Privacera has always recognized the importance of protecting enterprise data from security breaches. The ability to encrypt and decrypt data at rest and in motion has been part of Privacera Platform since its inception. Staying true to its open-source heritage, Privacera has extended Apache Ranger’s key management service (KMS) beyond big data to cover cloud services.
Ranger KMS is an open-source cryptographic key management service that was developed to encrypt data in Hadoop data lakes, specifically data in the HDFS storage layer. The Hadoop KMS stores encryption keys in a file-based Java KeyStore. Ranger further enhanced the native Hadoop KMS functionality by enabling companies to store keys in a secure database.
Ranger enables centralized administration of the key management server through the Ranger admin portal and provides the ability to create, update, or delete keys using the Web UI or REST APIs. Access policies control who may generate or manage keys, thereby adding another layer of security. Ranger also provides a full audit trail of all actions performed by Ranger KMS.
Privacera supports both the Advanced Encryption Standard (AES) and format-preserving encryption (FPE) as part of its encryption solution.
Encryption in Privacera Platform 4.0
In Privacera 4.0, we have taken a major step forward to enhance the encryption capabilities of our platform. Privacera encryption gateway (PEG) is a robust, scalable API gateway that provides flexible mapping schemes — as well as policy-based encryption and decryption using NIST standards-based encryption algorithms, such as AES-128, AES-256, hashing, and Format Preserving Encryption (FPE) — to customers’ sensitive data and personally identifiable information, without the need for manual processes.
PEG significantly lowers the operational burden on infrastructure and security teams, as they are not required to install, manage, and update separate encryption/decryption tools. With Privacera Portal, customers don’t have to worry about upgrading or maintaining PEG, as it is managed by Privacera. Companies can simply point their data to the proxy server in order to have it encrypted or decrypted in microseconds.
PEG is a proxy server that exposes REST API calls for encryption and decryption. PEG supports encryption and decryption of data at rest and in motion. With PEG, companies can confidently migrate encrypted data from on-premises data lakes to the cloud and safeguard it against breaches in the cloud until it is ready to be decrypted for analytical purposes. PEG is ideal for data transformations and ETL use cases. Companies can use SparkSQL, Apache NiFi, Apache Kafka, StreamSets and other ETL/ingestion engines as potential data sources for PEG.
When a user writes a query against sensitive data, that query is routed through PEG, and PEG will:
- Check to see if the user has access to the data and key used for decryption
- Communicate with Apache Ranger to get authorization for the encryption keys
- Decrypt and send the decrypted data back to the user, after receiving the encryption key
- Restrict the sensitive data returned to the user (for example, if the user is querying an SSN, PEG can be configured to send back only the last 4 digits)
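The four steps above, as an added illustration in Go that is not Privacera's or Ranger's code: the policy store and key store are in-memory stand-ins for Ranger and Ranger KMS, AES-256-GCM is assumed as the AES mode (the post names AES-256 but not a mode), and the "last4" access mode is an assumed way to express the last-4-digits restriction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"strings"
)
type Policy struct {
	KeyID  string            // key the field was encrypted with
	Access map[string]string // user -> "full" or "last4" (only the last 4 digits are returned)
}
// Gateway stands in for PEG; its maps are in-memory stand-ins for Ranger policies and Ranger KMS keys.
type Gateway struct {
	Policies map[string]Policy
	Keys     map[string][]byte
}
// DemoGateway holds constructed sample data: one field, one AES-256 key, two users.
func DemoGateway() *Gateway {
	return &Gateway{
		Policies: map[string]Policy{"ssn": {KeyID: "k1", Access: map[string]string{"auditor": "full", "analyst": "last4"}}},
		Keys:     map[string][]byte{"k1": []byte("0123456789abcdef0123456789abcdef")}, // sample key only
	}
}
// Query follows the post's four steps: check access, release the key, decrypt, restrict the output.
func (g *Gateway) Query(user, field string, nonce, ciphertext []byte) (string, error) {
	p := g.Policies[field]
	mode, ok := p.Access[user] // an unknown field has a nil Access map, so it is denied too
	if !ok {
		return "", fmt.Errorf("access denied: %s may not read %s", user, field)
	}
	block, err := aes.NewCipher(g.Keys[p.KeyID]) // a missing key is nil and is rejected here
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(nonce) != gcm.NonceSize() {
		return "", fmt.Errorf("bad cipher setup or nonce length")
	}
	pt, err := gcm.Open(nil, nonce, ciphertext, nil) // the GCM tag check also catches tampering
	if err != nil {
		return "", fmt.Errorf("decryption failed: wrong key or tampered ciphertext")
	}
	v := string(pt)
	if mode == "last4" && len(v) > 4 {
		v = strings.Repeat("*", len(v)-4) + v[len(v)-4:]
	}
	return v, nil
}
func main() { fmt.Println(DemoGateway().Query("intern", "ssn", nil, nil)) } // prints the access-denied path
```

A real PEG deployment would also write each decision to the Ranger audit trail; this sample only returns the decision to the caller.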
Through PEG, we support the entire governance lifecycle: from the discovery of sensitive data, to classifying and tagging it, to building access control policies, and then encrypting or decrypting data while it is in motion or at rest. PEG is built on Kubernetes, so it is able to scale horizontally based on the number of inputs.
Take a deeper look at Privacera Platform’s new encryption gateway and learn more about how we protect your sensitive data at rest and in motion during our free webinar on December 10, 2020. You can also contact us to schedule a personalized demo.