Thales Blog

Can You Shift Sensitive Data Beyond the Datacenter?

April 5, 2022

Robert Masterson | Senior Partner Marketing Manager

Protecting Privacy in a Multi-Cloud Environment

Today’s enterprise data landscape may appear to have some opposing pressures. The push for corporate cost cutting and IT efficiency can drive data migration to the cloud (and multi-cloud). The recent growth of data stored with cloud service providers shows this. At the same time, this relocation of applications and data to public clouds has increased the need for security and data protection – in a sense going back to the days when everything was stored within an enterprise’s data center. Can IT manage these opposing pressures?

To the Cloud

Without a doubt, public cloud and multi-cloud deployments have demonstrated great advantages. XaaS delivery of everything from compute cycles to terabytes of storage can expand an enterprise’s reach while delivering savings in capital expenditures. But with this ‘erasing’ of the corporate perimeter, an increased risk of data breaches and loss of privacy has followed.

Thankfully, regulatory requirements and industry-leading data protection organizations have all developed guidelines and solutions to address this paradigm. These solutions now offer ways to ensure the data stored in the cloud is protected.

Privacy Behind a Mask

Following this trend, SAP applications are migrating to the public cloud and offering integrated data protection to their enterprise resource planning (ERP), HR, and Finance solutions. Recognizing that SAP workloads frequently include personally identifiable information, or PII, SAP has partnered with Thales to integrate Thales CipherTrust Tokenization into their Data Custodian application environment.

Tokenization offers the ability to mask sensitive data at the field level, before it is written to the HANA database, ensuring only authorized users see PII. With policies that control which users can see PII, anyone else accessing the database will only see masked, or scrambled, data instead of the original data. Since the masked data retains the original formatting, developers can even use the production database (masked) as they integrate their applications with the database.
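A minimal sketch of the field-level behaviour described above, added here as an illustration and not Thales or SAP code. It assumes a vault-style tokenizer with random tokens (the post does not say how CipherTrust Tokenization derives tokens), and `TokenVault`, the role names and the sample SSN are hypothetical, constructed values.

```python
import secrets
import string

CLASSES = (string.digits, string.ascii_uppercase, string.ascii_lowercase)

class TokenVault:
    """Constructed in-memory stand-in for a tokenization service (hypothetical API)."""

    def __init__(self, reveal_policy):
        self.reveal_policy = reveal_policy  # field -> roles allowed to see clear text
        self._by_value = {}                 # (field, value) -> token
        self._by_token = {}                 # (field, token) -> value

    @staticmethod
    def _random_like(value):
        # Swap each digit/letter for a random one of the same class; separators
        # are kept, so length and layout match the original field format.
        out = []
        for ch in value:
            pool = next((c for c in CLASSES if ch in c), None)
            out.append(secrets.choice(pool) if pool else ch)
        return "".join(out)

    def tokenize(self, field, value):
        key = (field, value)
        if key in self._by_value:           # repeat input -> same token, joins still work
            return self._by_value[key]
        for _ in range(100):                # retry on collision with an existing token
            token = self._random_like(value)
            if token != value and (field, token) not in self._by_token:
                self._by_value[key] = token
                self._by_token[(field, token)] = value
                return token
        raise ValueError("no usable token for this value (too short or no maskable characters)")

    def read(self, field, stored, role):
        # Authorized roles get the original back; everyone else sees the token as stored.
        if role in self.reveal_policy.get(field, ()):
            return self._by_token.get((field, stored), stored)
        return stored

if __name__ == "__main__":
    vault = TokenVault({"ssn": {"hr_admin"}})           # constructed policy
    row = {"name": "A. Example", "ssn": vault.tokenize("ssn", "123-45-6789")}
    print("stored row:", row)                           # only the token reaches the database
    print("hr_admin :", vault.read("ssn", row["ssn"], "hr_admin"))
    print("developer:", vault.read("ssn", row["ssn"], "developer"))
```

Because the vault mapping is the only route back to the original value, it needs the same access control and protection as the PII itself.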

What About All Those Keys?

At the heart of data protection are the keys used to encrypt the data. Whether they are cloud-native keys or closely-held on-premises keys, these keys are needed every time a piece of data is encrypted or decrypted. Across a large SAP deployment this can be thousands of times a day - the solution requires simplified management of these keys.

To answer this, Thales CipherTrust Cloud Key Manager also supports SAP Data Custodian. By adding CipherTrust Cloud Key Manager, highly-regulated customers can externally root their cloud-native encryption keys, or generate their own encryption keys to be used by SAP applications running in the public cloud. In addition, since CipherTrust Cloud Key Manager supports multiple cloud environments, the management of the encryption keys across these environments adds ‘single pane of glass’ simplicity.

Stay in Control

Data Protection in the cloud done right must include sovereignty. Best practices state that corporations migrating workloads to the public cloud should be in control of the encryption keys used to protect their data.

What is sovereignty? Sovereignty provides assurances that the enterprise that owns the data is the only entity that can access it. In a public cloud deployment, this ensures that unauthorized users, hackers, or even the Cloud Service Provider (CSP) themselves, cannot decrypt and access the private data.

Using a Bring Your Own Key (BYOK) design, the primary encryption keys, sometimes referred to as Key Zero, or ‘the keys to the kingdom’, remain on-premises and in your control. As needed, CipherTrust Cloud Key Manager provides them to SAP Data Custodian to perform the encrypt/decrypt processes, but these keys are never stored in the cloud with the data.

In Summary

Considering the sensitivity and privacy of data stored in SAP HANA and other SAP applications, what’s needed is a cloud data migration strategy that offers reliable and simplified data protection, while providing the digital sovereignty needed for compliance and peace of mind. The combination of Thales CipherTrust Cloud Key Manager and CipherTrust Tokenization with SAP applications offers solutions that can close the paradigm gap. Leave the data center while maintaining security and sovereignty.

Explore these two solution briefs on CipherTrust Tokenization for SAP Applications and CipherTrust Cloud Key Manager for SAP Applications, to learn why this combination is the right one for your organization.