Introducing IBM Cloud Data Security Broker.

The global average cost of a data breach in 2022 was USD 9.44 million, not to mention the reputational impact that these breaches could cause. To protect consumers’ privacy, regulatory requirements for data security are evolving significantly around the world (e.g., Schrems II in Europe, state-level privacy acts in the US). Given such a risk and compliance landscape, sensitive data protection has become a business imperative for organizations looking to modernize their applications for the cloud.

Enterprises use encryption to protect data at rest (at the operating system, file system and even database level). But they are still struggling to answer questions like: How can they encrypt personally identifiable information (PII) like a social security number? Or mask personal health information (PHI)? Or de-identify such data when using analytics and AI? And how can they do that at scale, so that not every application accessing this encrypted data requires changes and not every application developer has to become a security expert?

What is IBM Cloud Data Security Broker?

Clearly, a modern cloud solution is required that addresses these needs – where businesses can encrypt, mask, de-identify or tokenize sensitive data (without changing application code). This is why we are introducing IBM Cloud Data Security Broker.

IBM Cloud Data Security Broker is a cloud security solution that can be used to achieve field-level encryption, masking and tokenization. It is based on an innovative architecture where a ‘broker’ sits in between an application and a data store to achieve data security seamlessly. It provides a data-centric protection layer allowing customers to tokenize, encrypt and mask data at the column or row level. This is achieved without any application code modifications while supporting customer-managed encryption keys, using either a Bring Your Own Key (BYOK) or Keep Your Own Key (KYOK) model.

Security teams can centrally define granular application encryption policies and manage keys. Developers can seamlessly integrate applications with data stores, even if sensitive fields are encrypted. It allows IT teams to deploy these application architectures on hybrid multicloud: on IBM Cloud, or on any other cloud provider through an IBM Cloud Satellite deployment pattern. It also enables data and analytics teams to access data without compromising privacy.

Data Security Broker consists of two major components:

  • Data Security Broker Manager: Centralized administrative console for configuration and management of data protection policies.
  • Data Security Broker Shield: A reverse proxy technology that is in the customer’s control and performs encryption, decryption, tokenization, masking and access control functions for each data source.

The primary benefits include the following:

  • On-the-fly encryption, de-identification, masking or tokenization of data in the cloud
  • “No-code” deployment that does not require application changes
  • Fast, scalable and unintrusive to data throughput
  • Role-based data access control to dynamically enforce who can see what data
  • A consolidated suite of data protection capabilities like encryption, tokenization, dynamic data masking, Format Preserving Encryption (FPE), field and record level encryption, file and object encryption and secure data sharing
  • Customers can manage and control their encryption keys with Bring Your Own Key (BYOK) and Keep Your Own Key (KYOK) models
  • Automated cloud deployment patterns

Get started

IBM Cloud Data Security Broker is now available as Beta in IBM Cloud with support for PostgreSQL databases. It integrates with IBM Cloud Hyper Protect Crypto Services and Key Protect for customer-managed keys. This innovative and elegant solution is made possible in close collaboration with Baffle’s proven technology.

