Queryable Encryption Technology

Use and share data in its encrypted state

Why Legacy Homomorphic Encryption Solutions Are No Longer Sufficient

Traditional data encryption solutions protect your data only when it is at rest or in motion – but they do not protect it while it is being used or queried. With legacy data solutions, every time data is accessed or queried it is decrypted first, which leaves it exposed to insider and outsider threats for as long as it is in use.

Sotero data in use encryption is a patented data security advance that lets you keep your sensitive data encrypted while it is in use, as well as in motion and at rest – regardless of location. Sotero KeepEncrypt technology renders data useless when a system breach occurs, preventing any loss of information.

Why your organization can benefit from data in use encryption

Encryption purpose-built to allow you to keep your data encrypted while it is being queried or accessed gives your organization several advantages.

1. All sensitive data is encrypted to the AES-256 standard wherever it resides. This covers every data field in any application that adheres to the AES-256 standard, as well as heterogeneous data sources such as RDBMS accessed over ODBC or JDBC, and applications deployed on-premises or in a private, public, or hybrid cloud. Whether your data is structured, semi-structured, or unstructured, it stays encrypted at all times.

2. Your organization’s sensitive data is encrypted throughout the data lifecycle – not only while it is in transit or at rest, but also while it is being accessed or queried. Keeping data encrypted no matter what means that when a system breach occurs, the data is rendered useless to the attacker.

3. You and your team stay in control of all data assets and applications from a centralized data security platform. Role-based access controls (RBAC) let you decide which users can see which data at a granular, field level, so your team can protect data from unauthorized access with the click of a button. Enforce cloud data privacy by keeping data protected not only from database administrators, but also from your cloud providers.

4. Protect sensitive data stored in cloud-based SaaS or IaaS applications by keeping it encrypted. Data security and access to sensitive data are controlled by you, and only you.

Why Organizations Are Turning to Solutions That Offer Queryable Encryption

Why limit your organization to traditional data security that is fraught with vulnerabilities when you can check compliance boxes and keep sensitive elements protected at all times? With encryption throughout the data’s lifecycle you can:

  • Share data securely and rapidly with internal collaborators, partners and downstream systems
  • Address production use cases more rapidly by encrypting data throughout its lifecycle
  • Store data in the cloud while complying with data privacy regulations
  • Own the encryption keys and stay in control of all your data anytime, anywhere
  • Query data without the need to decrypt it
  • Utilize powerful anomaly detection and machine learning techniques to protect your data from insider threats
  • Protect your data from known and zero-day ransomware attacks

How Sotero’s Data Security Platform Works

1. Request Data – When an authorized user or application creates a JDBC/ODBC connection for structured, semi-structured, or unstructured data, the request goes through the Sotero proxy.

2. Query Encrypted Data & Encrypted Results – The Sotero query engine uses patented technology to transform the request so that it runs against encrypted data and returns encrypted results. This ensures that data remains encrypted while in use by the database cache or OS swap/memory.

3. RBAC & Anomaly Detection – The Sotero proxy applies RBAC to decide whether or not to decrypt the sensitive data. It also applies the threat score from its machine-learning (ML) based anomaly detection engine to detect any suspicious or anomalous request or activity. This dual control allows Sotero not only to ensure data is requested by authorized users/applications, but also to flag or block malicious activity, including potential ransomware attacks.

4. Privileged Users See Plain Text – Once the Sotero Platform has ensured the data is being accessed by an authorized user or application, the Sotero crypto engine decrypts the data and sends it back to the requesting user/application. This allows privileged users like a database administrator to perform their database management operations without seeing sensitive data in plain text.

The Sotero Platform requires no application code change, no dependency on OS version/patches and no changes to the end user experience – resulting in minimal operational burden. The solution also seamlessly integrates with:

  • Existing directory services/IdP for RBAC controls
  • Existing SIEM/UEBA solutions for centralized audit/logging and real time notification for anomalous behavior
  • Existing key management solutions for FIPS 140-2 or 140-3 level 2 or level 3 requirements
