Transparent Encryption Proxy: The Gibberish Ninja

Published: Jul 20, 2022

What's the fuss about?

It isn't shocking that enterprises worldwide want to eliminate the risk of exposing sensitive data to the wrong person. Often, data needs to be secured, not just to prevent misuse but also to comply with data protection regulations. For the longest time, enterprises have been treating data like Princess Rapunzel, keeping it away in a secluded high tower, guarded by complex security firewalls so that others cannot exploit its magical power. Sadly, this is never the best solution.

Fortanix Transparent Encryption provides a solution that not only helps with data protection and governance but also ensures data integrity and access management. In his book Small Gods, Terry Pratchett, UK's bestselling author in the nineties, wrote: "The trouble was that he was talking in philosophy, but they were listening in gibberish." While we at Fortanix can swear that he wasn't referring to our transparent encryption proxy, we may or may not have drawn a fair bit of inspiration. The fundamental and driving principle is just as simple: while an application generates philosophy (read: sensitive, confidential data), the database stores gibberish (encrypted data).

Transparent Encryption encrypts data on the fly before it hits the persistence layer, thereby denying plaintext access to everyone, including system administrators and DBAs. Sensitive data generated by an application is automatically encrypted at run-time before it reaches any other applications. Access to this confidential data can only be channeled through applications that demonstrate legitimate permissions. Data access policies are centrally managed based on the enterprise's data governance standards and compliance policies. The Fortanix solution for Transparent Encryption is an add-on capability that runs inside Fortanix Data Security Manager (DSM). Illustrated below is a sample workflow. The database and applications communicating with TEP (Transparent Encryption Proxy) could be anything that is hosted on-prem or on-cloud, distributed or centralized. The magic lies in supporting a heterogeneous and diverse application and technology stack, ease of operation, and security.

What's in it for me?

Searchable encryption:

The functionality of searchable encryption needs a proper balance of confidentiality, performance, and usability, which gets complex as databases get more specialized. Searchable encryption aims to enable the authorized user or client application to retrieve requested data without decrypting the data on the database side or in the backend. While there is no universal, perfect, one-size-fits-all approach without a performance or functionality tradeoff, Fortanix's searchable encryption solution with TEP enables applications to efficiently retrieve structured data based on encrypted search.
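One common way to get equality search over encrypted columns is a keyed blind index stored beside the ciphertext. The example below is added here and is not Fortanix's implementation or code from the original post; the `Proxy` class, the `patients` table, the demo keys and the HMAC-based stream cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

# Constructed demo keys (assumption); a real proxy would fetch them from a key manager.
ENC_KEY, MAC_KEY, IDX_KEY = (hashlib.sha256(s).digest() for s in (b"enc", b"mac", b"idx"))

def _keystream(nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a vetted AEAD (e.g. AES-GCM).
    blocks = (hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(plaintext: str) -> bytes:
    data, nonce = plaintext.encode(), os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    return nonce + body + hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()

def decrypt(blob: bytes) -> str:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()

def blind_index(value: str) -> str:
    # Deterministic keyed hash: the database can match equal values without the key
    # or the plaintext, at the cost of revealing which rows hold the same value.
    return hmac.new(IDX_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()

class Proxy:
    """Sits between the application and the database; only this layer holds keys."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE patients (email_ct BLOB, email_idx TEXT, note_ct BLOB)")
    def insert(self, email: str, note: str) -> None:
        self.db.execute("INSERT INTO patients VALUES (?, ?, ?)",
                        (encrypt(email), blind_index(email), encrypt(note)))
    def find_by_email(self, email: str) -> list:
        rows = self.db.execute("SELECT email_ct, note_ct FROM patients WHERE email_idx = ?",
                               (blind_index(email),)).fetchall()
        return [(decrypt(e), decrypt(n)) for e, n in rows]
    def raw_rows(self) -> list:  # what a DBA sees
        return self.db.execute("SELECT * FROM patients").fetchall()

if __name__ == "__main__":
    p = Proxy()
    p.insert("alice@example.com", "allergy: penicillin")  # constructed sample record
    print(p.find_by_email("Alice@Example.com"), p.raw_rows()[0][1][:16])
```

Because the index is deterministic, anyone who can read the table learns which rows share a value; that equality leakage is an instance of the functionality tradeoff mentioned above.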

Data Governance of sensitive data:

Data governance is soaring to new heights as a top business imperative. From digitalization in traditional industries like supply chain, manufacturing, and transportation to the "sweep-you-off-your-feet" dating going the Tinder way, new avenues of data generation are everywhere. The privacy of sensitive and PII (Personally Identifiable Information) data and its governance have become a supreme objective for companies. TEP helps safeguard data even before the data enters your ecosystem, thereby easing the data governance process and giving data stewards much-needed respite.

Scalability and performance:

With other remarkable solution components like Fortanix Data Security Accelerator™ (DSA), large-scale cryptographic operations can be achieved without significant performance overhead. This enables the adoption of the solution at a large scale in a production environment. Fortanix Data Security Manager Accelerator™ (DSMA) has the potential to support the high throughput of query transactions with the database.

Extended Run-time confidentiality with Fortanix CCM (Confidential Computing Manager):

While transparent data encryption (TDE) enables data protection at rest, security and confidentiality can be extended to run-time by running the database interactions in a trusted execution environment (TEE). With run-time confidentiality provided by secure enclaves, the encryption and decryption of sensitive data are protected from memory-scraping attacks.

Secure, confidential AI (Artificial Intelligence) & ML (Machine Learning) with CAI (Confidential AI):

The solution can be packaged within Fortanix Confidential AI™ (C-AI) to support anonymous query submission by a data analyst, using database resources that are configured as C-AI datasets. Coupled with the powerful features of Fortanix C-AI, the solution facilitates running AI & ML models in confidential compute on encrypted data.

Transparency and reusability:

Cryptographic functions are detached from the business application. Application code does not have to manage keys or implement cryptographic functions. The applications stay unchanged. So do the upstream services that consume data/inputs from these applications.

Data Migration:

More and more organizations want to tap into the emergence of the cloud and migrate legacy on-premises data to the cloud, either into cloud-hosted databases or data stores or into SaaS (software as a service) based data warehouses. However, outsourcing sensitive data into the cloud brings privacy and compliance-related regulations into play. Due to regulatory requirements, lack of digital trust in cloud providers, and/or the lack of visibility into data-security protocols for on-cloud data, organizations feel the need to encrypt all or selected sensitive data in their databases. Encrypting the data before outsourcing provides privacy and confidentiality and enhances security. Transparent Encryption Proxy and the Fortanix Data Security Manager Accelerator provide scalable and performance-optimized data migration of legacy data while providing dynamic cryptographic power.

What's the take-away?

Searchable encryption enables applications to securely outsource and store data using cryptographic operations while preserving the capability to selectively search through it. When deployed on the cloud, it allows querying encrypted data without compromising security or worrying about data leakage. It facilitates a Zero-trust approach where data gets de-identified right at the source and, with role-based access control, is only available to authorized and intended recipients.

If you ask me, it's just the subtle art of being an orange, in a world full of lemons.
