Sotero In-Use Encryption Enables Organizations
To Use Data Securely In Its Encrypted State
Encryption has been our most effective way to reduce the prospect’s likelihood of incurring a security breach. Though encryption has helped, the weakness associated with traditional encryption is that it protects data only when data is at rest (disk encryption), or when data is in transit via secure communication methods such as SSL and TLS. These shortfalls leave companies with significant vulnerabilities when the data is in use by on-premise or cloud applications.
In addition, as companies rely more heavily on cloud environments, they face even greater risks. By giving control of the data to cloud providers, organizations face significant vulnerabilities because the cloud providers may not encrypt data securely. Even when they do secure the data, the cloud providers often have access to the data and the encryption keys.
The Sotero Data Security Platform takes a new approach to protecting data called “In-Use Encryption.” In-Use encryption is the next generation of encryption technology that ensures that sensitive data is never left unsecured, regardless of lifecycle stage (at rest, in transit, or in use) or location (on premise, cloud, or hybrid). These capabilities set in motion a new world for using, sharing, and monetizing data, securely and with confidence.
This paper outlines the shortfalls that persist with traditional encryption, which continues to leave data vulnerable to breaches, and then discusses how the Sotero Platform eliminates those vulnerabilities, to help companies securely achieve faster time-to-value from their data.
Although encryption offers a range of benefits, traditional encryption technologies continue to suffer from four major areas of vulnerability that are underlying factors in data breaches:
Encryption doesn’t protect data while it is being used.
Companies that encrypt their sensitive data often conclude that their data is completely protected, but that is incorrect. Traditional encryption consists only of:
• Disk encryption, which protects data only when it is at rest on the disk, and
• Encrypted communication links, such as those powered by SSL and TSL encryption, which encrypt data only when it is in transit from one system to another.
While valuable, these do not cover one of the major vulnerabilities that companies face today: an attacker obtaining unauthorized, direct access to the database. An attacker can gain access via several methods, including phishing attacks, misconfigured databases, or custom software programs that impersonate valid applications requesting data. Once a system is breached, the attacker can write queries to access and/or steal all the underlying data. The database operating system will fetch the data from the disk, unencrypt the data and send query results back to the attacker in plain text.
Disk encryption also does not prevent unauthorized access from those who are charged with administering the database, whether they are employees or thirdparty consultants. For example, encrypted data on the disk does not prevent a database administrator from querying the database to access unencrypted data and, thereby, reviewing or stealing data they do not need to access.
Cloud infrastructure and applications often put data at risk.
As organizations shift more of their sensitive data to the cloud, they introduce more potential cracks in their security program. Specifically, SaaS applications and IaaS that reside in a public cloud introduce the following vulnerabilities:
• Cloud providers require customers to provide their own cybersecurity and do not enforce it. This leaves cloud applications vulnerable, unless the provider has a highly sophisticated security management program.
• Data in the cloud is accessible to the database administrators of the cloud applications or infrastructure via direct access to the database.
• If data in the cloud is encrypted by the cloud or application provider, the cloud or application provider still holds the encryption keys and can access the data in the database.
Endpoints such as mobile applications, point-of-sale systems, and IoT devices may not be secure.
Attacks often start at endpoints, such as workstations or printers, which are often left unsecured, and then proceed to back-end servers that hold sensitive data. Lack of control at endpoints enables attackers to access sensitive data, even if it is encrypted. A recent survey of security professionals indicated that employee-owned mobile phones and laptops and IoT devices/sensors are susceptible to attack and are the least likely to be covered by security management programs. In that same survey, 28% of survey respondents confirmed that attackers had accessed endpoints.
Anomaly detection systems come with limitations.
Existing anomaly detection systems have two limitations. First, they are usually deployed at the firewall or network level, rather than at the data access level. This prevents them from detecting data requests that are benign at the access level, but still malicious at the data level. Second, log file and user behavior analysis tools, such as Splunk, do not operate in real-time. They can help organizations discover hacking/intrusion and unauthorized access as part of a forensic investigation, but they do not enable a company to interrupt and prevent unauthorized access in real-time.
The Sotero Data Security Platform takes an innovative, holistic approach to data protection by securing the data itself, not just the application, database, or network in which it resides. This Sotero Platform delivers the following unique advantages over traditional security approaches that have been embraced by organizations across industries, such as: financial services, banking, pharma, healthcare and others.
The Sotero data security platform consists of three components:
Sotero KeepEncrypt™ ensures that sensitive data is encrypted, even when it is being used by applications. It provides decrypted data for authorized queries from your application users. KeepEncrypt™ uses three levels of encryption: deterministic, random and format-preserving.
