Fortanix Data Security Manager (DSM) Overview
Fortanix Data Security Manager (DSM) is the world’s first cloud solution secured with Intel® SGX. With DSM,
you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as
passwords, API keys, tokens, or any blob of data.
Transparent Encryption Proxy Overview
Business Requirement
In the age of global digital transformation, the application ecosystem has become more fragmented than ever before. Microservices, Kubernetes, cloud-native applications, IoT, mobile, and so on have made applications not only transient but also heterogeneous in terms of the languages they are written in and the platforms they run on.
Of course, regardless of the technology or platform these applications belong to, if they need to comply with PCI-DSS, GDPR, CCPA, and other data protection regulations, then the data they generate must be encrypted. That poses a challenge:
How can the data these applications generate be encrypted transparently, without any application code change?
Fortanix Solution
Fortanix offers a modern, application- and cloud-agnostic solution that enables businesses to transparently encrypt data in real time, in flight, with high throughput. Here is a brief overview of the Transparent Encryption Proxy (TEP) solution.
- Allows applications to encrypt/decrypt data dynamically by ingesting data in any form (binary files, strings, Excel, JSON, Word, etc.).
- Identification and de-identification of data happens securely inside Fortanix Data Security Manager (DSM).
- Every application requesting de-identification of data will either send a schema along with the API call or will need to configure or store a schema beforehand in DSM. This de-identification schema calls out all the data types that need to be de-identified.
- Transparent Encryption Proxy (TEP) will internally know how to parse the input files, identify one or more strings in the file that map to one or more of these data types, and de-identify those strings accordingly using Format Preserving Encryption (FPE). Applications can share the same de-identification schema or each have a unique one.
High Level Architectural Steps
- A SaaS or on-premises application will request encrypt/decrypt operations via an API call to the TEP, which is based on NGINX. TEP’s design preserves the underlying NGINX capabilities.
- All encrypt/decrypt operations will be performed by the DSM at the request of TEP (refer to the diagram below).
- TEP will unzip the file if needed, decode it, and identify the fields / data to be de-identified per the schema. Only those fields will be sent to DSM for encryption.
- TEP will request decryption operations from DSM without requiring a schema. Again, only the fields / data to be decrypted will be sent to DSM for decryption.
- TEP supports role-based access control of users in DSM, and DSM can be integrated with Active Directory or SSO.
- Fortanix DSM provides centralized management of the applications to integrate with and of the configuration of which fields to monitor, with automated provisioning of that configuration to TEP.
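The schema-driven step described above, where only the fields named in the schema leave the proxy, can be sketched as follows. This is an added example, not Fortanix code: the schema shape (dotted JSON path to data type), the sample document, and `stand_in_dsm` (a toy keyed digit shift standing in for the DSM FPE call, not real FPE) are all assumptions.

```python
import hashlib
import hmac
import json

# Assumed schema shape (not Fortanix's format): dotted JSON path -> data type.
SCHEMA = {"customer.ssn": "ssn", "payment.card_number": "credit_card"}
DEMO_KEY = b"constructed-demo-key"  # in the described design, keys stay inside DSM

# Constructed sample request body.
SAMPLE = {
    "customer": {"name": "Alice Example", "ssn": "123-45-6789"},
    "payment": {"card_number": "4111 1111 1111 1111", "amount": 42.5},
}


def stand_in_dsm(datatype, value, decrypt=False):
    """Hypothetical stand-in for the DSM call: shifts each ASCII digit by a
    keyed amount so length and separators survive. Not real FPE such as FF1."""
    out, pos = [], 0
    for ch in value:
        if ch in "0123456789":
            mac = hmac.new(DEMO_KEY, f"{datatype}:{pos}".encode(), hashlib.sha256)
            shift = mac.digest()[0] % 10
            out.append(str((int(ch) + (-shift if decrypt else shift)) % 10))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def deidentify(document, schema, dsm_call):
    """Send only schema-listed string fields to dsm_call; return the rewritten
    copy of the document and the list of paths that left the proxy."""
    result = json.loads(json.dumps(document))  # deep copy, input is untouched
    sent = []
    for path, datatype in schema.items():
        *parents, leaf = path.split(".")
        node = result
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict) and isinstance(node.get(leaf), str):
            node[leaf] = dsm_call(datatype, node[leaf])
            sent.append(path)
    return result, sent


if __name__ == "__main__":
    protected, sent = deidentify(SAMPLE, SCHEMA, stand_in_dsm)
    print(json.dumps(protected, indent=2), sent)
```

The list of paths returned alongside the document is useful for auditing which values were exposed to the key service on each request; fields not named in the schema (here `name` and `amount`) pass through unchanged.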