Data Privacy Manager (DPM)
Enterprise Encryption Management
Protect your sensitive data, across all your systems
Randtronics is a global leader in enterprise encryption management whose Transparent Data Encryption (TDE), Masking / Tokenization, Key Management and related data-privacy products are used by over 200 customers across 20 countries.
Randtronics is trusted by banks, government agencies and telecommunications service providers and many others to:
Randtronics Data Privacy Manager (DPM) is a 100% software-only data security platform that manages encryption protections for structured and unstructured data on-premise and on-cloud.
- Universal, centralized key management to FIPS 140-2/3 Level 3/4 and Common Criteria EAL 4+/5+
- Encryption, format preserved encryption, tokenization and masking
- No-code change Transparent Data Encryption (TDE) for Windows and Linux environments
- No-code change field-level protection (FLP) for MS-SQL Server and Oracle Database and flat files
- Low-code API protection for any field-level protection (FLP) for any application-database stored anywhere
- Data sovereignty assurance: total control of where data and keys are stored and used
- Shared file encryption to protect files shared across Dropbox, email, OneDrive, Google Drive, FTP
Randtronics DPM protects your sensitive data everywhere
Watch how straightforward protecting data becomes using Randtronics DPM
Implement transparent data encryption or field-level protection for any database application
Protect File Servers
Implement transparent data encryption on any file store on any physical or virtual Windows or Linux platform
Centralize and simplify enterprise key management
Protect Data in Transit
Protect files being shared by any electronic medium or media to ensure materials can only be read by the intended recipient
Simplify and strengthen your enterprise encryption protection, quickly, simply with no fuss
- Standardize encryption management across multiple DB vendor technologies
- Standardize encryption management for all Windows/Linux VM or Kubernetes container environments on-premise, or on-cloud
- Standardize key management for all encryption keys and digital certificates
- Role separation of data privacy protection management with air-gap separation from the IT Organization
Maintain data privacy and confidentiality before, during and after ransomware attack for any type of data.
Encrypt any type of sensitive data stored within files from any location.
Easily maintain privacy by de-identifying data in files, app, web applications and databases.
Encrypt your data in containers with in public clouds and on-prem.
Maintain data sovereignty whilst using public clouds and outsourced providers.
Try Randtronics DPM today
Book your own instant proof of concept, right now!
White Papers & Case Studies
Why Choose Randtronics?
- Randtronics encryption products are in use with over 200 customers in more than 20 countries.
- Sole focus on tools to simplify the implementation of effective, policy-based protections for your sensitive data.
- Transparent encryption, masking, pseudonymization, tokenization or anonymization – supporting all your cryptographic-based protection needs as encryption-based technologies continue to evolve.
- used by customers protecting regulated (HIPAA, PCI DSS, international Data Privacy Laws) data.
- used by agencies protecting top-secret information.
- protects structured and unstructured data.
- laptops, Kubernetes containers, multi-vendor cloud and any Windows/Linux based server/VM (web, app, database, file, CRM, ERP systems, etc).
- Policy-driven and fully auditable.
- Single skillset for managing data privacy across all your
- Build and consistently implement policy-based privacy management of data and keys.
- Improve auditability – demonstrable role segregation between data privacy, sensitive data and IT organization.
- Implement the highest data sovereignty assurance levels – full control of location of keys and total control of data privacy.
- Plug and play key management integration.
- Policy-driven key lifecycle and location.
- Protect your data without slowing you down.
- No-code integration with multi-vendor HSM for key assurance to FIPS 140-2/3 Level 3/4, Common Criteria EAL 4+/5+.
- Transparent Database Encryption protection of any databases and file stores on Windows and Linux platforms.
- Point and click protection for Oracle and MS SQL field-
- Low-code API integration for non Oracle/MS SQL Server databases and applications.
- Encryption, tokenization and format preserved encryption routines optimized for efficiency.
Latest news and articles
This week the news broke that Mandiant (an incident response firm) attributed the recent cyberattack campaign targeting customers utilizing Barracuda’s Email Security Gateway to hackers
Frequently Asked Questions (FAQ)
Encryption is a method of protecting or concealing confidential data from prying eyes or unauthorised people.
Encryption is the process of encoding data, making it unintelligible and scrambled to prevent unauthorized access. Typically, encrypted data is also paired with an encryption key, and only those that possess the key will be able to open it. Encryption is the most effective way to achieve data security.
Unencrypted data is called plain text. Encrypted data is referred to as cipher text.
Encryption and field-level data privacy protection is now an essential requirement.
Cyber protection is an arms race and sophisticated attackers continue to demonstrate their ability to penetrate the defenses of technically sophisticated organizations.
Relying on good fortune is not an option and business leaders must assume that attackers will at some point penetrate their external perimeter and thus must ensure that sensitive data is not stored in readable format with the ability to read this information tightly controlled.
Encryption is becoming a legal necessity for all organizations, with increasingly stiff penalties for organizations that fail to comply. Personal data protection legislation such as the EU’s GDPR is imposing new data protection obligations on top of industry-specific requirements and best practices such as HIPAA for health records and PCI-DSS for payment
The big questions today are no longer ‘should we use encryption’ but are instead ‘how’ to implement encryption and field-level data protection across all systems to tightly control who can see data in readable format, and how to manage this protection layer without impeding the organizations’ ability to operate.
Transparent Data Encryption (TDE) is a security technology used to protect sensitive data at rest by encrypting it on storage media, such as hard drives or databases. TDE works by automatically encrypting data as it is written to disk and automatically decrypting data as it is read from disk, without requiring any changes to the applications that access the data.
The encryption and decryption process is transparent to the user and applications, hence the name “transparent” data encryption. This means that data can be stored in an encrypted form, but still be accessible to authorized users without requiring them to enter any additional passwords or perform any manual decryption steps.
TDE typically uses strong encryption algorithms such as Advanced Encryption Standard (AES) to protect data, and the encryption keys are managed by the database management system or operating system to prevent unauthorized access. TDE provides an additional layer of security to protect sensitive data in case of data theft or loss of storage media.
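The encrypt-on-write, decrypt-on-read behaviour described above, as an added illustration (this is not Randtronics code). The application writes and reads through a file-like wrapper and never handles a key itself; the bytes that reach disk are ciphertext, and a reader with the wrong key (the stolen-media case) gets nothing usable. A real TDE agent would use AES; to keep this example dependency-free the keystream is HMAC-SHA256 in counter mode, which is an assumption standing in for the real cipher, not a recommendation.

```python
"""Transparent encrypt-on-write / decrypt-on-read file wrapper (added example).

Assumption: HMAC-SHA256 in counter mode stands in for AES so the example
runs with only the standard library.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

BLOCK = 32        # bytes of keystream per HMAC-SHA256 output
NONCE_LEN = 16    # per-file nonce stored as a plaintext header

# Constructed sample record, not real data.
SAMPLE_RECORD = b"Jane Doe,4111111111111111,jane.doe@example.com\n"


def keystream(key: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Keystream for plaintext byte range [offset, offset + length).

    Generated per 32-byte block so a later read at any offset lines up with
    the keystream used when those bytes were written."""
    if length <= 0:
        return b""
    first, last = offset // BLOCK, (offset + length - 1) // BLOCK
    out = bytearray()
    for ctr in range(first, last + 1):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    start = offset - first * BLOCK
    return bytes(out[start:start + length])


class TransparentFile:
    """Looks like an ordinary binary file to the application; bytes reaching
    the disk are ciphertext.  The application never calls encrypt/decrypt,
    which is the 'transparent' property."""

    def __init__(self, path: str, key: bytes, mode: str = "rb"):
        self._key = key
        self._f = open(path, mode)
        if "w" in mode:
            self._nonce = secrets.token_bytes(NONCE_LEN)
            self._f.write(self._nonce)          # header: nonce, not secret
        else:
            self._nonce = self._f.read(NONCE_LEN)
        self._pos = 0   # plaintext offset, header excluded

    def _xor(self, data: bytes) -> bytes:
        ks = keystream(self._key, self._nonce, self._pos, len(data))
        self._pos += len(data)
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, data: bytes) -> int:
        return self._f.write(self._xor(data))   # encrypted on the way to disk

    def read(self, size: int = -1) -> bytes:
        return self._xor(self._f.read(size))    # decrypted on the way back

    def close(self) -> None:
        self._f.close()

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()


def demo(directory: str = "") -> dict:
    """Write one record through the wrapper and inspect it three ways:
    raw bytes on disk, via the wrapper with the right key, and via the
    wrapper with a wrong key (what a thief of the storage media sees)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "customers.dat")
    key = secrets.token_bytes(32)   # in practice issued by the key manager, never by the app
    with TransparentFile(path, key, "wb") as f:
        f.write(SAMPLE_RECORD)
    with open(path, "rb") as raw:
        on_disk = raw.read()
    with TransparentFile(path, key, "rb") as f:
        via_agent = f.read()
    with TransparentFile(path, secrets.token_bytes(32), "rb") as f:
        wrong_key = f.read()
    return {
        "plaintext_visible_on_disk": SAMPLE_RECORD in on_disk,
        "via_agent": via_agent,
        "wrong_key_recovers_record": wrong_key == SAMPLE_RECORD,
    }


if __name__ == "__main__":
    print(demo())
```

Where the key lives is the whole security argument: if the same administrator who can read the disk can also read the key, the wrapper adds nothing, which is why the key in `demo` is created outside the file code and, in a real deployment, outside the platform being protected.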
Full Disk Encryption (FDE) is a security technology used to protect the data stored on a computer’s hard drive or other storage devices by encrypting the entire disk. When a disk is encrypted with FDE, all data stored on the disk, including the operating system, application files, and user data, is encrypted using a strong encryption algorithm.
FDE ensures that if an unauthorized person gains access to the computer or storage device, they will not be able to access the data without the encryption key. This provides an additional layer of security beyond the typical user authentication methods, such as passwords, which can be bypassed by someone with physical access to the device.
FDE can be implemented at the hardware level, such as through self-encrypting drives (SEDs), or at the software level, such as through operating system-level encryption software like BitLocker (Windows) or FileVault (macOS).
Volume Encryption is a security technology used to protect specific volumes or partitions on a storage device, rather than the entire disk as in Full Disk Encryption (FDE). When a volume is encrypted, all data stored on that volume is encrypted using a strong encryption algorithm.
Volume encryption allows users to encrypt only the data that is most sensitive, while leaving other data on the disk unencrypted. This can be useful in situations where the entire disk does not need to be encrypted, but specific volumes or partitions containing sensitive data need to be protected.
Volume encryption can be implemented at the hardware level, such as through self-encrypting drives (SEDs), or at the software level, such as through operating system-level encryption software like BitLocker (Windows) or FileVault (macOS).
Randtronics DPM easyCipher provides Transparent Data Encryption (TDE) protection of files and folders.
Files and folders protected can be entire databases or the contents of laptops, file servers, web servers or Network Attached Storage (NAS).
Randtronics DPM easyCipher is a two tier solution with a central management platform that defines and manages encryption policy and locally deployed agents that are responsible for encryption operations.
Randtronics TDE is implemented in a two-tier manager-agent architecture that provides three major advantages compared to using the TDE options provided by individual database vendors (native TDE):
- Protection for native TDE covers only the database. Randtronics TDE can extend protection to cover the entire contents of the database server plus any file server or laptop that holds reports or analytic materials based on database contents.
- Native TDE is controlled by database administrators (DBAs). Randtronics TDE is centrally managed and monitored.
- Randtronics TDE offers the simplicity of a single, standardised method for encrypting any database deployed in a Windows, Linux or Kubernetes environment.
Randtronics TDE offers fine-grained access control over what users and applications have access to any file or folder.
Full Disk Encryption (FDE) offers a simple open/locked protection for a hard disk.
FDE provides no protection between users or against hackers, who typically access computers via the network.
Privileged users: systems administrators (Sys Admins), database administrators (DBAs) and application administrators by definition have the ability to perform far more activities than standard users.
Privileged user credentials are consequently highly prized by hackers wishing to circumvent security measures.
Many traditional data security measures focus on protecting a single platform, and by necessity the administrator of that platform has the means of managing, and hence circumventing, security.
Randtronics Data Privacy Manager is a policy-based data security platform that separates the management of data protection policies away from the control of Sys Admins, DBA’s and Application Administrators.
Enterprise Key Managers (EKMs) are data security platforms that securely manage encryption keys and digital certificates.
EKMs such as Randtronics DPM easyKey provide a centralized, standardized means of managing keys for multiple applications at scale.
Randtronics DPM easyKey is a software-only key management solution that also has the capability to integrate with and manage the key protection capabilities of hardware key stores.
Object-level data protection refers to encryption of whole files, folders, databases, file services and/or Network Attached Storage (NAS) devices.
Randtronics DPM easyCipher product provides object-level Transparent Data Encryption protection.
Object-level protection has the advantage of being extremely simple to implement and rapid to deploy with minimal impact on users and processing times.
Field-level protection refers to the protection of content within flat files and databases. Field-level protection methods include encryption, tokenization and data-masking.
Randtronics DPM easyData is a field-level data protection engine used to provide
i) Column level data protection to Oracle and MS SQL Server databases
ii) Field-level data protection for flat files, and
iii) Field-level data protections for data strings within applications
Increasingly public cloud platforms offer built-in encryption protection.
Users of Randtronics DPM storing data on public cloud platforms have the option to deepen the layers of protection with additional protections that are independent of the cloud platform provider.
Use cases include:
- Key Sovereignty – exerting control over the physical location and security of encryption keys
- Data-in-use – adding field-level protections such as tokenization, masking or anonymisation to allow data to be shared without compromising data security
Data at rest refers to data in storage.
Randtronics DPM enables organizations to store data in protected form and thus mitigate the risk of a cyber attack resulting in a data breach.
Data in use refers to data being held in memory and being operated upon by an application.
Randtronics DPM enables organizations to mitigate the risk of a data-in-use data breach through the use of tokenization, data-masking and data-anonymization techniques.
Data in transit refers to data being transferred between systems.
Randtronics DPM offers organizations multiple methods of protecting data-in-transit
i) Field-level protections: Tokenization, Data Masking and Anonymization, allowing data to be transmitted and shared without risk of breach
ii) DPM easy2Go, a utility for encrypting files for sharing via insecure mediums or media with external users.
Tokenization refers to the reversible substitution of protected data with a token.
Encryption refers to the reversible disguise of data using an encryption key.
Format preserving Tokenization and format-preserving encryption refers to restricting the choice of token characters or cipher text characters. This is typically done to maintain alpha-only, numeric or alpha-numeric formats and thus maintain compatibility with systems that use strong data-types.
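A worked example of the reversible, format-preserving tokenization just described, added here and not taken from Randtronics' products. The vault maps each value to a random token drawn from the same character class at each position (digits stay digits, letters stay letters, separators are kept), so strongly-typed downstream systems accept the token; the mapping is held only in the vault, so the token itself reveals nothing. The in-memory dict standing in for the vault store and the `keep_last` option (leaving a trailing suffix in the clear, as is common for card numbers) are assumptions of this example.

```python
"""Reversible, format-preserving tokenization with a token vault (added example).

Assumption: an in-memory dict plays the role of the protected vault store.
"""
import secrets
import string


def _alphabet_for(ch: str):
    """Character class a replacement is drawn from; None means the character
    is a separator that is copied through unchanged."""
    if ch.isdigit():
        return string.digits
    if ch.isupper():
        return string.ascii_uppercase
    if ch.islower():
        return string.ascii_lowercase
    return None


def same_format(a: str, b: str) -> bool:
    """True when both strings have the same length and the same character
    class (or the same separator) at every position."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        ax, ay = _alphabet_for(x), _alphabet_for(y)
        if ax != ay or (ax is None and x != y):
            return False
    return True


class TokenVault:
    def __init__(self, keep_last: int = 0):
        self._keep_last = keep_last          # trailing chars left in the clear
        self._to_token: dict = {}
        self._to_value: dict = {}

    def _split(self, value: str):
        if not self._keep_last:
            return value, ""
        return value[:-self._keep_last], value[-self._keep_last:]

    def _random_token(self, value: str) -> str:
        head, tail = self._split(value)
        out = []
        for ch in head:
            alphabet = _alphabet_for(ch)
            out.append(ch if alphabet is None else secrets.choice(alphabet))
        return "".join(out) + tail

    def tokenize(self, value: str) -> str:
        """Same value always yields the same token (joins keep working);
        a new token is drawn until it is unused and differs from the value."""
        if value in self._to_token:
            return self._to_token[value]
        head, _ = self._split(value)
        if not any(_alphabet_for(ch) for ch in head):
            raise ValueError("no replaceable characters outside the kept suffix")
        while True:
            token = self._random_token(value)
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup: only the vault, not the token, can recover the value."""
        return self._to_value[token]


def demo() -> dict:
    vault = TokenVault(keep_last=4)
    pan = "4111 1111 1111 1111"   # constructed test number, not a real card
    token = vault.tokenize(pan)
    return {
        "token": token,
        "format_preserved": same_format(pan, token),
        "last4_kept": token[-4:] == pan[-4:],
        "round_trip": vault.detokenize(token) == pan,
        "stable": vault.tokenize(pan) == token,
    }


if __name__ == "__main__":
    print(demo())
```

The random draw is what makes this tokenization rather than encryption: no key relates token to value, so an attacker who obtains only the tokenized table has nothing to attack; the vault becomes the asset to protect and to place outside the reach of the platform administrators.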
The effectiveness of encryption systems in preventing data loss rests on three legs
a) Difficulty of breaking encryption – traditional encryption relies on the use of encryption keys that are mathematically hard to guess. The growth in computing power has required keys to become longer. The introduction of quantum computers raises the prospect of future computers being able to quickly break traditional keys, and the need to replace keys with a new generation of quantum-safe keys. A key advantage of enterprise key management systems such as DPM easyKey is the ability of organizations to centrally manage all encryption keys and digital certificates, with the ability to easily upgrade keys with stronger variants over time.
b) Difficulty of bypassing encryption – traditional encryption systems operate at the level of a single computer or database and are thus vulnerable to being bypassed by the privileged users responsible for administering that platform.
c) Inability to find unprotected copies of sensitive data – copies of sensitive data can exist in reports, analytic systems and test data sets, all of which need to be protected. Hence a truly effective encryption system needs to be able to protect sensitive data wherever it resides.
Database encryption is the process of converting plain text information into an unreadable code that can only be deciphered with a key or password.
This protects sensitive information from unauthorized access and theft of content.
The two main types of database encryption are
a) Transparent Data Encryption (TDE). After data is encrypted, data is transparently decrypted for authorized users or applications. TDE helps protect data stored on media (also called data at rest) in the event that the storage media or data file is stolen.
Depending on the implementation, TDE can be applied at the tablespace level (the whole database) or selectively at the column level.
Many database vendors offer TDE solutions for selected versions of their database products. Typically the addition of TDE requires purchase of an additional licence.
Randtronics DPM easyCipher is a TDE product that sits outside of the database and can provide tablespace-level TDE as well as protecting other files in the database folder such as report folders, analytics applications or other areas where extracts of sensitive data may potentially exist.
Randtronics DPM easyCipher enables TDE protection for any database that runs in a Window/Linux or Kubernetes environment and thus can
b) Field-level Encryption
File-level encryption, when integrated with an enterprise access control system (Randtronics DPM being an example), allows multiple users to access IT systems whilst preserving the ability to grant or deny any user or application access to a given file.
Full-Disk and Volume Encryption are basically either on or off – once unlocked, anyone can access anything.
Full-Disk and Volume Encryption are often used to lock down data in the event that a device or hard-drive is physically stolen. However, File-level encryption can also do this whilst providing a much deeper level of data protection.
Starting with an illustration
In anonymized form might be
Data that has been anonymized is completely safe in the sense that it is simply not possible to re-identify the individual by matching the scrambled data field with other records.
Pseudonymized form might be:
Pseudonymized form still has some useful information – in this case gmail.com tells us that the person isn’t using a work account. However, if the email address were something less generic, then given access to another list of user names and emails it might be possible to rematch the record back to Jane Doe.
Examples of pseudonymization include obscuring all but the last 4 digits of a bank account number — so a clerk can distinguish between a customers various accounts but still not know the full account details.
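The Jane Doe illustration above, carried through in code as an added example (not Randtronics code): the same two records are anonymized, pseudonymized and masked, and the output shows the difference that matters for re-identification. Pseudonyms here are keyed HMAC-SHA256 values with the email domain kept, which is an assumed construction; any deterministic keyed function gives the same linkability property. Anonymous values are fresh random strings with no key and no lookup table, so nothing can match them back. The records are constructed.

```python
"""Anonymization vs pseudonymization vs masking on the same records (added example).

Assumption: pseudonyms are truncated HMAC-SHA256 tags under a secret key.
"""
import hashlib
import hmac
import secrets

# Constructed records for the same person, not real data.
RECORDS = [
    {"name": "Jane Doe", "email": "jane.doe@gmail.com", "account": "123456789012"},
    {"name": "Jane Doe", "email": "jane.doe@gmail.com", "account": "987654321098"},
]


def anonymize(value: str) -> str:
    """Irreversible and unlinkable: no key, no table, fresh randomness on
    every call, so two records for one person can no longer be matched."""
    return secrets.token_hex(8)


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic under a key: equal inputs give equal pseudonyms, so
    records stay linkable for analytics, and re-identifiable by anyone who
    holds the key plus a candidate list (the risk the page describes)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_email(email: str, key: bytes) -> str:
    """Replace only the local part; the domain stays, as in the gmail.com example."""
    local, _, domain = email.partition("@")
    return f"{pseudonymize(local, key)}@{domain}"


def mask_account(account: str, visible: int = 4) -> str:
    """Irreversible partial reveal: enough to tell accounts apart,
    not enough to use them."""
    return "*" * (len(account) - visible) + account[-visible:]


def protect(records, key: bytes) -> list:
    return [
        {
            "name_anon": anonymize(r["name"]),
            "email_pseudo": pseudonymize_email(r["email"], key),
            "account_masked": mask_account(r["account"]),
        }
        for r in records
    ]


def demo() -> dict:
    key = secrets.token_bytes(32)    # pseudonymization key, kept with the key manager
    rows = protect(RECORDS, key)
    return {
        "rows": rows,
        # same person -> same pseudonym: linkable across datasets
        "pseudonyms_link_same_person": rows[0]["email_pseudo"] == rows[1]["email_pseudo"],
        # same person -> unrelated random values: not linkable
        "anonymous_values_link_same_person": rows[0]["name_anon"] == rows[1]["name_anon"],
        "domain_kept": rows[0]["email_pseudo"].endswith("@gmail.com"),
    }


if __name__ == "__main__":
    print(demo())
```

Which technique to choose follows from the question of whether the data ever needs to be joined back: analytics and fraud work usually need the linkability that pseudonymization keeps (and therefore the key management that goes with it), whereas data released outside the organization is safer anonymized, where no key exists to protect or to leak.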
Historically, encryption protection was an additional feature added to IT systems, giving rise to a situation where an organization may have multiple, incompatible data protection ‘silos’, each of which requires specialist skills to administer and, of course, changes in one do not automatically flow on.
By contrast a centralized policy-based management system for encryption, other forms of data protection and encryption keys provides a single point of administration.
The benefits of a centralized policy-based system include
- consistency – ensuring that changes are automatically applied everywhere
- role separation – data privacy can be administered independent of the IT organization. Privileged IT accounts are prime targets for hackers and a centralised policy-based data protection system enables an organization to isolate privileged IT accounts from access to sensitive data
Encryption keys come in four basic forms: symmetric, asymmetric, public and private.
Enterprise encryption systems typically use asymmetric, public and private keys as symmetric encryption systems have some significant limitations.
- Symmetric encryption: Symmetric-key cryptography uses a single encryption key for both encryption and decryption of data.
- Asymmetric encryption: In asymmetric encryption, a pair of keys is used to encrypt and decrypt the data. Both keys are paired with each other and created at the same time. They are referred to as public and private keys.
- Public keys primarily encrypt the data and are only used to encrypt the data, not to decrypt it.
- Private keys are used to decrypt the data. This is the only key that can decrypt the encrypted data, and it should be password-protected.
Symmetric-key encryption has some advantages: it doesn’t require a complex backend infrastructure and the encrypt/decrypt algorithm is fast, but there are some significant limitations and challenges, including: