Data Encryption Services

Data Security Broker offers Data Encryption services, which enable the provisioning of Data Security Broker Manager and Data Security Broker Shield. They also let you configure encryption and decryption rules for IBM Cloud Databases such as PostgreSQL, so that database records or columns are encrypted and decrypted on the fly, and let you migrate existing database records by applying record-level or column-level encryption rules to them.

Data Security Broker supports two types of Data Encryption services. They are:

  1. Data Encryption
  2. Data Masking

Deployment Plans in IBM Cloud Data Security Broker

When you assign and customize default Data Protection Policies with Data Security Broker Manager, there are three options for implementing your data encryption policy:

Save Policy

The Save Policy option is selected by default. It saves your policy selections but does not execute encryption or data protection on your database. Your policy remains saved with the application until a new policy is saved to overwrite it. You can deploy or migrate the saved policy later.

Deploy Policy

The Deploy Policy option saves your policy and deploys your configured Data Security Broker Shield as a proxy for the configured database. You connect to your Data Security Broker Shield endpoint, as if it were your database endpoint, to access your database. Any data that passes through the Data Security Broker Shield proxy is stored encrypted in the database if that data is covered by your policy.

Deploy Policy and Migrate Data

The Deploy Policy & Migrate Data option saves your policy, deploys it, and migrates your existing selected tables and columns through the specified Data Security Broker Shield so that the data already in them is encrypted. Data Security Broker Shield then acts as a proxy for the configured database, as with Deploy Policy.

This option is disabled for applications that do not have a Data Security Broker Shield associated with them.

Encryption Models supported by Data Security Broker

Data Security Broker supports data encryption services that can be configured in four main modes.

Data Encryption

In this mode, Data Security Broker functions as application-level encryption (ALE) software that encrypts data at the field level. This is done by using Data Security Broker Manager to enumerate the data schema and define an encryption key mapping.

Data Tokenization

Data Security Broker supports length-preserving and data-type-preserving tokenization methods to anonymize data at the field level in databases or in semi-structured data files.

Record Level Encryption

Data Security Broker can be configured for record-level encryption, which supports multiple keys within a single column, each mapped to its respective data owner or entity. This encryption mode is effective in multi-tenant or shared data environments where segmenting the data can be challenging. In this mode, data shredding can be enabled by deleting the public and private keys of a given entity, which makes that entity's records unrecoverable while leaving other entities' records intact.
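The following is an added illustration of the record-level model just described, not code from Data Security Broker: one column holds values sealed under different owners' keys, and deleting one owner's key shreds only that owner's records. The in-memory KeyStore, the Seal and Open functions, and the choice of AES-GCM with the owner name as associated data are assumptions of this example, standing in for the product's own Keystore and key handling.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")

// KeyStore holds one data encryption key (DEK) per data owner. It is an
// in-memory stand-in (assumption) for the Keystore configured in the Manager.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Provision generates a fresh 256-bit AES key for one owner (tenant/entity).
func (ks *KeyStore) Provision(owner string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return err }
	ks.keys[owner] = k
	return nil
}

// Shred deletes an owner's key: every value sealed under it is now unrecoverable.
func (ks *KeyStore) Shred(owner string) { delete(ks.keys, owner) }

func (ks *KeyStore) aead(owner string) (cipher.AEAD, error) {
	k, ok := ks.keys[owner]
	if !ok { return nil, errors.New("no key for owner " + owner) }
	block, err := aes.NewCipher(k)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Record is one row: Owner is a plaintext column, Sealed is the encrypted
// column (nonce || AES-GCM ciphertext) bound to Owner as associated data.
type Record struct{ Owner string; Sealed []byte }

// Seal encrypts one field value under its owner's key.
func Seal(ks *KeyStore, owner, value string) (Record, error) {
	a, err := ks.aead(owner)
	if err != nil { return Record{}, err }
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Record{}, err }
	return Record{Owner: owner, Sealed: a.Seal(nonce, nonce, []byte(value), []byte(owner))}, nil
}

// Open decrypts a record; it fails once the owner's key has been shredded,
// and also if the row's Owner column was changed after sealing.
func Open(ks *KeyStore, r Record) (string, error) {
	a, err := ks.aead(r.Owner)
	if err != nil { return "", err }
	n := a.NonceSize()
	if len(r.Sealed) < n { return "", errors.New("malformed ciphertext") }
	pt, err := a.Open(nil, r.Sealed[:n], r.Sealed[n:], []byte(r.Owner))
	if err != nil { return "", err }
	return string(pt), nil
}
```

Because the key store, not the database, decides which rows are readable, shredding is immediate and needs no rewrite of the table; the sealed bytes stay in place but decrypt to nothing.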

Data Masking

Data Security Broker can enable simplified data masking, which prevents the decryption of data and sensitive file information based on the configuration or on deleted keys. This mode can minimize data exposure in public cloud environments and provides better control over data exfiltration to external parties.

Procedure

After you have set up and configured the Data Security Broker Manager, you can perform standard encryption or data masking by defining a Data Protection policy. Complete the following steps before you use the data encryption services offered by Data Security Broker.

  1. Add a Keystore, so that the Data Security Broker Manager can access and create the data encryption keys (DEKs) that are used to protect your data. For more information, see Adding a Keystore in Data Security Broker Manager.

  2. Connect to a database in the Data Security Broker Manager. For more information, see Connect to a Datastore in Data Security Broker Manager.

  3. Enroll an Application in Data Security Broker Manager. For more information, see Enrolling an application in Data Security Broker Manager.

  4. Assign and customize a Default Data Protection Policy. For more information, see Create, assign, and Customize Data Protection Policy in Data Security Broker Manager.

  5. Encrypt and Decrypt Data. For more information, see Encrypting the data with Data Security Broker on an IBM Cloud PostgreSQL Database.