What to Ask Your Encryption/Tokenization Technology Provider
It is essential to ask a technology vendor about the realities of using the tool they offer. Just as before buying a 30th-floor penthouse with an ocean view, it is worth checking that there is an elevator to get there! Choosing an encryption solution is a major decision, and you need to be sure you have the means to get your data encrypted efficiently and cost-effectively.
The first question you must ask your encryption vendor is:
How am I going to integrate encryption/tokenization into my databases and applications?
Legacy encryption tools provide you with three options:
- UDF (User-Defined Functions): you change your data source by defining functions on each encrypted column. Then you create views for your authorized users that invoke the function when reading data. Lastly, you change your reports and application calls to query the newly created views instead of the base tables. This needs to be done for EVERY column you decide to encrypt, involving both your DBAs (creating functions and views) and your developers (changing their application code to call the new views).
- SDK: calling an encryption/decryption API. This is required for every application that interacts with your data source. You need to map all application calls to every encrypted column and have your developers modify them to decrypt (for read operations) or encrypt (for write operations).
- HTTP/REST API gateway: parsing all your HTTP traffic, identifying every call that reads encrypted data and applying a decryption function. The HTTP gateway needs endless configuration for every new payload, and when the parser does not correctly identify the HTTP traffic it encrypts data it should not, or fails to encrypt data it should – easily creating data corruption.
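To make the first option concrete, here is an added example (not SecuPi's code, and not from the original post) of the UDF-plus-view pattern applied to a tokenization scheme, using Python's built-in sqlite3 module. The `tokenize` and `detokenize` helpers, the in-memory vault dictionary, the `customers` table and the sample rows are all constructed for illustration; a real deployment would keep the vault in a separately protected store. The point the code makes is the one above: the base table holds only tokens, the authorized view calls the UDF on every protected column, and both the INSERT statements and the read queries have to be rewritten for each column you protect.

```python
import secrets
import sqlite3

# Constructed in-memory token vault (token -> clear value, plus the reverse map).
# Illustrative stand-in only: a real vault is a separately protected data store.
VAULT = {}
REVERSE = {}


def tokenize(value):
    """UDF for writes: swap a clear value for a random token kept in the vault."""
    if value is None:
        return None
    if value in REVERSE:          # same value -> same token, so equality lookups still work
        return REVERSE[value]
    token = secrets.token_hex(8)  # 16 hex characters, mathematically unrelated to the value
    VAULT[token] = value
    REVERSE[value] = token
    return token


def detokenize(token):
    """UDF for reads: map a token back to its clear value, or None if it is unknown."""
    if token is None:
        return None
    return VAULT.get(token)


# Constructed sample rows (fictional names and identifiers).
SAMPLE_ROWS = [
    ("Ada Example", "123-45-6789", "ada@example.com"),
    ("Bob Example", "987-65-4321", "bob@example.com"),
]

# Every column listed here costs a UDF call in the INSERT, a column in the view,
# and a change to every application query that reads it.
PROTECTED_COLUMNS = ["ssn", "email"]


def build_database():
    """Create the base table, register the UDFs and build the view authorized readers use."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("tokenize", 1, tokenize)
    conn.create_function("detokenize", 1, detokenize)
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, email TEXT)"
    )
    # Writes: the application's INSERT must wrap each protected column in tokenize().
    conn.executemany(
        "INSERT INTO customers (name, ssn, email) VALUES (?, tokenize(?), tokenize(?))",
        SAMPLE_ROWS,
    )
    # Reads: the view applies detokenize() to each protected column. The DBA maintains
    # this SELECT list by hand; column names come from the trusted constant above.
    select_list = ", ".join(
        ["id", "name"] + [f"detokenize({c}) AS {c}" for c in PROTECTED_COLUMNS]
    )
    conn.execute(f"CREATE VIEW customers_authorized AS SELECT {select_list} FROM customers")
    conn.commit()
    return conn


def read_base_table(conn):
    """What an unchanged application (or anyone with table access) sees: tokens, not values."""
    return conn.execute("SELECT name, ssn, email FROM customers ORDER BY id").fetchall()


def read_view(conn):
    """What the modified application sees once its query is pointed at the view."""
    return conn.execute(
        "SELECT name, ssn, email FROM customers_authorized ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    db = build_database()
    print("base table :", read_base_table(db))
    print("view       :", read_view(db))
```

Adding a third protected column means touching every layer again: the INSERT gains another `tokenize(?)`, `PROTECTED_COLUMNS` and the view grow by one entry, and any application query that still reads `customers` directly keeps returning tokens until a developer repoints it at `customers_authorized`. That per-column, per-application cost is exactly the integration burden the question above is meant to surface.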
Selling encryption without setting realistic expectations about these implementation issues is the reason the majority of encryption implementation projects do not fully meet their original goals. Projects end up either encrypting only a very few columns while all other sensitive columns are left in the clear, or limiting encryption to a single application while all other applications remain unprotected.
“How can I find the Elevator?”
When I founded SecuPi, after inventing Dynamic Masking (acquired by Informatica), it was clear to me that an efficient and cost-effective means of implementation would be critical to our customers.
Fundamental to achieving this outcome is the ‘No Code’ approach that SecuPi provides. With SecuPi, there is no coding to APIs, no changing of database schema, no coding and maintaining of views, and so on.
Our solution follows the recently published NIST Special Publication 800-207, Zero Trust Architecture, as well as the Zero Trust Reference Architecture published by the Department of Defense and prepared by the National Security Agency (NSA) and the Defense Information Systems Agency (DISA).
Both describe an architecture with a Policy Decision Point (PDP) and self-contained Policy Enforcement Points (PEPs); in our case the PEPs are deployed as no-code agents on the applications or as transparent data-source gateways (not the HTTP gateways discussed above).
Written by: Alon Rosenthal, CEO & Co-founder, SecuPi