How to have encryption, computation, and compliance all at once

Baffle Advanced Encryption was designed to overcome the barriers to adopting encryption for analytics. Here’s how it enables compliant, privacy-enhanced computation.


For years, data teams worked with simple data pipelines. These generally consisted of a few applications or data feeds that converged into a standard extract, transform, and load (ETL) tool that fed data into a centralized data warehouse. From that warehouse, data was sent to a set number of places, like a reporting tool or spreadsheets. As a result, data protection was relatively straightforward. There simply was not as much data to protect, and the locations of the data were limited.

But there were definite drawbacks to this “simpler” time, like unchecked data access. It was much easier for those who shouldn’t see data, like database administrators (DBA) and data warehouse teams, to access it in cleartext. Further, few regulations covered how to protect that data.

Today, things are much different, especially for companies in regulated industries like financial services and healthcare. Government regulations, like the General Data Protection Regulation (GDPR) in the EU, the California Privacy Rights Act (CPRA), and the many other data privacy laws in the US, make data security a concern for nearly every organization. Data is an organization’s most valuable non-human asset, and compliance mandates outline strict guidelines for how companies must protect regulated data wherever it goes.

Data teams face serious challenges

According to Gartner, the data of 75% of the world’s population will be covered by modern privacy regulations by the end of 2024. But even as more companies become subject to these compliance mandates, 55% of sensitive data in the cloud is not protected by encryption, and only 45% is encrypted. Those are alarming numbers, considering the fines organizations face for not encrypting data.

Why do companies leave data unencrypted? One reason is that data teams need to perform operational and analytical computations on the data, but simple encryption does not allow these types of operations. Something as simple as sorting data is impossible when it’s encrypted. Many data teams need cleartext access to run valuable data computations, which can be a compliance issue.

Data teams also face data sprawl. Not only is data being generated in more places than ever before, but it is being used in more places. Modern teams use a variety of tools—SQL and NoSQL databases, warehouses and data lakes, streaming platforms, Tableau, Power BI, APIs, etc.—to transport, integrate, query, analyze, visualize, and prepare data for other data consumers, leading to more places data needs to be protected.

A single column of Social Security numbers in a database may have to be protected in hundreds—even thousands—of ways. Continuous compliance is a near-impossibility without data-centric protection.

Data protection solutions fall short

While many excellent data protection solutions are available on the market, each has shortcomings that prevent teams from maintaining compliance while extracting maximum ROI from data.

  • Confidential computing requires hardware and significant storage space, leaving little flexibility in designing a system, and no ability to perform distributed computing. And it allows database administrators to have cleartext access to regulated data.
  • Application access control is effective until data moves to another system where access control is lost. This is costly as every time data is moved, more work is needed to maintain compliance.
  • Homomorphic encryption allows encrypted computation, but creates performance concerns when data is accessed and read. It also requires a lot of storage with additional cost and maintenance. And it only covers a subset of protections, depending on the type of homomorphic encryption.

Baffle Advanced Encryption was designed to overcome the last barriers to adopting encryption for analytics. It provides data-centric protection without the use of special hardware. It supports any and all operations on encrypted data while maintaining high performance. Its role-based access control reduces the number of people with access to cleartext data, ensuring that you meet all compliance regulations.

How Baffle Advanced Encryption works

Baffle Advanced Encryption is an enterprise-level, transparent data security platform that secures databases via a “no code” model at the field or file level. Baffle provides a set of privacy-enhanced technologies that enable analytical and operational computations on protected, regulated data.

Data teams use the Baffle Manager to create a proxy called Baffle Shield that protects data. Baffle Advanced Encryption is a PostgreSQL database plug-in (or extension) that supports all encrypted data operations. Baffle protects data exiting the data source, such as reports, spreadsheets, exported datasets, and SQL queries.

Baffle Advanced Encryption offers role-based access control to determine who has cleartext access. No one can see data in cleartext—not even DBAs, depending on your access controls. Also, Baffle requires no application changes, and the solution integrates with key management systems, so organizations own all encryption keys, adding a further layer of security.

Here’s a more detailed look at how Baffle Advanced Encryption works:

  1. A data team member has an application, report, or SQL query that they run against the database.
  2. Baffle Shield intercepts the query, determines whether it touches protected data, and determines the access control rules for that dataset. If the query involves a protected column, Baffle Shield rewrites and transforms it based on the role-based access controls defined by the organization.
  3. If the operation requires computation on an encrypted column, Baffle Shield recognizes this operation and sends the data to the Baffle Advanced Encryption database extension.
  4. The Baffle Advanced Encryption extension performs calculations on the encrypted data and sends the results back to the Baffle Shield.
  5. Baffle Shield sends results back to the application and, depending on the role-based access controls, returns data either encrypted or in cleartext.

No matter how it is used, data is always encrypted, allowing organizations to perform computations and share the results within and outside the organization without compromising performance or incurring the risk of non-compliance. This means you can perform business-critical functions without putting the company or consumer at risk.

Encryption for the enterprise

Unlike other privacy-enhanced computation technologies, Baffle Advanced Encryption is a software-based approach to confidential computing, representing a pragmatic balance among security, speed of deployment, flexibility, and cost. It is a modular, easy-to-implement solution that does not require application code changes.

Further, Baffle Advanced Encryption fits into more extensive data security programs in the following ways:

  • Protects data at rest and in use while maintaining the utility of data
  • Allows for implementation into organization-specific data protection policies
  • Provides logs for compliance reporting
  • Meets PCI DSS 4.0 requirements for credit card data
  • Enables compliance with privacy regulations like GDPR and CPRA
  • Integrates with other data security management tools

As organizations strive to take advantage of data analytics, data sharing, and AI, they must do so in a manner that protects consumer data. Having data-centric tools that protect data across the many ways it is used is paramount to maintaining market differentiation. Baffle Advanced Encryption offers unlimited data usage while reducing the risk of non-compliance.

Laura Case is director of product management at Baffle.

New Tech Forum provides a venue for technology leaders—including vendors and other outside contributors—to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to doug_dineley@foundryco.com.

Copyright © 2023 IDG Communications, Inc.