Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle.

While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance your data security, privacy and sovereignty posture.

Why should you consider application-level encryption?

Figure 1 illustrates a typical three-tier application deployment, where the application back end is writing data to a managed Postgres instance.

If you look at the high-level data flow, data originates from the end user and is encrypted in transit to the application, between application microservices (UI and back end), and from the application to the database. Finally, the database encrypts the data at rest using either bring your own key (BYOK) or keep your own key (KYOK) strategy.

In this deployment, both runtime and database admins are inside the trust boundary. This means you’re assuming no harm from these personas. However, as analysts and industry experts point out, there is a human element at the root of most cybersecurity breaches. These breaches happen through error, privilege misuse or stolen credentials and this risk can be mitigated by placing these personas outside the trust boundary. So, how can we enhance the security posture by efficiently placing privileged users outside the trust boundary? The answer lies in application-level encryption.

How does application-level encryption protect from data breaches?

Application-level encryption is an approach to data security where we encrypt the data within an application before it is stored or transmitted through different parts of the system. This approach significantly reduces the various potential attack points by shrinking the data security controls right down to the data.

By introducing ALE to the application, as shown in figure 2, we help ensure that data is encrypted within the application. It remains encrypted for its lifecycle thereon, until it is read back by the same application in question.

This helps make sure that privileged users on the database front (such as database administrators and operators) are outside the trust boundary and cannot access sensitive data in clear text.

However, this approach requires changes to the application back end, which places another set of privileged users (ALE service admin and security focal) inside the trust boundary. It can be difficult to confirm how the encryption keys are managed in the ALE service.

So, how are we going to bring the value of ALE without such compromises? The answer is through Data Security Broker.

Why should you consider Data Security Broker?

IBM Cloud® Security and Compliance Center (SCC) Data Security Broker (DSB) provides an application-level encryption software with a no-code change approach to seamlessly mask, encrypt and tokenize data. It enforces a role-based access control (RBAC) with field and column level granularity. DSB has two components: a control plane component called DSB Manager and a data plane component called DSB Shield, as shown in Figure 3.

DSB Manager (the control plane) is not in the data path and is now running outside the trust boundary. DSB Shield (the data plane component) seamlessly retrieves the policies such as encryption, masking, RBAC and uses the customer-owned keys to enforce the policy with no-code changes to the application!

Data Security Broker offers these benefits:

• Security: Personally identifiable information (PII) is anonymized before ingestion to the database and is protected even from database and cloud admins.
• Ease: The data is protected where it flows, without code changes to the application.
• Efficiency: DSB supports scaling and to the end user of the application, this results in no perceived impact on application performance.
• Control: DSB offers customer-controlled key management access to data.

Help to avoid the risk of data breaches

Data breaches come with the high cost of time-to-address, the risk of industry and regulatory compliance violations and associated penalties, and the risk of loss of reputation.

Mitigating these risks is often time-consuming and expensive due to the application changes required to secure sensitive data, as well as the oversight required to meet compliance requirements. Making sure your data protection posture is strong  helps avoid the risk of breaches.

IBM Cloud Security and Compliance Center Data Security Broker provides the IBM Cloud and hybrid-multicloud with IBM Cloud Satellite® no-code application-level encryption  to protect your application data and enhance your security posture toward zero trust guidelines.