Each Sotero customer has a dedicated KeepEncrypt™ component, which the customer configures with a graphical setup tool to establish data access permissions. Users can select tables and columns containing data that needs to be encrypted, establish user roles and access controls, and configure communications between KeepEncrypt™ and applications and databases.
After the initial setup, when an application queries the database the query is routed to Sotero KeepEncrypt™. It does so using a driver that connects the application to KeepEncrypt™’s REST API or application connector.
KeepEncrypt™ processes the query. For data requests, it fetches encrypted data from the database. KeepEncrypt™ then evaluates the user’s access rights and sends unencrypted results back to privileged users. Users without the proper privileges would receive encrypted data in response to a query. Queries from unauthorized users will not be completed. For data inserts/updates, it validates the user credentials and, if they are valid, KeepEncrypt™ encrypts the new data, sends it to the database, and logs the data changes. Data flows between Sotero KeepEncrypt™ and the applications/databases in messages secured by SSL encryption.
REST APIs give programmatic access to the components in the KeepEncrypt™ component, allowing application developers to embed Sotero into applications that work with sensitive data and to configure the Sotero platform with programmatic calls instead of using the platform’s graphical setup tool.
The Sotero Vault is a highly secure key management service that uses TLS access control and multiple layers of AES-256 keys to encrypt the data. The Vault holds the data encryption keys (DEKs) used to encrypt the data as well as a master key (or key encryption key, KEK), which is used to encrypt the DEKs themselves. The DEKs are symmetric keys, meaning the same key is used to encrypt and decrypt the data.
If Sotero is deployed on your premises, you will receive a Key Generator utility that enables you to create the keys and store them in your private Sotero Vault. In this scenario, Sotero will never see or access your keys.
If you are using Sotero in the Sotero cloud, you will receive a dedicated namespace within the common Vault, which acts as a vault within a vault.
Sotero will then run the Key Generator utility on your behalf. DEKs are typically created so that there is one for an entire organization. However, if an extra layer of security is required, separate DEKs can be generated for each field. To further protect the encryption key, you have the ability to change the DEK, which will require re-encrypting all sensitive data with the new DEK, or to rotate, or change, the DEK.
Sotero ML Engine
The Sotero ML Engine component detects and protects your data from unauthorized use and prevents attacks in real-time. The ML Engine evaluates each incoming query against historical patterns of use and can immediately stop a suspicious query before the data is released to the user. The ML Engine can stop an attacker who gains access to the system or an authorized user of the system who behaves in a suspicious manner.
Where the Sotero Platform Resides
The Sotero Data Security Platform can be deployed on your premises, in a private cloud or in the Sotero cloud, which is a multi-tenant cloud environment. Regardless of its location, the platform logically sits between your applications and your data store, encrypting data in your data stores, validating requests for accessing data, and decrypting data for authorized requests.
Sotero’s multi-layered approach to data security empowers organizations to safely use, share, and monetize data. The Sotero approach to data security provides the following advantages compared to traditional security approaches:
Encrypt Data In Use
Sotero closes a major security gap where attackers gain direct access to a data store and steal your data. Sensitive data accessed in this way would now be encrypted. Sotero covers data through the entire lifecycle – at rest, in transit, and while it is being used or queried.
Sotero can be deployed on premises, in the cloud, in a VPC, or in a fully SaaS platform.
Encrypted and controlled cloud data
Data stored in cloud-based SaaS applications or IaaS can be encrypted. Access to the data is controlled by you. With Sotero, you can confidently put sensitive data in the cloud.
Restricted data access for DBAs
User privileges can prevent internal and external DBAs, including cloud administrators, from viewing unencrypted data. DBAs directly accessing the data store will see encrypted data.
Secure business collaboration
Data shared with business partners, collaborators, third-party vendors and other enterprises can be encrypted and access rights limited to people with whom you want to share data.
Simplified and scalable security management
Data in all your on-premise and cloud applications and data stores can be secured by Sotero. This gives you a single protection method and a centralized management platform, eliminating the need to deploy multiple native security products, thereby reducing overhead, and allowing you to scale your security management program.
Instant detection and reaction to threats
Even with encryption and controlled access, threats can come from internal actors or from attackers that gain access to system passwords. Sotero analyzes user behavior and responds in real-time to stop suspicious behavior.
Improved data governance
Sotero logs every query, allowing you to understand and better control your data usage.
Adherence to data privacy and security regulations
The encryption and user access controls from Sotero help you to protect sensitive information, including PII, in accordance with regulations such as GDPR, HIPAA, CCPA, and PCI-DSS.
Reduced security product costs
Sotero provides universal protection for all your data stores, eliminating the need to purchase encryption licenses for specific databases.
