The global average cost of a data breach in 2022 was USD 9.44 million, not to mention the reputational impact that these breaches could cause. To protect consumers’ privacy, regulatory requirements around the world are significantly evolving around data security (e.g., Schrems II in Europe, State-level Privacy Acts in the US). Given such a risk and compliance landscape, sensitive data protection has become a business imperative for organizations looking to modernize their applications to cloud.
Enterprises use encryption to protect data at rest—at the operating system, file system and even database. But they are still struggling to answer questions like: How can they encrypt personally identifiable information (PII) like a social security number? Or mask personal health information (PHI)? Or de-identify such data when using analytics and AI? And how can they do that at scale so that not every application accessing this encrypted data requires change, and not every application developer becomes a security expert?
What is IBM Cloud Data Security Broker?
Clearly, a modern cloud solution is required that addresses these needs – where businesses can encrypt, mask, de-identify or tokenize sensitive data (without changing application code). This is why we are introducing IBM Cloud Data Security Broker.
IBM Cloud Data Security Broker is a cloud security solution that can be used to achieve field-level encryption, masking and tokenization. It is based on innovative architecture where a ‘broker’ sits in between an application and data store to achieve data security seamlessly. It provides a data-centric protection layer allowing customers to tokenize, encrypt and mask data at the column or row level. This is achieved without any application code modifications while supporting customer-managed encryption keys—either a Bring Your Own Key (BYOK) or Keep Your Own Key (KYOK) model.
Security teams can centrally define the granular application encryption policies and manage keys. Developers can seamlessly integrate applications with data stores, even if those sensitive fields are encrypted. It allows IT teams to deploy these application architectures on hybrid multicloud; on IBM Cloud or in any other cloud provider through an IBM Cloud Satellite deployment pattern. It also enables data and analytics teams to access data without compromising privacy:
Data Security Broker consists of two major components:
Data Security Broker Manager: Centralized administrative console for configuration and management of data protection policies.
Data Security Broker Shield: A reverse proxy technology that is in the customer’s control and performs encryption, decryption, tokenization, masking and access control functions for each data source.
The primary benefits include the following:
On-the-fly encryption, de-identification, masking or tokenization of data in the cloud
“No-code” deployment that does not require application changes
Fast, scalable and unintrusive to data throughput
Role-based data access control to dynamically enforce who can see what data
A consolidated suite of data protection capabilities like encryption, tokenization, dynamic data masking, Format Preserving Encryption (FPE), field and record level encryption, file and object encryption and secure data sharing
Customers can manage and control their encryption keys with Bring Your Own Key (BYOK) and Keep Your Own Key (KYOK) models
Automated cloud deployment patterns
IBM Cloud Data Security Broker is now available as Beta in IBM Cloud with support for PostgreSQL databases. It integrates with IBM Cloud Hyper Protect Crypto Services and Key Protect for customer-managed keys. This innovative and elegant solution is made possible in close collaboration with Baffle’s proven technology.