Thales background banner

DevSecOps-friendly Data Protection

Can data protection harmonize DevOps and Security?

Saving software developers the time and trouble of being both cryptography experts and managers of encryption keys is actually possible! But why integrate data protection into applications? Because protecting data in an app, immediately upon creation or first receipt, can deliver the highest level of data security. Now that we’ve handled why, let’s think about how to enable developers to protect data passing through their apps. First, there are a lot of programming languages and operating environments (OS’s, middleware), so, a solution has to match the most possible languages with the simplest possible APIs and be supported with any many possible operating environments, too. Second, the solution must be flexible enough to encrypt nearly any type of data passing through an application. Third, the solution has to be both cloud- and on-premises-friendly, with support for emerging cloud-native architectures. Fourth, the solution must be compatible with existing environments!

Architecture

Data ProtectionCipherTrust Application Data Protection delivers on the promise of DevSecOps. Developers enjoy language bindings appropriate to their projects. Operations can leverage choices among Crypto Service Providers that run on a wide range of operating systems. The product includes many operational features that enhance performance and availability to ensure that security imposes a minimal to zero impact on business operations. And for the security team, it operates with CipherTrust Manager, providing an architecture that centralizes encryption keys for applications. Enhanced separation of duties is provided with granular controls on both key users and key operational use.

  • Benefits
  • Features
  • Specifications

CipherTrust Application Data Protection

  • Supports the rapidly evolving needs of DevOps and DevSecOps, targeting the desired combination of rapid software evolution with security
  • Brings together the entire environment to support developers, operations and security with secure encryption key creation and storage
  • Accelerates adding data protection to mission critical applications, saving software engineers the time and effort to master cryptography and find quality encryption keys as well as a safe store for them. 
  • Protects keys from cloud administrators: take your applications to the cloud with utmost security
  • Delivers a separation of duties, a core tenet of security, with security administrators in control of keys in the single pane of glass provided by CipherTrust Manager

Full Suite of Crypto Functions

cloud access management

With comprehensive Crypto Service Providers (CSP) reflecting both industry standard PKCS#11 and KMIP as well as support for Java Crypto Engine, (JCE) Microsoft Crypto Service Provider (CSP) and Crypto Next Generation (CNG), developers and security administrators can select the crypto services, similar to HSM services, that best fulfill the complex needs of the modern organization. Core crypto functions include encryption/decryption, sign, hash (SHA) and HMAC. For convenient data protection avoiding the need for in-application key management, consider CipherTrust Tokenization.

Wealth of Encryption Algorithms

Encryption algorithms and corresponding keys include 3DES, AES 256 (CBC and XTS), SHA 256, SHA 384, SHA 512, RSA 1024, RSA 2048, RSA 3072, RSA 4096, and ECC as well as format preserving FF1 and FF3.

Automated Key Rotation

Built-in, automated key rotation for all crypto functions except for hash.

Many Deployment Choices

  • Applications linked with the development libraries are installed on each application server
    • Local crypto operations offer the lowest latency and potentially highest performance. Keys are encrypted when not in use and obfuscated in memory when in use
    • Crypto operations may be directed to CipherTrust Manager clusters. This choice keeps keys in the key source for the highest key security.
  • A lightweight deployment option is to install the encryption and key management libraries on a web server and access them from an application server using SOAP or REST APIs
  • The lightest deployment option is to access crypto functions using a RESTful API fulfilled directly by CipherTrust Manager clusters

Rich Ecosystem of Solutions

Key management and/or encryption services is available for a formidable ecosystem of solutions including Linux Unified Key Setup (LUKS) and key management for Transparent Data Encryption (TDE) vendors including Oracle, Microsoft SQL Server, and HashiCorp Vault, among many others.

Development Libraries and APIs

  • Java, C/C++, .NET
  • XML open interface, KMIP standard
  • Web services: SOAP and REST

Encryption Algorithms

  • Including 3DES, AES-256, SHA-256, SHA-384, SHA-512, RSA-1024, RSA-2048, RSA-3072, RSA-4096

Web Application Servers

  • Apache Tomcat, IBM WebSphere, JBoss, Microsoft IIS, Oracle WebLogic, SAP NetWeaver, Sun ONE, and more

Cloud and Virtual Infrastructures

  • Works with all major cloud platforms, including AWS, Azure, IBM Cloud, Google and VMware

Supported Platforms for ICAPI Provider

  • Red Hat Enterprise Linux 5.4 and above
  • Microsoft Windows 2003, 2008 R2, and 7 in both 32-bit and 64-bit

Related Resources

CipherTrust Application Data Protection –  Product Brief

CipherTrust Application Data Protection – Product Brief

DevSecOps-friendly APIs, with lightweight data protection application integration available with RESTful APIs. Centralized key management gives security professionals the control they need. Learn more in this product brief.

CipherTrust Data Security Platform - Data Sheet

CipherTrust Data Security Platform - Data Sheet

As security breaches continue to happen with alarming regularity and data protection compliance mandates get more stringent, your organization needs to extend data protection across more environments, systems, applications, processes and users. With the CipherTrust Data...