Data Privacy Manager (DPM)
Enterprise Encryption Management
Protect your sensitive data, across all your systems
Randtronics is a global leader in enterprise encryption management whose Transparent Data Encryption (TDE), Masking / Tokenization, Key Management and related data-privacy products are used by over 200 customers across 20 countries.
Randtronics is trusted by banks, government agencies and telecommunications service providers and many others to:
- Protect against data breach
- Enforce internal privacy controls
- Mitigate exposure to ransomware attacks
- Satisfy regulatory compliance obligations
Randtronics Data Privacy Manager (DPM) is a 100% software-only data security platform that manages encryption protections for structured and unstructured data on-premise and on-cloud.
DPM provides:
- Universal, centralized key management to FIPs 140-2/3 Level 3/4 and Common Criteria EAL 4+/5+
- Encryption, format preserved encryption, tokenization and masking
- No-code change Transparent Data Encryption (TDE) for Windows and Linux environments
- No-code change field-level protection (FLP) for MS-SQL Server and Oracle Database and flat files
- Low-code API protection for any field-level protection (FLP) for any application-database stored anywhere
- Data sovereignty assurance: total control of where data and keys are stored and used
- Shared file encryption to protect files shared across Dropbox, email, OneDrive, Google Drive, FTP
Randtronics DPM protects your sensitive data everywhere
Watch how straightfoward protecting data becomes using Randtronics DPM
Protect Databases
Implement transparent data encryption or field-level protection for any database application
Protect File Servers
Implement transparent data encryption on any file store on any physical or virtual Windows or Linux platform
Protect Keys
Centralize and simplify enterprise key management
Protect Data in Transit
Protect files being shared by any electronic medium or media to ensure materials can only be read by the intended recipient
Simplify and strengthen your enterprise encryption
protection, quickly, simply with no fuss
- Standardize encryption management across multiple DB vendor technologies
- Standardize encryption management for all Windows/Linux VM or Kubernetes container environments on-premise, or on-cloud
- Standardize key management for all encryption keys and digital certificates
- Role separation of data privacy protection management with air-gap separation from the IT Organization
Our Solutions
Maintain data privacy and confidentiality before, during and after ransomware attack for any type of data.
Easily maintain privacy by de-identifying data in files, app, web applications and databases.
Maintain data sovereignty whilst using public clouds and outsourced providers.
Try Randtronics DPM today
Book your own instant proof of concept, right now!
White Papers & Case Studies
Our Customers
Why Choose Randtronics?
- Encryption specialists
- Randtronics encryption products are in use with over 200 customers in more than 20 countries.
- Sole focus on tools to simplify the implementation of effective, policy-based protections for your sensitive data.
- Transparent encryption, masking, pseudonymization, tokenization or anonymization – supporting all your cryptographic-based protection needs as encryption- based technologies continue to evolve.
- Trusted by banks, health providers and top-secret agencies
- used by customers protecting regulated (HIPAA, PCI
DSS, international Data Privacy Laws) data. - used by agencies protecting top-secret information.
- Single platform to manage database and file encryption on all your digital environments
- protects structured and unstructured data.
- laptops, Kubernetes containers, multi-vendor
cloud and any Windows/Linux based server/ VM (web, app, database, file, CRM, ERP systems, etc). - Policy-driven and fully auditable.
- Single skillset for managing data privacy across all your
databases.
- Our platform enables you to simplify and strengthen data privacy compliance :
- Build and consistently implement policy-based privacy
management of data and keys. - Improve auditability – demonstrable role segregation
between data privacy, sensitive data and IT organization. - Implement the highest data sovereignty assurance levels – full control of location of keys and total control of data privacy.
- Automated encryption key management
- Plug and play key management integration.
- Policy-driven key lifecycle and location.
- Protect your data without slowing you down.
- No-code integration with multi-vendor HSM for key assurance to FIPS140-2/3 level 3/4, Common Criteria EAL 4+/5+.
- No code changes required for TDE and field level protection
- Transparent Database Encryption protection of any databases and file stores on Windows and Linux platforms.
- Point and click protection for Oracle and MS SQL field-
level data. - Low-code API integration for non Oracle/MS SQL Server
databases and applications.
- Performance optimized Technology
- Encryption, tokenization and format preserved encryption routines optimized for efficiency.
Latest news and articles
Wide-ranging attacks against Barracuda appliances linked to China
This week the news broke that Mandiant (an incident response firm) attributed the recent cyberattack campaign targeting customers utilizing Barracuda’s Email Security Gateway to hackers
Goodbye, Tina Turner
Sad news this week that the Queen of Rock ‘n’ Roll has exited the stage. Many of us at the Randtronics team grew up hearing
Don’t take an Uber to the Big House
In a groundbreaking development, the ex-security chief of Uber has been convicted for his failure to disclose a significant data breach that occurred at the
Frequently Asked Questions (FAQ)
Encryption is a method of protecting or concealing confidential data from preying eyes or unauthorised people.
