Quick migration to field level encryption of governmental data
Compliance requirements sometimes emerge unexpectedly with strict deadlines, and you wake up with your product having to protect sensitive data. [REDACTED] arrived in this situation not by oversight but by changing requirements from its governmental customers and financial institutions that re-qualified the type of data [REDACTED]’s systems store as highly sensitive.
[REDACTED] analyzed the data security software available on the market and decided to use Cossack Labs’ Acra. Acra, a database security suite, was chosen to provide immediate relief for sensitive data concerns using field level encryption, data masking and access control.
Industry
GovTech
Finance
Service platform
Technology stack
Java, PHP (~60 apps)
React, Angular
MySQL cluster
Large on-prem deployment
Regulations
Governmental regulations for working with sensitive government-owned data
SOX, CCPA, CPRA
PCI DSS
Challenges
Flexible data access policy. Different applications should have different access policies to the same instances / databases.
Scalable key management. In a constrained environment, managing millions of keys and additional infrastructure components is a problem.
Tight timelines. Acra users had to deliver proof of security value within 12 weeks.
Zero code changes. [REDACTED] has over 60 applications that operate on sensitive data and must be protected without significant interventions in the application code.
Technology requirements
Integrate encryption without changing the application code
As [REDACTED] has over 60 applications (external APIs and internal apps), the data security changes should require minimal application code changes.
FIPS 140-2 compliant cryptography
The cryptographic module should be FIPS 140-2 compliant.
Large scale infrastructure
The customer operates a large MySQL deployment with many instances and different policies for each instance. Acra should provide fine-grained access control for existing applications.
ETL optimization
Ingest, transform and encrypt large amounts of data via an ETL gateway.
Our approach
Security design to reflect exact use cases
We outlined an architecture that would meet the Customer’s needs within its constraints. We designed and implemented configurations as security policies, and designed a key lifecycle that minimizes the number of keys kept loaded and stores the remaining keys in a simpler datastore.
Modeling and testing the environment
After the design phase, we built a test environment with implemented data security controls and configurations. Together with [REDACTED] engineers, we tested this environment with comparable load, data volume, and complexity. Based on test results, the network and security configurations were fine-tuned.
Building a migration pipeline
Having proven business value and designed the end solution, we built a migration flow to bring service disruption to a bare minimum.
Solution
We designed a secure data flow solution based on Acra. We selected several Acra modules according to the business and technical constraints and ensured a smooth migration from the current deployment to the new one.
Key features:
- AcraServer (SQL proxy) is used in transparent proxy mode for MySQL databases. The applications were redirected from MySQL to AcraServer; no changes in application code were required. AcraServer encrypts/decrypts data transparently for the apps, parsing SQL queries to and from databases.
- AcraTranslator (API service) is used as a bulk encryption API for ETL, to process large amounts of sensitive data and encrypt it on the fly.
Data access policy:
- Every application that requires access to the sensitive data is identified by its TLS certificate and IP address. Acra identifies the app and uses mutual TLS authentication before accepting the connection. Then Acra uses its access policy to define which data fields should be decrypted for this app.
- Applications that process different levels of protected data use Zones. Zones define the “privilege” levels in the app. When the application is working under the admin user, it receives data in plaintext; when a non-privileged user uses the app, it receives masked data (“xxxxxxxx@acme.org”) from Acra.
FIPS 140-2:
- Acra depends on the Themis cryptographic library. Themis’s modular structure allows switching cryptographic backends. For this project, Themis received a custom certified crypto module that performs the core cryptographic operations in a compliant manner.
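As an added illustration (not configuration from the Customer’s project), here is what an AcraServer encryptor config expressing the field level encryption and masking described above could look like. Table and column names are assumed, and the key names follow Acra’s documented encryptor config format; Zone settings are omitted.

```yaml
# Added example, not the project's own config. Table and column names are
# assumed; key names follow Acra's documented encryptor config format.
schemas:
  - table: citizens            # assumed table name
    columns:                   # full column list, in table order
      - id
      - full_name
      - email
    encrypted:
      # Transparent encryption only: AcraServer encrypts on INSERT/UPDATE
      # and decrypts on SELECT for an app whose client ID (taken from its
      # TLS certificate) has the matching key; for any other app the value
      # stays encrypted in the response.
      - column: full_name
      # Encryption with masking: the last 9 characters ("@acme.org") are
      # kept in plaintext, the rest is encrypted. An app that holds the key
      # gets the full address; an app without it gets "xxxxxxxx@acme.org".
      - column: email
        masking: "xxxxxxxx"
        plaintext_length: 9
        plaintext_side: "right"
```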
Products and services involved
Acra, a database security suite
Acra's modular structure allows data security to be built in smoothly while accommodating specific technical constraints. The combination of transparent SQL encryption via AcraServer and an encryption API via AcraTranslator makes Acra fit for complicated distributed solutions.
Security engineering & architecture
We designed and implemented a new solution architecture that ensures all sensitive data fields go through encryption points.
Results and outcomes
Cossack Labs' solution allowed the Customer to integrate field level encryption and data masking quickly, without risking the loss of its governmental customers.
Acra’s flexibility (using AcraServer as an SQL proxy and AcraTranslator as an encryption API service) allowed it to blend into the constrained architecture without re-engineering or rewriting the existing customer applications. The resulting solution was measured, optimised and acceptable from a performance perspective: the introduced latency was no more than 3 to 6% for most application requests.
The Customer met the financial and governmental requirements for protecting sensitive data and delivered the solution on time, which opened more doors in the regulated domain.
Protect sensitive data without re-engineering using Acra
We help you focus on serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.