
Data In Use Encryption

Use and share data in its encrypted state


Traditional data encryption protects data only while it is at rest or in motion; it does not protect data while it is being used. This has been a long-standing gap in legacy encryption solutions: as soon as data is used it must be decrypted, and for that window the plaintext is exposed to whatever can read the process, its memory, or the host.

Sotero data in use encryption is a patented data security advance that keeps data encrypted while it is in use, as well as in motion and at rest, regardless of location. With Sotero KeepEncrypt™ technology the data stays encrypted even when a system is breached, so an attacker who reaches the datastore obtains ciphertext rather than sensitive information.

Data In Use Encryption Advantages

Data in use encryption delivers several advantages over traditional data encryption solutions:

1. All sensitive data is encrypted wherever it resides, at the field level, using AES-256. This covers heterogeneous applications and datastores, including RDBMS reached over ODBC or JDBC, and applications deployed on premise or in a private or public cloud. Whether data is structured, semi-structured, or unstructured, it is encrypted at all times, anywhere it resides.

2. Data is encrypted throughout the entire data life cycle (at rest, in transit, and in use). Because data in use remains encrypted, a system breach exposes only ciphertext and data loss is prevented.

3. Access to unencrypted data is controlled. Role-based access controls let you decide which users can see which data, down to the individual field. This protects data from unauthorized access, including by database administrators at your company or at your cloud provider.

4. Data stored in cloud-based SaaS or IaaS applications can now be encrypted, so you can keep sensitive data in the cloud while security of the data and access to it remain entirely under your control.

Benefits of Data In Use Encryption

Enable a higher level of data security by securing sensitive data while in use.

  • Share data securely and rapidly with internal collaborators, partners and downstream systems.
  • Address production use cases more rapidly by encrypting data throughout the lifecycle.
  • Onboard new vendors, partners and customers rapidly and securely.
  • Store data in the cloud with confidence that it is secure at all times.

How Data In Use Encryption Works

The Sotero data security platform lets organizations protect sensitive data in three steps.

1. Identify sensitive elements in a datastore – Select the sensitive fields and attributes from the dataset(s). Sotero then encrypts these elements with AES-256.

2. Apply RBAC for authorized access – Create a simple role-based access control policy that maps users/groups to the sensitive attributes they are allowed to access.

3. Route data access requests to the Sotero proxy – Point any JDBC/ODBC/API connection for structured or semi-structured data at the Sotero proxy URL/hostname instead of the database, and point SMB/NFS mappings for unstructured data at the proxy.

Sotero Data In Use Encryption Workflow

1. Request Data – When an authorized user or application opens a JDBC/ODBC connection for structured or semi-structured data, the request goes through the Sotero proxy.

2. Query Encrypted Data & Encrypted Results – The Sotero query engine uses patented technology to rewrite the request so that it runs against the encrypted data and returns encrypted results. The database server, its cache, and the OS memory and swap therefore only ever hold ciphertext while the data is in use.

3. RBAC & Anomaly Detection – The Sotero proxy applies RBAC to decide whether to decrypt the sensitive data, and applies the threat score from its machine-learning (ML) based anomaly detection engine to detect suspicious or anomalous requests or activity. This dual control lets Sotero ensure that data is requested by authorized users/applications and also flag or block malicious activity.

4. Authorized Users See Plain Text – Once the Sotero Platform has confirmed that the data is being accessed by an authorized user or application, the Sotero crypto engine decrypts the data and returns it to the requesting user/application. Requests that are not authorized for a field receive only ciphertext, which lets privileged users such as DBAs carry out their database management operations without ever seeing sensitive data in plain text.
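
The three setup steps and the four-step workflow above, modelled end to end as an added example. This is illustrative code written for this page, not Sotero's own implementation, and it makes stand-in choices that are labelled as such: a keyed HMAC blind index lets an equality predicate match on ciphertext, a stdlib-only hash-based stream cipher stands in for AES-256 so the block runs without third-party packages, and a row-count threshold stands in for the ML threat score. The table, column names, roles, keys and customer records are all constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo keys. A real deployment fetches keys from the KMS/HSM the
# proxy integrates with; they never reach the database server.
INDEX_KEY = b"demo-index-key-0123456789abcdef"
DATA_KEY = b"demo-data-key--0123456789abcdef"
NONCE_LEN = 16

# Setup step 2: RBAC maps roles to the sensitive attributes they may read in
# clear. The DBA role deliberately gets none: it manages the table, not values.
RBAC = {"claims_agent": {"ssn"}, "dba": set()}
# Stand-in for the page's ML threat score: a query that would release more
# plaintext rows than this is treated as anomalous and blocked.
ROW_THRESHOLD = 3

# Constructed sample data; "ssn" is the sensitive element selected in step 1.
CUSTOMERS = [
    ("Alice Adams", "123-45-6789"),
    ("Bob Brown", "987-65-4321"),
    ("Carol Cruz", "555-12-3456"),
    ("Dan Diaz", "111-22-3333"),
]


def blind_index(value):
    """Keyed deterministic tag so WHERE ssn = ? can match without decrypting.
    Not reversible, but equal values give equal tags (see the caveat below)."""
    return hmac.new(INDEX_KEY, value.encode(), hashlib.sha256).hexdigest()


def _keystream(nonce, length):
    # Hash-derived keystream: an unauthenticated toy stand-in for AES-256.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(DATA_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_value(value):
    """Randomised: a fresh nonce per value, so stored blobs reveal nothing
    about equality; the blind index carries that job."""
    nonce = os.urandom(NONCE_LEN)
    pt = value.encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(nonce, len(pt))))


def decrypt_value(blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()


def build_db():
    """The backing database holds only ciphertext and blind indexes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
               "ssn_idx TEXT, ssn_enc BLOB)")
    for name, ssn in CUSTOMERS:
        db.execute("INSERT INTO customers (name, ssn_idx, ssn_enc) VALUES (?, ?, ?)",
                   (name, blind_index(ssn), encrypt_value(ssn)))
    return db


class Proxy:
    """What a client reaches after repointing its JDBC/ODBC URL (setup step 3)."""

    def __init__(self, db):
        self.db = db

    def lookup_by_ssn(self, role, ssn):
        """Client intent: SELECT name, ssn FROM customers WHERE ssn = ?"""
        # Workflow step 2: the predicate is rewritten onto the blind index, so
        # the server, its cache and its swap only ever handle ciphertext.
        rows = self.db.execute(
            "SELECT name, ssn_enc FROM customers WHERE ssn_idx = ?",
            (blind_index(ssn),)).fetchall()
        return self._release(role, rows)

    def dump_all(self, role):
        rows = self.db.execute(
            "SELECT name, ssn_enc FROM customers ORDER BY id").fetchall()
        return self._release(role, rows)

    def _release(self, role, rows):
        # Workflow step 3: RBAC decides whether to decrypt at all; the threat
        # score can still block an authorised but anomalous bulk read.
        may_decrypt = "ssn" in RBAC.get(role, set())
        threat_score = len(rows) / ROW_THRESHOLD if may_decrypt else 0.0
        if threat_score > 1.0:
            return {"status": "blocked", "threat_score": threat_score, "rows": []}
        out = [(name, decrypt_value(blob) if may_decrypt else blob.hex())
               for name, blob in rows]
        return {"status": "ok", "threat_score": threat_score, "rows": out}
```

Two things to check in any deployment of this pattern. First, the blind index is deterministic: equal plaintexts produce equal tags, so a DBA can still count how many customers share a value and run frequency analysis on low-entropy fields even though no value is reversible; the product's query engine has to solve the same trade-off for the predicates it supports. Second, the database never sees plaintext, but the proxy does, so the trust boundary moves to the proxy host and the key management it integrates with rather than disappearing; lock down and audit the proxy at least as tightly as the database it fronts.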

The Sotero Platform requires NO application code change, NO dependency on OS version or patches, and NO change to the end-user experience, resulting in minimal operational burden. The solution also integrates with:
  • Existing directory services/IdP for RBAC controls.
  • Existing SIEM/UEBA solutions for centralized audit/logging and real time notification for anomalous behavior.
  • Existing key management solutions for FIPS 140-2 or 140-3 Level 2 or Level 3 requirements.