For many new and evolving applications, the DevOps team will face a challenge: protect data for web services-based applications without access to the application and database or data store. In addition, deployment architectures, including containers and cloud-scalability solutions (e.g. Kubernetes and Helm), demand data protection solutions offering compatible architecture for cloud-first initiatives.
To meet these challenges, CipherTrust Data Protection Gateway (DPG) from Thales offers transparent data protection to any RESTful web service or microservice leveraging REST APIs. DPG is deployed between the client and web service and transparently protects sensitive data inline without modifying legacy or cloud native applications. DPG interprets RESTful data and performs data protection operations based on policies defined centrally in Thales’s CipherTrust Manager and operates seamlessly with other pod-supporting services.
By moving the complexity of data protection into CipherTrust Manager, DPG offers true separation of duties in a DevSecOps world:
- DevOps orchestrates deployment of DPG
- "Sec" creates protection and access policies
- Together, DevSecOps configures each deployment of DPG
DPG also offers granular access controls through policies defined in CipherTrust Manager offering dynamic data masking features. In addition, access policies allow you to define “per user” how the data will be revealed:
- Error replacement value (return nothing or predefined value)
- Masked (first 4, last 4, custom, etc.)
CipherTrust data protection gateway architectural overview diagram
Cloud-ready and cloud-scale
DPG is deployed as a container and is fully compatible with Kubernetes orchestration systems such as Helm, Ansible, Terraform and Kubernetes horizontal scaling. DPG can be deployed as a standalone container for legacy production deployments in addition to development and testing use cases.
DPG is one of several application-layer data protection offerings from Thales. CipherTrust application data protection offers data protection from within applications with minimal assistance from developers. CipherTrust database protection offers transparent, column-level data protection for a wide range of databases. Finally, CipherTrust batch data transformation offers high-performance encryption, tokenisation and static data masking for databases and structured files.
CipherTrust data security platform
Data Protection Gateway is part of CipherTrust Data Security Platform, which unifies data discovery, classification, data protection and unprecedented granular access controls, all with centralised key management. This simplifies data security operations, accelerates time to compliance, secures cloud migrations and reduces risk across your business. You can rely on Thales's CipherTrust Data Security Platform to help you discover, protect, and control your organisation's sensitive data, wherever the data resides.
DPG enables the data security admin to define a security policy by selecting from an ever-growing list of encryption algorithms across the AES, DES and FPE families.
Creating a protection policy
Protecting sensitive data in REST
Selecting which fields to protect is fast and easy. Field selection and protection and/or access policy are configured centrally on CipherTrust Manager, delivering full separation of DevSecOps duties.
Configuring a REST field for protection
CipherTrust Data Protection Gateway
Operating transparently to all entities on the network, DPG interprets RESTful data and performs protection operations based on profiles defined centrally in CipherTrust Manager. DPG is deployed as a container and is fully compatible with Kubernetes orchestration systems. DPG can also be deployed as a standalone container for development and testing use cases as well as legacy production deployments.