Encryption is the process of encoding data, making it unintelligible and scrambled to prevent unauthorized access. Typically, encrypted data is also paired with an encryption key, and only those that possess the key will be able to open it. Encryption is the most effective way to achieve data security.
Unencrypted data is called plain text. Encrypted data is referred to as cipher text.
Encryption and field-level data privacy protection is now an essential requirement.
Cyber protection is an arms race and sophisticated attackers continue to demonstrate their ability to penetrate the defenses of technically sophisticated organizations.
Relying on good fortune is not an option and business leaders must assume that attackers will at some point penetrate their external perimeter and thus must ensure that sensitive data is not stored in readable format with the ability to read this information tightly controlled.
Encryption is becoming a legal necessity for all organizations with increasingly stiff penalties for organizations that fail to comply. Personal data protection legislation such as the EU’s GPDR are imposing new data protection obligations on top of industry specific requirements and best practices such HIPAA for health records and PCI-DSS for payment
The big questions today are no longer ‘should we use encryption’ but are instead ‘how’ to implement encryption and field-level data protection across all systems to tightly control who can see data in readable format, and how to manage this protection layer without impeding the organizations’ ability to operate.
Transparent Data Encryption (TDE) is a security technology used to protect sensitive data at rest by encrypting it on storage media, such as hard drives or databases. TDE works by automatically encrypting data as it is written to disk and automatically decrypting data as it is read from disk, without requiring any changes to the applications that access the data.
The encryption and decryption process is transparent to the user and applications, hence the name “transparent” data encryption. This means that data can be stored in an encrypted form, but still be accessible to authorized users without requiring them to enter any additional passwords or perform any manual decryption steps.
TDE typically uses strong encryption algorithms such as Advanced Encryption Standard (AES) to protect data, and the encryption keys are managed by the database management system or operating system to prevent unauthorized access. TDE provides an additional layer of security to protect sensitive data in case of data theft or loss of storage media.
Full Disk Encryption (FDE) is a security technology used to protect the data stored on a computer’s hard drive or other storage devices by encrypting the entire disk. When a disk is encrypted with FDE, all data stored on the disk, including the operating system, application files, and user data, is encrypted using a strong encryption algorithm.
FDE ensures that if an unauthorized person gains access to the computer or storage device, they will not be able to access the data without the encryption key. This provides an additional layer of security beyond the typical user authentication methods, such as passwords, which can be bypassed by someone with physical access to the device.
FDE can be implemented at the hardware level, such as through self-encrypting drives (SEDs), or at the software level, such as through operating system-level encryption software like BitLocker (Windows) or FileVault (macOS).
Volume Encryption is a security technology used to protect specific volumes or partitions on a storage device, rather than the entire disk as in Full Disk Encryption (FDE). When a volume is encrypted, all data stored on that volume is encrypted using a strong encryption algorithm.
Volume encryption allows users to encrypt only the data that is most sensitive, while leaving other data on the disk unencrypted. This can be useful in situations where the entire disk does not need to be encrypted, but specific volumes or partitions containing sensitive data need to be protected.
Volume encryption can be implemented at the hardware level, such as through self-encrypting drives (SEDs), or at the software level, such as through operating system-level encryption software like BitLocker (Windows) or FileVault (macOS).
Randtronics DPM easyCipher provides Transparent Data Encryption (TDE) protection of files and folders.
Files and folders protected can be entire databases or the contents of laptops, file servers, web servers or Network Attached Servers (NAS).
Randtronics DPM easyCipher is a two tier solution with a central management platform that defines and manages encryption policy and locally deployed agents that are responsible for encryption operations.
Randtronics TDE is implemented in a two-tier manager-agent architecture that provides three major advantages compared to using the TDE options provided by individual database vendors (native TDE):
- Protection for native TDE covers only the database. Randtronics TDE can extend protection to cover the entire contents of the database server plus any file server or laptop that holds reports or analytic materials based on database contents
- Native TDE is controlled by database administrators (DBAs).ᅠ ᅠRantronics TDE is centrally managed and monitored.
- Randtronics TDE offers the simplicity of a single, standardised method for encrypting any databases is deployed in a Windows, Linux or Kubernetes environment
Randtronics TDE offers fine-grained access control over what users and applications have access to any file or folder.
Full Disk Encryption (FDE) offers a simple open/locked protection for a hard disk.
FDE provides no protection between users or against hackers who typically access computers via network.ᅠ
Privileged users:ᅠ systems administrators (Sys Admins), database administrators (DBA’s) and application administrators by definition have the ability to perform far more activities than standard users.
Privileged User credentials are consequently highly prized by hackers wishing to circumvent security measures.