The advantages of the Sotero platform are within reach of any organization that needs to secure sensitive information. The platform has the following characteristics that allow it to integrate seamlessly with existing infrastructures and business processes:
Sotero is deployed by installing the KeepEncrypt™, Vault, and ML Engine components either on-premise, in a private cloud, or in the Sotero cloud. Then, using a graphical setup tool, Sotero KeepEncrypt™ is configured, including the communication links to applications/databases, encryption, and user/ role privileges. Unlike other security products, there is no need to change the applications and no need to install additional agents on the network. When configuring the encryption, the setup tool will allow you to graphically select which tables and columns you would like to encrypt, select the encryption type (e.g., DET), and encrypt the data via a bulk encryption process. At the end of the encryption process, the sensitive data in the original database will be replaced with encrypted data. Deployment time depends on how much data is encrypted, but for most organizations the Sotero Data Security Platform can be deployed in just a few hours.
Sotero is deployed and operated without disrupting your business. Applications are not changed in the deployment process so users do not need to change how they interact with those applications.
Routing queries and data through Sotero KeepEncrypt™ adds a lag of 1-2% on overall round trips, but desired performance levels can be reached by simply adding extra Sotero processing nodes.
As your data scales, Sotero scales as well and does not require additional maintenance. For example, when sensitive data is added or updated through an application interface (e.g. a sales person enters new prospect information into the CRM), Sotero automatically encrypts and stores the data without intervention from the administrator.
Reliable and resilient
Sotero can be deployed in high resiliency configurations with failover and redundant systems to eliminate single points of failure for mission-critical operations.
Sotero benefits any company that collects, uses, and shares sensitive data, including PHI and PII data. By securing sensitive data, Sotero enables the business to operate with confidence, reduces the strain on the company’s security team, and reduces the financial and brand risk of data breaches. This includes organizations such as:
• Companies that house data in the cloud for broader use and analysis. Examples: online retailers, online banks, and online stock trading platforms.
• Service providers/software providers that want to better secure their data, as well as use that superior security as a selling point for customers. Examples: SaaS providers, cloud infrastructure providers, and outsourced HR service providers.
• Companies that need to comply with international data regulations while keeping data storage more streamlined. Examples: multinational financial services companies and online retailers with international customers.
• Companies that share data or collaborate with suppliers and other business partners. Examples: contract research organizations in the pharmaceutical industry and manufacturers with international suppliers
Data Collaboration in Healthcare Research
As part of testing a new drug, a pharmaceutical company collects patient data, including disease marker and PII data, from hospitals and sends the data to a contract research company for analysis. Sotero encrypts the sensitive data as it leaves the hospital or the research company. The research company completes the analysis without providing unnecessary access to sensitive data.
Compliance in Financial Services
A financial services company located in Europe wants to move EU customer data to the U.S. for processing by a third party. To maintain compliance with the GDPR regulation, the data has to be encrypted. Sotero enables them to transport the data to the U.S. in encrypted form and perform queries in the database in the U.S. without violating GDPR. Sotero only allows people in the EU with appropriate privileges to view the unencrypted data.
Differentiating Feature for Software Platforms
A health benefits provider wants to use the services of a cloud-based healthcare analytics provider, but isn’t comfortable sending claims data from their premises to the cloud for analysis. Sotero provides the healthcare analytics provider a secure data solution that assures the customer that its data will be protected. The benefits provider securely moves data from its on-premise system to the cloud so it can be analyzed. The healthcare analytics provider wins a new customer.
By providing greater encryption capabilities, granular user/role access controls, and real-time anomaly detection, the Sotero Data Security Platform is changing how security and product teams view their data. The platform’s unique focus on increasing security of the data itself, including capabilities to protect data in use and data in cloud environments, is enabling businesses to operate securely and with much lower risk should a breach occur. Sotero is giving its customers the confidence to use their data to the fullest extent, earn the trust of customers, and differentiate themselves from their competitors.
This White paper takes a deep dive under the hood of the Sotero Data Security Platform. Learn how Sotero’s next-generation data encryption technology keeps data encrypted while the data is in use, in motion, and at rest, regardless of location.
Sotero is the global innovator and leader in next-generation data security. Sotero’s data security platform enables our customers with a way to protect data anytime, anywhere, regardless of data store, integration mechanisms, and user tools. The platform is able to control, access, operate, and use data to extract information that drives organizations’ business outcomes and innovation.
Sotero provides organizations with a scalable and flexible data security fabric that migrates and moves data securely in all its instances in an interconnected world. Organizations gain complete control over their data privacy, compliance, audibility, and governance for use cases ranging from securing data at the edge, IoT devices and streaming data, and anomaly detection.