Cyber-security vendor Baffle announced an update to its Advanced Data Protection Service on June 4 that makes it possible for users to search encrypted data.
The Baffle Advanced Data Protection service includes multiple components to help keep data private. Rather than having unencrypted data pass in and out of a database, Baffle’s technology encrypts data before it goes into a database. As such, the database tier of an application stack only works with encrypted data, with all the encryption keys held by the customer.
“What we have built is a solution where we can actually do operations on encrypted data without ever decrypting at any point and without changing the application itself,” Ameesh Divatia, co-founder and CEO of Baffle, told eWEEK. “We wanted to figure out a way that we can position data access and data as being two separate things.”
Divatia helped to start Baffle in 2015 and was among the finalists at the 2017 RSA Conference Innovation Sandbox. The company has raised $9.5 million in venture funding, including a $6 million Series A round announced on Jan. 17.
In the data encryption market, the terms “data in motion” and “data at rest” are often used to explain different use cases. Data in motion refers to data in transit across a network, while data at rest refers to data that is stored on disk. Divatia said that what Baffle is doing is encrypting data in use.
“In our case, because we protect databases, the data in the database servers’ memory is still encrypted,” he said.
How It Works
The way the Baffle system works is it is inserted between an application and the database, according to Divatia.
Harold Byun, vice president of products and marketing at Baffle, explained that the Baffle Shield component of the platform sits underneath the SQL interface layer and is invisible to the front-end application. Baffle then enables organizations to use their own encryption keys to apply AES encryption to the data as it is interoperating with the database tier. The cloud-based BaffleManager console provides organizations with a dashboard for managing data encryption and key management, as well as providing audit reporting and compliance capabilities.
“We turn the database tier into an AES encrypted brick with no key present,” Byun told eWEEK. “So if anybody gets in the database tier, whether it’s a cloud provider, a government subpoena or a database insider that wants to do a memory dump, we encrypt the data in memory in use as it’s being processed in the search index and at rest, without breaking the application functionality.”
Baffle supports both on-premises and cloud deployments and can be installed rapidly, Byun said. He added that the Baffle system adds almost no resource overhead to computation and does not come with a performance hit to running applications. By enabling users to be able to search through encrypted data, Byun said Baffle is making the platform more usable and removes a potential barrier to adoption. The Baffle technology is patented and is based on the cryptographic concept of secure multiparty computation.
“Effectively it’s the art of sharing data, without actually sharing the data,” Byun said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.