Many traditional data security measures focus on protecting a single platform and by necessity the administrator of that platform has the means of managing and hence circumventing security.ᅠ ᅠᅠ
Randtronics Data Privacy Manager is a policy-based data security platform that separates the management of data protection policies away from the control of Sys Admins, DBA’s and Application Administrators.
Enterprise Key Managers (EKMs) are data security platforms that securely manage encryption keys and digital certificates.
EKMs such as Randtronic’s DPM easyKey provide a centralized, standardized means of managing keys for multiple applications at scale.
Randtronics DPM easyKey is software-only key management solution that also has the capability to integrate and manage the key protection capabilities of hardware key stores.
Object-level data protection refers to encryption of whole files, folders, databases, file services and/or Network Attached Storage (NAS) devices.
Randtronics DPM easyCipher product provides object-level Transparent Data Encryption protection.ᅠ
Object-level protection has the advantage of being extremely simple to implement and rapid to deploy with minimal impact on users and processing times.
Field-level protection refers to the protection of content within flat files and databases.ᅠ Field-level protection methods include encryption, tokenization and data-masking.
Randtronics DPM easyData is a field-level data protection engine used to provide
i) Column level data protection to Oracle and MS SQL Server databases
ii) Field-level data protection for flat files, andᅠ
iii) Field-level data protections for data strings within applications
Increasingly public cloud platforms offer built-in encryption protection.
Users of Randtronics DPM storing data on public cloud platforms have the option to deepen the layers of protection with additional protections that are independent of the cloud platform provider.
Use cases include:
- Key Sovereignty – exerting control over the physical location and security of encryption keys
- Data-in-use – adding field-level protections such as tokenization, masking or anonymisation to allow data to be shared without compromising data security
Data at rest refers to data in storage.
Randtronics DPM enables organizations to store data in protected form and thus mitigate the risk of a cyber attack resulting in a data breach.
Data in use refers to data being held in memory and being operated upon by a application.
Randtronics DPM provides organizations to mitigate the risk of data-in-use data breach through the use of tokenization, data-masking and data-anoymization techniques.
Data in transit refers to data being transferred between systems.
Randtronics DPM offers organizations multiple methods of protecting data-in-transit
i) Field-level protections: Tokenization, Data Masking and Anoymization allowing data to be transmitted and shared without risk of breach
ii) DPM easy2Go, a utility for encrypting files for sharing via insecure mediums or media with external users.
Tokenization refers to the reversible substitution of protected data with a token.
Encryption refers to the reversible disguise of data using an encryption key.
Format preserving Tokenization and format-preserving encryption refers to restricting the choice of token characters or cipher text characters. This is typically done to maintain alpha-only, numeric or alpha-numeric formats and thus maintain compatibility with systems that use strong data-types.
The effectiveness of encryption systems in preventing data loss rests on three legs
a) Difficulty of breaking encryption – traditional encryption relies on the use of encryption keys that are mathematically hard to guess.ᅠ The growth in computing power has required keys to become longer.ᅠ ᅠ The introduction of quantum computers introduces the prospects of future computers being able to quickly break traditional keys and the need to replace keys with new generation of quantum-safe keys.ᅠ ᅠ A key advantage of enterprise key management systems such as DPM easyKey is the ability of organizations to centrally manage all encryption keys and digital certificates with the ability to easily upgrade keys with stronger variants over time
b) Difficulty of by-passing encryption – traditional encryption systems operate at the level of a single computer or database and are thus vulnerable to being bypassed by the privileged users responsibility for administering that platform.
c) Inability to find unprotected copies of sensitive dataᅠ – copies of sensitive data can exist in reports,ᅠ analytic systems, test data sets all of which need to be protected.ᅠ Hence a truly effective encryption systems needs to be able to sensitive protect data wherever it resides.
Database encryption is the process of converting plain text information into an unreadable code that can only be deciphered with a key or password.
This protects sensitive information from unauthorized access and theft of content.
The two main types of database encryption are
a) Transparent Data Encryption (TDE).ᅠ ᅠ After data is encrypted, data is transparently decrypted for authorized users or applications. TDE helps protect data stored on media (also called data at rest) in the event that the storage media or data file is stolen.
Depending on the implementation TDE be applied at the tablespace level (whole of database) or selectively at a Column level.
Many database vendors offer TDE solutions for selected version of their database products.ᅠ ᅠTypically the addition of TDE requires purchase of an additional licence.
Randtronics DPM easyCipher is a TDE product that sits outside of the database and can provide tablespace level TDE as well as protecting other files on the database folder such as report folders, analytics applications or other areas where potentially extracts of sensitive dataᅠ may exist.
