?
yesno