IBM Security® Guardium® Data Encryption is a family of data encryption and key management software. The modular components are centrally managed through CipherTrust Manager (formerly known as Data Security Manager or DSM), which manages policies, configurations and encryption keys.
IBM Security Guardium Data Encryption consists of a unified suite of products built on a common infrastructure. These highly scalable modular solutions, which can be deployed individually or in combination, provide data encryption, tokenization, data masking and key management capabilities to help protect and control access to data across the hybrid multicloud environment. You can address data security and privacy regulations such as GDPR, CCPA, PCI DSS and HIPAA by employing methods to de-identify data, such as tokenization and data masking, and managing the encryption key lifecycle with secure key generation and automated key rotation.
Guardium can also handle encryption key creation, storage, backup and management.
Request a live demo with an expert for any product in the Guardium portfolio
9 of 9 categories show IBM Security Guardium as a "strong positive", making it an Overall Leader.
58% of organizations say they have around 21% to 50% of cloud-resident sensitive data that's insufficiently secured.
Protect your data wherever it resides and help organizations secure their cloud migration.
Address compliance with strong data encryption, robust user access policies, data access audit logging and key management capabilities.
Centralize encryption and encryption key configuration and policy management through an intuitive web-based interface.
Access DevSecOps-friendly software tools in a solution that is flexible enough to encrypt nearly any type of data passing through an application. Protecting data at the application layer can provide the highest level of security, as it takes place immediately upon data creation or first processing and can remain encrypted regardless of the state—during transfer, use, backup or copy.
This extension to Guardium for File and Database Encryption delivers container-aware data protection and encryption capabilities for granular data access controls and data access logging in containerized environments.
Utilize application-level tokenization and dynamic display security to secure and anonymize sensitive assets whether they reside in the data center, big data environments or the cloud. Because it uses standard protocols and environment bindings, Guardium for Tokenization requires minimal software engineering and can be deployed as an appliance in your virtual format of choice.
Guardium Data Encryption offers capabilities for protecting and controlling access to files, databases and applications across your organization, in the cloud and on premises, for containerized environments, and for cloud storage services.
Guardium Data Encryption allows for granular user access control. Specific policies can be applied to users and groups with controls that include access by process, file type and time of day, among other parameters.
Format-preserving tokenization obscures sensitive data while dynamic data masking obscures specific parts of a data field. Tokenization methods and data masking policies are controlled through a centralized graphical user interface.
Clients can manage data encryption keys for their cloud environments from one browser window. Guardium Data Encryption supports bring your own key (BYOK) lifecycle management that allows for the separation, creation, ownership, control and revocation of encryption keys or tenant secrets.
Regulations such as HIPAA, PCI DSS, CCPA and GDPR require strong data encryption, robust user access policies and key lifecycle management capabilities. Detailed data access audit logging is available to help organizations with compliance reporting.
CipherTrust Manager centralizes the storage, rotation and lifecycle management of all your encryption keys for KMIP-compatible data repositories. KMIP is an industry-standard protocol for encryption key exchange between clients (appliances and applications) and a server (key store).
Learn how encryption can help safeguard your data against threats and address compliance.
Learn how fully homomorphic encryption enables computation and collaboration while preserving privacy.
Find answers quickly in IBM product documentation.
Get centralized visibility, monitoring, compliance, advanced analytics and data source flexibility. Simplify data security and analytics.
Looking to identify shadow data and its movement across applications? Read about the Data Security Posture Management (DSPM) capabilities in Guardium Insights.
Monitor data activity and accelerate compliance reporting for data stored anywhere. Discover and classify data and data sources, monitor user activity, and respond to threats in near real time.
Enable zero-trust based discovery and classification of sensitive and regulated data, wherever it resides, structured or unstructured, at rest or in motion.
Scan your data to detect vulnerabilities. Identify threats and security gaps.
Deliver secured key management with reduced costs and greater operational efficiency. Centralize, simplify and automate encryption key management.
Frequently asked questions
Encryption is the process that scrambles readable text so it can only be read by a person who has access to the encryption key.
Encryption helps protect private information and other sensitive data, whether the host is online or offline, and even in the event of a breach. As long as the encryption key is secured, the encrypted data remains protected against unauthorized users.
Encryption keys are used by the encryption algorithm to “lock” the data during an encoding process such that the data cannot be “unlocked” without access to the encryption key. Encryption keys are generally kept private. Proper key management is a key factor in keeping your data secure.
The loss of any one key can mean that the data it protects will also be lost. It is important to track, manage and protect keys from accidental loss or compromise. Fortunately, Guardium Data Encryption automates and manages the entire encryption key lifecycle.
Tokenization is a form of data protection that retains the same type and length of the original data (such as a credit card number) but replaces it with a bogus equivalent called a token. This approach can be used to retain the format of the original data without incurring the risk of exposure.
Data masking is the general replacement of a character of data with another character of data. An example of masking would be converting 123-45-6789 into ***-**-6789.
The strength of encryption is based on the idea that encrypted data cannot be decrypted without the encryption key. This also means that if the key is intentionally destroyed, the encrypted data can never be decrypted and is effectively made useless. This process is called cryptographic erasure.
An HSM is a computing device or cloud service that generates, secures and manages encryption keys, performs encryption/decryption and other cryptographic functions. It acts as a root of trust for organizations looking for the highest level of security for their encrypted data and encryption keys.