
Data Privacy Manager (DPM)

Enterprise Encryption, Masking & Key Management

Protect Your Data Before It's Too Late with Enterprise-Grade Encryption and Masking

Randtronics is a global leader in enterprise encryption management whose Transparent Data Encryption (TDE), Masking / Tokenization, Key Management and related data-privacy products are used by over 200 customers across 20 countries.   

Randtronics is trusted by banks, government agencies and telecommunications service providers and many others to:

DPM provides a full range of privacy protection for data in storage, use and transit

Randtronics Data Privacy Manager (DPM) is a 100% software-only data security platform that manages encryption and masking protections for structured and unstructured data on-premise and on-cloud. 

DPM provides:

  • Universal, centralized key management to FIPS 140-3 Level 3/4 and Common Criteria EAL 4+/5+
  • Encryption, format preserved encryption, tokenization and masking
  • No-code change Transparent Data Encryption (TDE) for Windows and Linux environments
  • No-code change field-level protection (FLP) for MS-SQL Server, Postgres, Maria, MySQL, Oracle databases and flat files
  • Low-code API for field-level protection (FLP) of any application or database stored anywhere
  • Data sovereignty assurance: total control of where data and keys are stored and used
  • Shared file encryption to protect files shared across Dropbox, email, OneDrive, Google Drive, FTP

Randtronics DPM protects your sensitive data everywhere

Watch how straightforward protecting data becomes using Randtronics DPM

Protect Databases


Implement transparent data encryption and field-level masking for any database application


Protect File Servers

Implement transparent data encryption on any file store on any physical or virtual Windows or Linux platform


Protect Keys

Centralize and simplify enterprise key management


Protect Data in Transit

Protect files being shared by any electronic medium or media to ensure materials can only be read by the intended recipient

Simplify and strengthen your enterprise encryption & masking protection, quickly and simply with no fuss

  • Standardize encryption & masking management across multiple DB vendor technologies 
  • Standardize encryption management for all Windows/Linux VM or Kubernetes container environments on-premise, or on-cloud
  • Standardize key management for all encryption keys and digital certificates
  • Use multi-vendor HSMs from USA, France, Germany, Switzerland or BYO crypto tool kit
  • Ensure compliance and data sovereignty with a solution tailored to your region
  • Role separation of data privacy protection management with air-gap separation from the IT Organization

Our Solutions

Encrypt and mask any database in storage, use and when shared on-prem or on-cloud. 

Maintain data privacy and confidentiality before, during and after ransomware attack for any type of data.

Encrypt any type of sensitive data stored within files at rest or when shared from any location.

Easily maintain privacy by de-identifying data in files, app, web applications and databases.


Encrypt your data in containers within public clouds and on-prem.

Maintain data sovereignty whilst using public clouds and outsourced providers.

Our Products

Diagram of the Randtronics DPM Product Suite illustrating the solutions available for protecting all major enterprise data stores
Randtronics DPM: a complete solution for your enterprise data privacy protection needs


Why Choose Randtronics?

  • Randtronics encryption products are in use with over 200 customers in more than 20 countries.
  • Sole focus on tools that simplify the implementation of effective, policy-based protections for your sensitive data.
  • Transparent encryption, masking, pseudonymization, tokenization or anonymization, supporting all your cryptographic protection needs as encryption-based technologies continue to evolve.
  • Used by customers protecting regulated data (HIPAA, PCI DSS, GDPR and PII laws globally).
  • Used by agencies protecting top-secret information.
  • Protects structured and unstructured data.
  • Protects laptops, Kubernetes containers, multi-vendor cloud and any Windows/Linux based server or VM (web, app, database, file, CRM, ERP systems, etc.).
  • Policy-driven for keys and data, and fully auditable.
  • Single skillset for managing data privacy across all your databases, servers, apps and laptops.
  • Build and consistently implement policy-based privacy management of data and keys.
  • Improve auditability with demonstrable role segregation between data privacy, sensitive data and the IT organization.
  • Implement the highest data sovereignty assurance levels: full control of the location of keys and total control of data privacy.
  • Plug-and-play key management integration.
  • Policy-driven key lifecycle and location.
  • Protect your data without slowing you down.
  • No-code integration with multi-vendor HSMs for key assurance to FIPS 140-3 Level 3/4 and Common Criteria EAL 4+/5+.
  • Transparent Database Encryption protection of any database and file store on Windows and Linux platforms.
  • Point-and-click protection for Oracle, MySQL, Maria, Postgres and MS SQL field-level data.
  • Low-code API integration for any application and database on-prem or in clouds such as Microsoft Azure, AWS and Google GCP.
  • Encryption, masking, tokenization and format-preserving encryption routines optimized for efficiency.


Frequently Asked Questions (FAQ)

Encryption is a method of protecting or concealing confidential data from prying eyes or unauthorised people.

Encryption is the process of encoding data, making it unintelligible and scrambled to prevent unauthorized access. Typically, encrypted data is also paired with an encryption key, and only those that possess the key will be able to open it. Encryption is the most effective way to achieve data security.

Unencrypted data is called plaintext. Encrypted data is referred to as ciphertext.


Encryption and field-level data privacy protection is now an essential requirement. 

Cyber protection is an arms race and sophisticated attackers continue to demonstrate their ability to penetrate the defenses of technically sophisticated organizations.

Relying on good fortune is not an option and business leaders must assume that attackers will at some point penetrate their external perimeter and thus must ensure that sensitive data is not stored in readable format with the ability to read this information tightly controlled. 

Encryption is becoming a legal necessity for all organizations, with increasingly stiff penalties for organizations that fail to comply. Personal data protection legislation such as the EU’s GDPR is imposing new data protection obligations on top of industry-specific requirements and best practices such as HIPAA for health records and PCI-DSS for payment

The big questions today are no longer ‘should we use encryption’ but instead ‘how’ to implement encryption and field-level data protection across all systems to tightly control who can see data in readable format, and how to manage this protection layer without impeding the organization’s ability to operate.

Transparent Data Encryption (TDE) is a security technology used to protect sensitive data at rest by encrypting it on storage media, such as hard drives or databases. TDE works by automatically encrypting data as it is written to disk and automatically decrypting data as it is read from disk, without requiring any changes to the applications that access the data.

The encryption and decryption process is transparent to the user and applications, hence the name “transparent” data encryption. This means that data can be stored in an encrypted form, but still be accessible to authorized users without requiring them to enter any additional passwords or perform any manual decryption steps.

TDE typically uses strong encryption algorithms such as Advanced Encryption Standard (AES) to protect data, and the encryption keys are managed by the database management system or operating system to prevent unauthorized access. TDE provides an additional layer of security to protect sensitive data in case of data theft or loss of storage media.

Full Disk Encryption (FDE) is a security technology used to protect the data stored on a computer’s hard drive or other storage devices by encrypting the entire disk. When a disk is encrypted with FDE, all data stored on the disk, including the operating system, application files, and user data, is encrypted using a strong encryption algorithm.

FDE ensures that if an unauthorized person gains access to the computer or storage device, they will not be able to access the data without the encryption key. This provides an additional layer of security beyond the typical user authentication methods, such as passwords, which can be bypassed by someone with physical access to the device.

FDE can be implemented at the hardware level, such as through self-encrypting drives (SEDs), or at the software level, such as through operating system-level encryption software like BitLocker (Windows) or FileVault (macOS).

Volume Encryption is a security technology used to protect specific volumes or partitions on a storage device, rather than the entire disk as in Full Disk Encryption (FDE). When a volume is encrypted, all data stored on that volume is encrypted using a strong encryption algorithm.

Volume encryption allows users to encrypt only the data that is most sensitive, while leaving other data on the disk unencrypted. This can be useful in situations where the entire disk does not need to be encrypted, but specific volumes or partitions containing sensitive data need to be protected.

Volume encryption can be implemented at the hardware level, such as through self-encrypting drives (SEDs), or at the software level, such as through operating system-level encryption software like BitLocker (Windows) or FileVault (macOS).

Randtronics DPM easyCipher provides Transparent Data Encryption (TDE) protection of files and folders.

Files and folders protected can be entire databases or the contents of laptops, file servers, web servers or Network Attached Storage (NAS) devices.

Randtronics DPM easyCipher is a two tier solution with a central management platform that defines and manages encryption policy and locally deployed agents that are responsible for encryption operations.

Randtronics TDE is implemented in a two-tier manager-agent architecture that provides three major advantages compared to using the TDE options provided by individual database vendors (native TDE):

  1. Protection for native TDE covers only the database. Randtronics TDE can extend protection to cover the entire contents of the database server plus any file server or laptop that holds reports or analytic materials based on database contents.
  2. Native TDE is controlled by database administrators (DBAs). Randtronics TDE is centrally managed and monitored.
  3. Randtronics TDE offers the simplicity of a single, standardised method for encrypting any database deployed in a Windows, Linux or Kubernetes environment.

Randtronics TDE offers fine-grained access control over which users and applications have access to any file or folder.

Full Disk Encryption (FDE) offers a simple open/locked protection for a hard disk.

FDE provides no protection between users or against hackers, who typically access computers via the network.

Privileged users, that is systems administrators (Sys Admins), database administrators (DBAs) and application administrators, by definition have the ability to perform far more activities than standard users.

Privileged User credentials are consequently highly prized by hackers wishing to circumvent security measures.

Many traditional data security measures focus on protecting a single platform and, by necessity, the administrator of that platform has the means of managing and hence circumventing security.

Randtronics Data Privacy Manager is a policy-based data security platform that separates the management of data protection policies away from the control of Sys Admins, DBA’s and Application Administrators.

Enterprise Key Managers (EKMs) are data security platforms that securely manage encryption keys and digital certificates.

EKMs such as Randtronics' DPM easyKey provide a centralized, standardized means of managing keys for multiple applications at scale.

Randtronics DPM easyKey is a software-only key management solution that also has the capability to integrate with and manage the key protection capabilities of hardware key stores.


Object-level data protection refers to encryption of whole files, folders, databases, file services and/or Network Attached Storage (NAS) devices.

Randtronics DPM easyCipher product provides object-level Transparent Data Encryption protection.

Object-level protection has the advantage of being extremely simple to implement and rapid to deploy with minimal impact on users and processing times.

Field-level protection refers to the protection of content within flat files and databases. Field-level protection methods include encryption, tokenization and data-masking.

Randtronics DPM easyData is a field-level data protection engine used to provide:

i) Column-level data protection for Oracle and MS SQL Server databases

ii) Field-level data protection for flat files, and

iii) Field-level data protection for data strings within applications

Increasingly public cloud platforms offer built-in encryption protection.

Users of Randtronics DPM storing data on public cloud platforms have the option to deepen the layers of protection with additional protections that are independent of the cloud platform provider.

Use cases include:

  • Key Sovereignty – exerting control over the physical location and security of encryption keys
  • Data-in-use – adding field-level protections such as tokenization, masking or anonymisation to allow data to be shared without compromising data security

Data at rest refers to data in storage.

Randtronics DPM enables organizations to store data in protected form and thus mitigate the risk of a cyber attack resulting in a data breach. 

Data in use refers to data being held in memory and being operated upon by an application.

Randtronics DPM enables organizations to mitigate the risk of a data-in-use data breach through the use of tokenization, data-masking and data-anonymization techniques.

Data in transit refers to data being transferred between systems.

Randtronics DPM offers organizations multiple methods of protecting data in transit:

i) Field-level protections: tokenization, data masking and anonymization, allowing data to be transmitted and shared without risk of breach

ii) DPM easy2Go, a utility for encrypting files for sharing with external users via insecure channels or media.

Tokenization refers to the reversible substitution of protected data with a token.

Encryption refers to the reversible disguise of data using an encryption key.

Format-preserving tokenization and format-preserving encryption refer to restricting the choice of token characters or ciphertext characters. This is typically done to maintain alpha-only, numeric or alphanumeric formats and thus maintain compatibility with systems that use strongly typed fields.
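As an added example (not Randtronics code; the internals of DPM easyData are not described on this page), the following Python implements the vault style of format-preserving tokenization described above: a value is replaced by a random token of the same length and character class, optionally keeping trailing digits in clear, and only the vault mapping can reverse it. The class and function names are my own.

```python
import secrets
import string
from typing import Dict

# Constructed demonstration of vault-based, format-preserving tokenization.
# Not Randtronics code: DPM easyData's internals are not described on this page.


class TokenVault:
    """In-memory token vault.

    tokenize() swaps a value for a random token of the same length drawn from
    the same character class, so a numeric-only column or fixed-width field
    still accepts it.  The vault's mapping is the only way back to the
    plaintext, which is what makes tokenization reversible substitution rather
    than one-way masking.  A production vault would persist the mapping in a
    protected store and gate detokenize() behind access policy.
    """

    ALPHABETS = {
        "numeric": string.digits,
        "alpha": string.ascii_letters,
        "alphanumeric": string.ascii_letters + string.digits,
    }

    def __init__(self) -> None:
        self._to_token: Dict[str, str] = {}  # plaintext -> token
        self._to_plain: Dict[str, str] = {}  # token -> plaintext

    def tokenize(self, value: str, fmt: str = "numeric", keep_last: int = 0) -> str:
        """Return a format-preserving token; the same value always gets the same token.

        keep_last leaves the trailing characters in clear (e.g. the last 4 digits
        of a card number) so staff can still tell records apart.
        """
        if value in self._to_token:
            return self._to_token[value]
        alphabet = self.ALPHABETS[fmt]
        bad = [ch for ch in value if ch not in alphabet]
        if bad:
            raise ValueError(f"characters {bad!r} are not in the {fmt} alphabet")
        head_len = len(value) - keep_last
        if head_len <= 0:
            raise ValueError("keep_last must leave at least one character to replace")
        while True:
            head = "".join(secrets.choice(alphabet) for _ in range(head_len))
            token = head + value[head_len:]
            # Reject collisions with existing tokens and the (unlikely) case
            # where the random head reproduces the plaintext.
            if token not in self._to_plain and token != value:
                break
        self._to_token[value] = token
        self._to_plain[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reverse a token.  Only a holder of the vault mapping can do this."""
        try:
            return self._to_plain[token]
        except KeyError:
            raise KeyError("unknown token") from None


def protect_card_number(vault: TokenVault, pan: str) -> str:
    """Tokenize a card number keeping its last four digits visible."""
    return vault.tokenize(pan, fmt="numeric", keep_last=4)
```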

The effectiveness of encryption systems in preventing data loss rests on three legs:

a) Difficulty of breaking encryption: traditional encryption relies on encryption keys that are mathematically hard to guess. The growth in computing power has required keys to become longer. The introduction of quantum computers raises the prospect of future computers being able to quickly break traditional keys, and the need to replace them with a new generation of quantum-safe keys. A key advantage of enterprise key management systems such as DPM easyKey is that organizations can centrally manage all encryption keys and digital certificates and easily upgrade keys with stronger variants over time.

b) Difficulty of bypassing encryption: traditional encryption systems operate at the level of a single computer or database and are thus vulnerable to being bypassed by the privileged users responsible for administering that platform.

c) Inability to find unprotected copies of sensitive data: copies of sensitive data can exist in reports, analytic systems and test data sets, all of which need to be protected. Hence a truly effective encryption system needs to be able to protect sensitive data wherever it resides.

Database encryption is the process of converting plain text information into an unreadable code that can only be deciphered with a key or password.

This protects sensitive information from unauthorized access and theft of content.

The two main types of database encryption are:

a) Transparent Data Encryption (TDE). After data is encrypted, it is transparently decrypted for authorized users or applications. TDE helps protect data stored on media (also called data at rest) in the event that the storage media or data file is stolen.

Depending on the implementation, TDE can be applied at the tablespace level (whole of database) or selectively at column level.

Many database vendors offer TDE solutions for selected versions of their database products. Typically the addition of TDE requires the purchase of an additional licence.

Randtronics DPM easyCipher is a TDE product that sits outside of the database and can provide tablespace-level TDE as well as protecting other files in the database folder, such as report folders, analytics applications or other areas where extracts of sensitive data may exist.

Randtronics DPM easyCipher enables TDE protection for any database that runs in a Windows/Linux or Kubernetes environment and thus can

b) Field-level Encryption

File-level encryption, when integrated with an enterprise access control system (Randtronics DPM being an example), allows multiple users to access IT systems whilst preserving the ability to grant or deny any user or application access to a given file.

Full-Disk and Volume Encryption are basically either on or off: once unlocked, anyone can access anything.

Full-Disk and Volume Encryption are often used to lock down data in the event that a device or hard drive is physically stolen. However, file-level encryption can also do this whilst providing a much deeper level of data protection.

Starting with an illustration:

Jane.Doe@gmail.com

In anonymized form this might be:

asfasdfas@dsdfdfsdf

Data that has been anonymized is completely safe in the sense that it is simply not possible to re-identify the individual by matching the scrambled data field with other records.

In pseudonymized form it might be:

asdfsfsf@gmail

The pseudonymized form still has some useful information: in this case gmail.com tells us that the person isn’t using a work account. However, if the email address were something less generic, then given access to another list of user names and emails it might be possible to rematch the record back to Jane Doe.

Examples of pseudonymization include obscuring all but the last 4 digits of a bank account number, so that a clerk can distinguish between a customer's various accounts but still not know the full account details.
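The distinction above, as an added Python example rather than code from the page or from Randtronics: anonymization discards all linkage, pseudonymization keeps a consistent keyed mapping (and the domain), and masking hides all but the last digits of an account number. The `relink` helper shows the residual re-identification risk the passage warns about. All function names and the demo key are my own assumptions.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Optional

# Constructed demonstration; not Randtronics code. A real deployment would
# fetch PSEUDONYM_KEY from a key manager rather than hard-code it.
PSEUDONYM_KEY = b"demo-only-secret-replace-with-managed-key"


def anonymize_email(email: str) -> str:
    """Anonymization: unlinkable and one-way. Both parts are replaced by
    random letters, no key or mapping is kept, so nothing ties the output
    back to the input (two calls on the same address give unrelated results)."""
    letters = string.ascii_lowercase
    local = "".join(secrets.choice(letters) for _ in range(9))
    domain = "".join(secrets.choice(letters) for _ in range(9))
    return f"{local}@{domain}"


def pseudonymize_email(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Pseudonymization: keyed and consistent. The local part becomes a
    truncated HMAC, so the same address always yields the same pseudonym and
    the real domain is kept (gmail.com stays visible, as in the page's example)."""
    local, _, domain = email.strip().lower().partition("@")
    digest = hmac.new(key, local.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{digest[:8]}@{domain}"


def mask_account(account: str, visible: int = 4, mask_char: str = "*") -> str:
    """Masking: hide all but the last `visible` characters of an account number."""
    if len(account) <= visible:
        return account
    return mask_char * (len(account) - visible) + account[-visible:]


def relink(pseudonym: str, candidates: List[str], key: bytes = PSEUDONYM_KEY) -> Optional[str]:
    """Re-identification check. Anyone holding the key and a second list of
    addresses can match a pseudonym back to a person; that residual risk is
    why pseudonymized data is not anonymized data and the key must be guarded."""
    for candidate in candidates:
        if pseudonymize_email(candidate, key) == pseudonym:
            return candidate
    return None
```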

Historically, encryption protection was an additional feature added to individual IT systems, giving rise to situations where an organization may have multiple, incompatible data protection ‘silos’, each of which requires specialist skills to administer and, of course, changes in one do not automatically flow on to the others.

By contrast a centralized policy-based management system for encryption, other forms of data protection and encryption keys provides a single point of administration.

The benefits of a centralized policy-based system include:

  • consistency – ensuring that changes are automatically applied everywhere
  • role separation – data privacy can be administered independently of the IT organization. Privileged IT accounts are prime targets for hackers, and a centralised policy-based data protection system enables an organization to isolate privileged IT accounts from access to sensitive data

Encryption keys come in four basic forms: symmetric, asymmetric, public and private.

Enterprise encryption systems typically use asymmetric, public and private keys as symmetric encryption systems have some significant limitations.

  • Symmetric encryption: symmetric-key cryptography uses a single encryption key for both encryption and decryption of data.
  • Asymmetric encryption: in asymmetric cryptography, a pair of keys is used to encrypt and decrypt the data. Both keys are paired with each other and created at the same time. They are referred to as public and private keys.
    • Public keys primarily encrypt the data and are only used to encrypt, not to decrypt.
    • Private keys are used to decrypt the data. This is the only key that can decrypt the encrypted data, and it should be password-protected.

Symmetric-key encryption has some advantages: it doesn’t require a complex backend infrastructure and the encrypt/decrypt algorithm is fast. However, there are some significant limitations and challenges, including:

  1. Key distribution: In order to use symmetric key encryption, both the sender and receiver need to have the same secret key. The key needs to be securely distributed, which can be challenging in some cases. If the key is intercepted by a third party, it could compromise the security of the encryption.

  2. Scalability: Symmetric key encryption is not scalable in large environments, where many users need to communicate with each other using encryption. This is because each pair of users needs to have a unique secret key, which becomes unmanageable as the number of users increases.

  3. Key management: Symmetric key encryption requires the secure storage and management of the secret key. This can be difficult to achieve, especially when dealing with large amounts of data or multiple users.

  4. Lack of authenticity: Symmetric key encryption does not provide authentication, meaning that the receiver cannot be certain that the message was sent by the intended sender. This can lead to security issues in some cases.

  5. Key rotation: Symmetric key encryption requires frequent key rotation to maintain the security of the encryption. This can be challenging to manage, especially in large environments.

Quantum computers have the potential to break many of the cryptographic systems that are currently in use.

Traditional cryptographic keys rely on mathematical algorithms that are difficult to solve, but not impossible. For example, the RSA encryption algorithm relies on the difficulty of factoring large numbers into their prime factors. However, quantum computers can solve this problem much faster than classical computers, which makes RSA vulnerable to attacks from quantum computers.

To address this vulnerability, researchers are developing new cryptographic algorithms that are designed to be resistant to quantum attacks. These algorithms are often based on different mathematical problems that are believed to be hard even for quantum computers.

There are now several groups around the world who have developed quantum-safe encryption key systems (also known as post-quantum encryption keys).

Some organizations are starting to implement quantum-safe encryption key systems now, on the basis that the arrival of practical quantum computers capable of cracking current encryption is foreseeable, with the danger that encrypted data captured today will be decodable at a point in the near future.

Organizations that wish to future-proof their data privacy protection systems therefore need a mechanism whereby they can manage the introduction of new key systems over time. The use of an enterprise key management system such as Randtronics DPM easyKey provides the means to introduce new key systems as and when required and gracefully manage their introduction across all systems managed by the key manager.
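The key-upgrade mechanism described here and under "Difficulty of breaking encryption" above, as an added Python example (not Randtronics code; DPM easyKey's design is not described on this page): each record is encrypted under its own data key, which is wrapped by a versioned key-encryption key, so moving to a new or stronger KEK only re-wraps the small data keys and never rewrites stored ciphertext. The HMAC-based stream cipher is a standard-library stand-in for AES-GCM / AES key wrap, and all names are my own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed demonstration of versioned key-encryption keys (KEKs) and
# envelope encryption. Not Randtronics code; DPM easyKey's design is not
# described on this page.

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream.
    Stdlib stand-in for a real cipher such as AES-GCM; never reuse a nonce."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, data)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


class KeyManager:
    """Holds KEKs by version. Data keys (DEKs) are wrapped under the current
    KEK; the version travels with the wrapped DEK so old records stay readable."""

    def __init__(self) -> None:
        self.keks: Dict[int, bytes] = {1: secrets.token_bytes(32)}
        self.current = 1

    def rotate_kek(self) -> int:
        """Introduce a new KEK version (e.g. a stronger key, or a new key system)."""
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        return self.current

    def wrap_dek(self, dek: bytes) -> Tuple[int, bytes]:
        return self.current, seal(self.keks[self.current], dek)

    def unwrap_dek(self, version: int, wrapped: bytes) -> bytes:
        return unseal(self.keks[version], wrapped)

    def retire_kek(self, version: int) -> None:
        """Safe only once nothing is still wrapped under this version."""
        del self.keks[version]


def encrypt_record(km: KeyManager, plaintext: bytes) -> dict:
    dek = secrets.token_bytes(32)  # fresh per-record data key
    version, wrapped = km.wrap_dek(dek)
    return {"kek_version": version, "wrapped_dek": wrapped,
            "ciphertext": seal(dek, plaintext)}


def decrypt_record(km: KeyManager, rec: dict) -> bytes:
    dek = km.unwrap_dek(rec["kek_version"], rec["wrapped_dek"])
    return unseal(dek, rec["ciphertext"])


def rotate_and_rewrap(km: KeyManager, records: List[dict]) -> int:
    """Roll to a new KEK and re-wrap every DEK under it. Ciphertexts are untouched,
    so the upgrade costs one small wrap per record, not a bulk re-encryption."""
    new_version = km.rotate_kek()
    for rec in records:
        dek = km.unwrap_dek(rec["kek_version"], rec["wrapped_dek"])
        rec["kek_version"], rec["wrapped_dek"] = km.wrap_dek(dek)
    return new_version
```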

Letter from the CEO


Thank you for visiting the Randtronics website.

We make enterprise encryption easy.

Smart businesses already know that only encryption can reduce the attack surface and stop the hackers from stealing their sensitive data. A company that only uses encryption is more secure than a company with all other cyber security measures. Privacy standards such as PCI DSS, HIPAA, and GDPR are all mandating in law the protection of the citizen’s personal data. Fines for breaches are huge. You won’t get fined if your firewall is hacked. You won’t get fined if you suffer a virus or ransomware attack. You WILL get fined if you lose ANY personal data pertaining to ANY citizen. The lowest common denominator is the DATA. Data that is “Encrypted” is out of the scope of the Law.

Whilst all understand the need to protect sensitive data holistically (such as NIST Cyber Security Framework or 12 prescriptive PCI DSS guidelines) their cyber security priorities are misguided to say easy aspects and not addressing “what happens” when these fail? Encryption of data is the only direct protection measure that renders data unreadable compared to upgrading firewalls or virus and malware, IPS, log monitoring, etc. I am saying you need all methods but unless you have implemented enterprise grade encryption you are still unprotected like driving a car without “seatbelts”. “Enterprise grade encryption” as a cyber measure is the “seat belt” that saves lives in car accidents. Industry experts predict a relentless continuation of data breaches this year and penetration testing has proven perimeter defense is easily penetrable.

Randtronics has taken the challenge to make encryption easy and is innovating in many areas. We have already reduced deployment effort to days, use familiar standard components so that less skilled people can deploy and maintain systems.
I welcome discussions via email or phone as through your feedback we will be challenged to continue to innovate to the point where businesses and users do not need to be intimidated when using encryption as the world's most powerful tool to protect their sensitive data.

Experts predict data breaches will continue at a relentless pace, let Randtronics secure your business with “Enterprise grade ubiquitous encryption technology”. Time is of the essence. Why not be pro-active? I invite you to let Randtronics and its global distributors and resellers assess and assist your business directly.

Yours sincerely,
Bob K Adhar, BE, MBA, CISSP
Founder and CEO