Randtronics DPM easyCipher enables TDE protection for any database that runs in a Window/Linux or Kubernetes environment and thus can
b) Field-level Encryption
File-level encryption when integrated with an enterprise access control system (Randtronic DPM being an example) allows for multiple users to access IT systems whilst preserving the ability to grant or deny access to any user or application to a given file.
Full-Disk and Volume Encryption are basically either on or off – once unlocked, anyone can access anything.ᅠ ᅠᅠ
Full-Disk and Volume Encryption are often used to lock down data in the event that a device or hard-drive is physically stolen.ᅠ ᅠHowever, File-level encryption can also do this whilst a much deeper level of data protection
Starting with an illustration
Jane.Doe@gmail.com
In anonymized form might be
asfasdfas@dsdfdfsdf
Data that has been anonmyized is completely safe in the sense that that it is simply not possible to re-identity the individual by matching the scrambled data field with other records
Pseudonymized form might be:
asdfsfsf@gmail
Pseudonymized form still has some useful information – in this case gmail.com tells us that the person isn’t using a work account. However, for example if the email address was something less generic then given access to a another list of user names and email it might be possible to rematch the record back to Jane Doe.
Examples of pseudonymization include obscuring all but the last 4 digits of a bank account number — so a clerk can distinguish between a customers various accounts but still not know the full account details.
Historically, encryption protection an additional feature added to IT systems giving rise to a situation where an organization have may multiple, incompatible data protection ‘silos’, each of which requires specialist skills to administer and of course, changes in one do not automatically flow on.
By contrast a centralized policy-based management system for encryption, other forms of data protection and encryption keys provides a single point of administration.
The benefits of a centralized policy-based system include
- consistency – ensuring that changes are automatically applied everywhere
- role separation – data privacy can be administered independent of the IT organization. Privileged IT accounts are prime targets for hackers and a centralised policy-based data protection system enables an organization to isolate privileged IT accounts from access to sensitive data
Encryption keys come in four basic forms: symmetric, asymmetric, public and private.
Enterprise encryption systems typically use asymmetric, public and private keys as symmetric encryption systems have some significant limitations.
- Symmetric encryption: Symmetric-key cryptography uses a single encryption keyᅠ for both encryption and decryption of data.ᅠᅠ
- Asymmetric encryption:ᅠIn asymmetric keys, a pair of keys are used to encrypt and decrypt the data. Both keys are paired with each other and created at the same time. They are referred to as public and private keys
- Public keysᅠprimarily encrypt the data and are only used to encrypt the data, not to decrypt
- Private keysᅠare used to decrypt the data. This is the only key that can decrypt the encrypted data. Should be password-protected
Symmetric-key encryption has some advantages,ᅠ it doesn’t require a complex backend infrastructure and encrypt/decrypt algorithm is fast but there are some significant limitations and challenges, including:
Key distribution: In order to use symmetric key encryption, both the sender and receiver need to have the same secret key. The key needs to be securely distributed, which can be challenging in some cases. If the key is intercepted by a third party, it could compromise the security of the encryption.
Scalability: Symmetric key encryption is not scalable in large environments, where many users need to communicate with each other using encryption. This is because each pair of users needs to have a unique secret key, which becomes unmanageable as the number of users increases.
Key management: Symmetric key encryption requires the secure storage and management of the secret key. This can be difficult to achieve, especially when dealing with large amounts of data or multiple users.
Lack of authenticity: Symmetric key encryption does not provide authentication, meaning that the receiver cannot be certain that the message was sent by the intended sender. This can lead to security issues in some cases.
Key rotation: Symmetric key encryption requires frequent key rotation to maintain the security of the encryption. This can be challenging to manage, especially in large environments.
Quantum computers have the potential to break many of the cryptographic systems that are currently in use.
Traditional cryptographic keys rely on mathematical algorithms that are difficult to solve, but not impossible. For example, the RSA encryption algorithm relies on the difficulty of factoring large numbers into their prime factors. However, quantum computers can solve this problem much faster than classical computers, which makes RSA vulnerable to attacks from quantum computers.
To address this vulnerability, researchers are developing new cryptographic algorithms that are designed to be resistant to quantum attacks. These algorithms are often based on different mathematical problems that are believed to be hard even for quantum computers.ᅠ
There are now several groups around the worldᅠ who have developed Quantum safe encryption keys systems (also known as post-quantum encryption keys).
Some organizations are starting to implement quantum safe encryption key systems now on the basis that the arrival of practical quantum computers capable of cracking current encryption codes is foreseeable with the danger that encrypted data captured today will be able to be decoded at a point in the near future.
Organizations that wish to future-proof their data privacy protection systems therefore need a mechanism whereby they can manage the introduction of new key systems over time.ᅠ ᅠThe use of an enterprise key management systems such as Randtronic DPM easyKey provides the means to introduce new key systems as and when required and gracefully manage the introduction of such keys across all systems managed by the key manager.