SecuPi for AWS enables seamless Regulatory Compliance, Column Level Encryption & Decryption and Full Sensitive & Customer Data Access Audit, Monitoring & Control for AWS Analytics and Business Applications Lift & Shift.
With data privacy gaining rapidly increasing attention and public awareness, exponential data growth, pressure to anonymize and protect more items, and privacy regulations that keep evolving, different approaches are required to balance the eroding effect of anonymization against the hunger for analytics. Protecting thousands of columns cannot rely only on the legacy encryption tools of the past; it must evolve with new, highly efficient anonymization and data protection approaches that are easy to implement and maintain.
The SecuPi data protection software platform for AWS Cloud Analytics and data services (e.g., Glue, Redshift, RDS, etc.) discovers sensitive data, monitors user activity in real time and anonymizes sensitive data workloads in order to protect data and comply with regulations, data cross-border controls and access on a “need-to-know” basis, while applying customer consent and “right to be forgotten” attributes within days. No changes are required to analytics applications or tools, nor to the cloud platforms.
SecuPi uses a variety of configuration approaches to achieve a superior data protection posture on Amazon Redshift, including self-contained application overlays (Java application instrumentation agents), an ODBC/JDBC/native driver bridge and reverse proxies. Providing a variety of options makes it possible to protect both on-prem and on-cloud analytics applications and tools transparently across ingestion workloads (e.g., AWS Glue), analytics applications (consuming applications and “lift & shift” applications) and web access tools.
SecuPi General Approach to Data Protection
Sensitive and personal columns loaded into the cloud infrastructure can be protected using a “mix & match” approach that balances security and operability: a few highly sensitive columns can be encrypted at rest (e.g., credit card and social security number), other less restrictive columns can be encrypted at use or dynamically masked, while access to the remaining sensitive columns is audited and monitored, with behavior analytics applied to prevent privilege abuse.
SecuPi Implementation for AWS Cloud Analytics
SecuPi developed a model, field-proven in global multinational enterprises, to protect and anonymize hundreds of thousands of sensitive and personal data items using an intuitive UI and simple configuration of policies, with no code changes and no risk to business operations. SecuPi provides a simple process to deliver comprehensive privacy and data protection:
- Policies and Settings Definition: Define policies using the SecuPi UI, or maintain them in Excel or 3rd-party tools and, once finalized, import them into SecuPi.
- Privacy Policies Distribution: The defined anonymization policies are automatically distributed to the relevant ingestion points and all consumption points (where the overlay is installed), analytics applications and tools, and take effect immediately.
- Consumption: Users accessing each of the applications are identified, and the defined set of anonymization and data protection policies is applied.
One Protection and Compliance Platform for all AWS tools – SecuPi provides a single platform complying with global privacy regulations (such as CCPA, GDPR and more) on all types of AWS Redshift and analytics tools and services. It provides the ability to perform Geo-Fencing and Deletion (Right to be Forgotten (RTBF) and Right of Erasure), while meeting complex retention requirements. The SecuPi application overlays are seamlessly installed across applications, ingestion tools, analytics and other data-accessing tools used to consume customer and other sensitive data, deployed in days with no need for application re-coding or any database changes, enabling seamless support for regulatory requirements.
Column-level encryption and decryption while segregating keys – SecuPi can automatically encrypt, redact or dynamically mask data for specified users and processes. It allows organizations to grant sensitive data access on a need-to-know basis and revoke access for users who do not need to see the data to perform their job. Data is encrypted at rest prior to being loaded into AWS, while encryption key segregation is enforced. Upon consumption, SecuPi decrypts the data for authorized users while keeping it beyond the reach of unauthorized users.
Full Sensitive Customer Data Access Audit, Monitoring and Control – SecuPi combines personal data discovery, data-flow mapping and real-time activity monitoring on both encrypted and non-encrypted columns, allowing a data subject to know, upon request, where their data is stored and how it is used within the organization. It also integrates with all major SIEM tools to provide a single view of sensitive data activity across all systems, with fine-grained audit trails.
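The following is an added example, not SecuPi code: a small Python model of the tiered “mix & match” approach described under the general approach above (encrypt at rest, mask at use, audit only) combined with the key-segregated decrypt-on-consumption described in this section. The policy table, column names, roles and key are constructed for illustration, and the HMAC-based cipher stands in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, os

# Constructed policy table: column -> protection tier and the roles allowed to see it in clear.
POLICY = {
    "ssn":   {"tier": "encrypt", "clear_roles": {"fraud-analyst"}},
    "email": {"tier": "mask",    "clear_roles": {"fraud-analyst", "support"}},
    "zip":   {"tier": "audit",   "clear_roles": {"fraud-analyst", "support", "bi-user"}},
}
# Illustrative key. Key segregation: it lives with the policy layer, never with the data store.
KEY = b"constructed-demo-key-do-not-reuse"

def _keystream(nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF; stands in for AES-GCM in a real deployment
    blocks = (hmac.new(KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(plain: str) -> str:
    # Encrypt-then-MAC with a fresh nonce; output is hex(nonce || ciphertext || tag)
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plain.encode(), _keystream(nonce, len(plain.encode()))))
    tag = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()

def decrypt(blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expect = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()

def mask(value: str) -> str:
    # Dynamic masking: reveal only the last four characters
    return "*" * max(len(value) - 4, 0) + value[-4:]

def read_row(user: str, role: str, stored: dict, audit: list) -> dict:
    # Apply the tiered policy at consumption time; every sensitive-column access is audited
    out = {}
    for col, val in stored.items():
        rule = POLICY.get(col)
        if rule is None:                    # not a sensitive column: pass through unaudited
            out[col] = val
            continue
        in_clear = role in rule["clear_roles"] or rule["tier"] == "audit"
        if rule["tier"] == "encrypt":       # unauthorized users only ever receive ciphertext
            out[col] = decrypt(val) if in_clear else val
        else:                               # "mask" tier masks; "audit" tier is always in clear
            out[col] = val if in_clear else mask(val)
        audit.append({"user": user, "role": role, "column": col, "tier": rule["tier"], "clear": in_clear})
    return out
```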