Encrypting personally identifiable information (PII) across distributed multicloud environments is a complex undertaking, with enterprise security teams navigating a range of risk and compliance requirements. IBM claims its new IBM Cloud Security and Compliance Center Data Security Broker can reduce that complexity and protect PII at the database-field and file level.
The upgraded IBM Cloud Security and Compliance Center provides format-preserving encryption (FPE) to protect PII from anyone — including threat actors, cloud providers, and privileged insiders. IBM licensed the data security broker technology used in the Security and Compliance Center from Baffle. The database encryption company describes its data security broker as cloud-native software that supports AES-256 encryption, FPE, tokenization, masking, de-identification, and role-based access control.
Baffle’s software provides file and database field security without requiring changes to applications’ code, one of the leading barriers to migrating from on-premises data stores to multicloud. “Every app, every service, every team needs to make those changes, and it is not scalable,” says Nataraj Nagaratnam, an IBM Fellow and CTO of IBM Cloud Security.
“With this mechanism, they don’t need to make those code changes,” he adds. “We understand how to connect to the database based on this policy. We will encrypt or decrypt and tokenize as it goes to the database and comes back.”
The IBM Cloud Security and Compliance Center is embedded in the IBM Cloud management platform.
Current Multicloud Database Protection Approaches
According to a recent Harris Poll commissioned by IBM, 77% of IT and business leaders are implementing hybrid cloud technology to enable their digital transformation initiatives. However, 53% believe an increase in regulations adds to their compliance challenges, while nearly one-third reported that the increased regulations have posed a considerable barrier in their efforts to migrate their workloads to hybrid environments.
Organizations seeking to implement advanced data encryption in transit, a necessity for distributed cloud environments, have alternatives, though Baffle founder and CEO Ameesh Divatia says they all require application development resources or infrastructure changes. Among them are key management systems and hardware security modules from providers such as Thales, Entrust, and HashiCorp.
Another alternative is Intel’s Software Guard Extensions (SGX), which adds confidential computing to servers that run its Xeon Scalable Processors. “That requires a pretty big overhaul of the infrastructure where they have to replace the existing processors with the latest Intel processors and enable these enclaves so that the data inside that processor memory is not visible,” Divatia says. “Ours is a pure software solution. We don’t need any hardware assistance. It is completely portable. And that’s what makes it compelling.”
Building on the existing key management capability of IBM Cloud Security and Compliance Center, Baffle’s data security broker gives customers more control of how sensitive data is encrypted, including who has access to keys.
“Customers can have not only complete control of the keys, which we have been doing for a while, but now they have complete control of the specific sensitive data, and they can be confident in how they manage it,” Nagaratnam says.
Invoking BYOK and KYOK
Baffle’s tool invokes IBM’s Bring Your Own Key (BYOK) and Keep Your Own Key (KYOK) capabilities. Divatia believes IBM is currently the only cloud service provider that can cryptographically guarantee that its administrators can’t see their clients’ data when using its Data Security Broker.
“The keys are controlled by the customer, and the data itself is in their virtual private cloud,” Divatia explains. “The database itself is hosted by IBM, but the contents of the database are encrypted at all times, including when they are being processed.”
Baffle's software is built to work with the user-defined functions (UDFs) supported by open source databases such as PostgreSQL and MySQL, as well as by the cloud data services Snowflake and Amazon Redshift. The implementation of the data security broker that Baffle currently provides to IBM runs in a PostgreSQL server. “We will continue to expand the database and object store support moving forward,” Nagaratnam says.
IDC group VP for security and trust Frank Dickson says he’s unaware of any comparable offering that currently addresses the expanding slate of risk and compliance requirements. “The complexity of evolving data privacy, sovereignty and compliance standards for organizations is punishing,” Dickson says.
Because every country has different legal frameworks, multinational enterprises can quickly and unwittingly fall out of compliance with new regulatory standards, especially as they migrate sensitive data among hundreds of SaaS applications, as well as various PaaS, IaaS, and on-premises environments, according to Dickson. “The expansion of the IBM Cloud Security and Compliance Center looks to provide multinationals with tools to address the problem,” he says.
Given the cloud migration imperative, Baffle’s Divatia emphasizes the implications of field-level encryption when moving from on-premises databases to these distributed multicloud environments. Organizations have historically relied on transparent data encryption (TDE) for on-premises databases, but TDE only protects data at the infrastructure layer: it encrypts the database files on disk and decrypts them transparently for any authenticated query, so a compromised database account, a privileged DBA, or a bulk export still sees plaintext. According to Divatia, TDE doesn’t protect data once it’s extracted from the infrastructure. “Anytime a database is not encrypted at the application layer, you have this vulnerability,” he says.
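To make the broker model and the TDE caveat concrete, here is an added example that is not Baffle's or IBM's code and does not use the product's real cipher. It models a policy-driven field broker sitting between an application and a database, as described by Nagaratnam above: a per-table, per-column policy (the hypothetical `POLICY` dict and `FieldBroker` class are assumptions for illustration) decides which columns are encrypted with a randomized authenticated cipher and which are tokenized deterministically so equality lookups keep working. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen only so the block runs on the Python standard library; a real deployment would use AES-256-GCM or FPE with a key held in the customer's KMS (BYOK/KYOK). The closing `demo()` contrasts what the application sees through the broker with what a DBA or cloud operator sees by querying the table directly, which is exactly the view TDE would leave in plaintext.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key. In the product described in the article the key would be
# held in the customer's own KMS (BYOK/KYOK); it is derived from a fixed string
# here only so the example runs offline.
MASTER_KEY = hashlib.sha256(b"demo-tenant-master-key").digest()

# Hypothetical policy (assumption for illustration): treatment per table/column.
POLICY = {"customers": {"ssn": "encrypt", "email": "tokenize"}}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in stream cipher (use AES-GCM in practice)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_field(value: str, key: bytes = MASTER_KEY) -> str:
    """Randomized, authenticated encryption of one field (encrypt-then-MAC); same input never repeats."""
    nonce = os.urandom(12)
    plaintext = value.encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return "enc:" + (nonce + ciphertext + tag).hex()


def decrypt_field(stored: str, key: bytes = MASTER_KEY) -> str:
    """Verify the tag before decrypting; a modified ciphertext is rejected, not silently decrypted."""
    raw = bytes.fromhex(stored[len("enc:"):])
    nonce, ciphertext, tag = raw[:12], raw[12:-16], raw[-16:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode("utf-8")


def tokenize_field(value: str, key: bytes = MASTER_KEY) -> str:
    """Deterministic keyed token: equality matches still work, the original value is not recoverable."""
    return "tok:" + hmac.new(key, b"token|" + value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


class FieldBroker:
    """Sits between the application and the database and applies the policy per column on the way through.

    Table and column names come from the trusted policy/schema, not from user input, so they are safe to
    interpolate; data values always go through bound parameters."""

    def __init__(self, conn: sqlite3.Connection, policy: dict):
        self.conn, self.policy = conn, policy

    def _outbound(self, table: str, row: dict) -> dict:
        rules = self.policy.get(table, {})
        out = {}
        for col, val in row.items():
            rule = rules.get(col)
            if rule == "encrypt":
                out[col] = encrypt_field(val)
            elif rule == "tokenize":
                out[col] = tokenize_field(val)
            else:
                out[col] = val
        return out

    def _inbound(self, table: str, row: dict) -> dict:
        rules = self.policy.get(table, {})
        # Only encrypted columns are reversed; tokens are one-way in this model.
        return {c: decrypt_field(v) if rules.get(c) == "encrypt" else v for c, v in row.items()}

    def insert(self, table: str, row: dict) -> None:
        stored = self._outbound(table, row)
        cols, marks = ", ".join(stored), ", ".join("?" for _ in stored)
        self.conn.execute(f"INSERT INTO {table} ({cols}) VALUES ({marks})", list(stored.values()))

    def select_eq(self, table: str, col: str, value: str) -> list:
        if self.policy.get(table, {}).get(col) == "tokenize":
            value = tokenize_field(value)  # match against the stored token
        cur = self.conn.execute(f"SELECT * FROM {table} WHERE {col} = ?", (value,))
        names = [d[0] for d in cur.description]
        return [self._inbound(table, dict(zip(names, r))) for r in cur.fetchall()]


def demo() -> tuple:
    """Return (what the application sees via the broker, what a direct DB query sees)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, ssn TEXT)")
    broker = FieldBroker(conn, POLICY)
    # Constructed sample record.
    broker.insert("customers", {"id": 1, "name": "Ada", "email": "ada@example.com", "ssn": "123-45-6789"})
    app_view = broker.select_eq("customers", "email", "ada@example.com")[0]
    names = ["id", "name", "email", "ssn"]
    dba_view = dict(zip(names, conn.execute("SELECT * FROM customers").fetchone()))
    return app_view, dba_view


if __name__ == "__main__":
    app, dba = demo()
    print("application sees:", app)
    print("DBA / cloud operator sees:", dba)
```

Two design points carry over to the real thing: the encrypted column uses a fresh nonce per value, so two customers with the same SSN do not produce equal ciphertexts (unlike the deterministic token column, which is what lets `WHERE email = ?` still work), and decryption refuses anything whose tag does not verify, so an operator who can write to the table cannot swap ciphertexts around undetected. FPE, which the article says the product uses, would keep the stored SSN looking like an SSN so existing column types and validators are untouched; that property is not modeled here.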