For many new and evolving applications, the DevOps team is expected to protect data for web-service-based applications without having access to the application code or to the database or data store. In addition, deployment architectures built on containers and cloud-scalability tooling such as Kubernetes and Helm demand data protection solutions that are forward compatible with cloud-first initiatives.
Thales’s CipherTrust Data Protection Gateway addresses these challenges by offering transparent data protection to any RESTful web service or microservice that exposes REST APIs. The Data Protection Gateway is deployed in front of the web service, within the same pod, and operates transparently to all clients on the network. It intercepts RESTful API calls and performs data protection operations based on policies defined centrally in Thales’s CipherTrust Manager, and it works alongside other components such as ingress services used to terminate TLS.
By moving the complexity of data protection into CipherTrust Manager, the Data Protection Gateway offers a true separation of duties in a DevSecOps world:
- DevOps orchestrates deployment of the Data Protection Gateway
- Sec creates protection and access policies
- Together, DevSecOps configures each deployment of the Data Protection Gateway
The Data Protection Gateway also offers granular access controls on the data through policies defined in CipherTrust Manager, including dynamic data masking. Access policies define, per user, how the protected data is revealed:
- Error Replacement Value (return nothing or a predefined value)
- Masked (first 4, last 4, custom, etc.)
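The following is an added illustration of the inline flow described above (it is not Thales code and does not use the CipherTrust Manager policy format): a tiny gateway that replaces a configured JSON field with a token on the way in, so the service and its data store never hold the plaintext, and on the way out detokenizes and applies the caller's reveal rule (plaintext, masked, or error replacement value). The policy dictionaries, the vault-style `TokenVault` standing in for the gateway's real encryption or tokenization backend, the caller identities, and the JSON-only request bodies are all assumptions made for the example; a real gateway would derive the caller from the authenticated request rather than take it as a parameter.

```python
import json
import secrets

# Added example, not Thales code. Hypothetical policy shapes (assumptions):
# the protection policy maps a JSON field name to the protection method applied
# on the way in; the access policy maps a caller identity to a reveal rule.
PROTECTION_POLICY = {"card_number": "tokenize"}

ACCESS_POLICY = {
    "payments-svc":  {"reveal": "plaintext"},
    "support-agent": {"reveal": "masked", "show_first": 0, "show_last": 4},
    "analytics":     {"reveal": "error_replacement", "value": "REDACTED"},
}
# Callers with no access policy fall through to "return nothing".
DEFAULT_RULE = {"reveal": "error_replacement", "value": None}


class TokenVault:
    """Vault-style tokenization, a stand-in for the gateway's real AES/FPE/tokenization
    backend. Deterministic per plaintext so repeated values map to the same token."""

    def __init__(self):
        self._token_by_plain = {}
        self._plain_by_token = {}

    def tokenize(self, plain):
        token = self._token_by_plain.get(plain)
        if token is None:
            token = "tok_" + secrets.token_hex(12)  # random, unrelated to the plaintext
            self._token_by_plain[plain] = token
            self._plain_by_token[token] = plain
        return token

    def detokenize(self, token):
        return self._plain_by_token.get(token)


def mask(value, show_first, show_last, mask_char="X"):
    """Reveal only the leading/trailing characters. A value too short to keep
    anything hidden is masked entirely rather than partially leaked."""
    if show_first + show_last >= len(value):
        return mask_char * len(value)
    hidden = len(value) - show_first - show_last
    return value[:show_first] + mask_char * hidden + value[len(value) - show_last:]


def protect_request(body, vault, policy=PROTECTION_POLICY):
    """Client -> service direction: replace protected fields before the
    service (and its database) ever see the plaintext."""
    data = json.loads(body)
    for field_name, method in policy.items():
        if field_name in data and method == "tokenize":
            data[field_name] = vault.tokenize(str(data[field_name]))
    return json.dumps(data)


def reveal_response(body, caller, vault, policy=PROTECTION_POLICY, access=ACCESS_POLICY):
    """Service -> client direction: detokenize and apply the caller's reveal rule."""
    data = json.loads(body)
    rule = access.get(caller, DEFAULT_RULE)
    for field_name in policy:
        if field_name not in data:
            continue
        plain = vault.detokenize(data[field_name])
        if plain is None:                      # not a token we issued: never guess, return nothing
            data[field_name] = None
        elif rule["reveal"] == "plaintext":
            data[field_name] = plain
        elif rule["reveal"] == "masked":
            data[field_name] = mask(plain, rule["show_first"], rule["show_last"])
        else:                                  # error replacement value
            data[field_name] = rule["value"]
    return json.dumps(data)


def demo():
    """Round-trip one constructed request through both directions for several callers."""
    vault = TokenVault()
    # Constructed sample request body (not real data).
    stored = protect_request('{"name": "A. Customer", "card_number": "4111111111111111"}', vault)
    results = {"stored": json.loads(stored)}
    for caller in ("payments-svc", "support-agent", "analytics", "unknown-caller"):
        results[caller] = json.loads(reveal_response(stored, caller, vault))["card_number"]
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the separation the page describes: the body the service stores carries only `tok_…`, while the same stored body reveals as full plaintext, `XXXXXXXXXXXX1111`, `REDACTED`, or nothing depending solely on the caller's access policy, with no change to the service itself.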
CipherTrust Data Protection Gateway Architectural Overview Diagram
Discover, protect, and control your sensitive data
Thales’s Data Protection Gateway is part of the CipherTrust Data Security Platform, which combines data discovery, classification, and protection with unprecedented granular access controls and centralized key management. This simplifies data security operations, accelerates time to compliance, secures cloud migrations, and reduces risk across your business. You can rely on the Thales CipherTrust Data Security Platform to help you discover, protect, and control your organization's sensitive data, wherever it resides.
Cloud-ready and cloud-scale
The Data Protection Gateway is deployed as a container and is fully compatible with Kubernetes, with deployment and automation tooling such as Helm, Ansible and Terraform, and with Kubernetes horizontal scaling. It can also be deployed as a standalone container for development and testing as well as legacy production deployments.
Thales application-layer protection
The Data Protection Gateway is one of several application-layer data protection offerings from Thales. CipherTrust Application Data Protection offers data protection from within applications with assistance from developers. CipherTrust Database Protection offers transparent, column-level data protection for a wide range of databases. Finally, CipherTrust Batch Data Transformation offers high-performance Static Data Masking for databases and structured files.
Protecting sensitive data in REST
Selecting which fields to protect is fast and easy. More important, the field selection and the protection policy are configured centrally on CipherTrust Manager, which delivers full separation of duties for higher security.
Configuring a REST field for protection
REST field data may be protected using a growing list of encryption and tokenization algorithms from the AES, DES, and FPE families. Note that single DES is no longer considered secure and NIST has deprecated Triple DES for encrypting new data, so new deployments should select an AES or FPE algorithm.
Creating a Protection Policy
CipherTrust Data Protection Gateway
Data Protection Gateway is deployed inline between the client and the web service and operates transparently to all entities on the network. The Gateway interprets RESTful data and performs protection operations based on profiles defined centrally in the Thales CipherTrust Manager, and it works alongside other components such as ingress services used to terminate TLS. Data Protection Gateway is deployed as a container and is fully compatible with Kubernetes, with deployment and automation tooling such as Helm, Ansible and Terraform, and, of course, with Kubernetes horizontal scaling. It can also be deployed as a standalone container for development and testing use cases as well as legacy production deployments.