Air-Locks for addressing Data Sharing and Sovereignty Requirements

Snowflake, Redshift and BigQuery Air-Locks for addressing Data Sharing and Sovereignty Requirements

Mature deployments of Cloud analytics environments at regulated organizations include critical data, from personal customer, employee and IP data.
Both the Cloud cross-grained encryption and the Cloud analytics column-level encryption are not sufficient to address the requirements of Segregation of Duties (SoD) by Cloud Accounts Admins, as well as the need to control access to the clear-text data on a need-to-know basis, taking into consideration the location, citizenship, device, purpose and consent of the data subject.

The usage of decrypting critical data using External Functions on encrypted columns in every Cloud analytics platform requires changing the schema, creating views and managing access to the views based on various attributes – which is cumbersome, requires administration and cannot scale – as more columns need to be protected while taking more attributes (ABAC) into consideration that are not available in the creation of the decryption views.

In addition, External Functions can be invoked by the Cloud Account Admins, eroding SoD posture and are returning the clear-text data back to the Cloud analytics platform – which would not serve the purpose of the law.

SecuPi has partnered with all Cloud Analytics platforms to deliver Air-Locks that will enforce full SoD, ensure clear-text data is NEVER available in the platform while decrypting it at the edge/in Country, meeting data sharing and Sovereignty requirements.

Our centralized Policy Definition (PDP) control plain and self-contained, distributed Air-Locks (Policy Enforcement Points – PEPs), installed in various locations enforce fine-grained Access Control based on all required attributes before critical data is re-Identified.