LEARN MORE ABOUT CYBERCRYPT D1
DATA PROTECTION IN CYBERCRYPT D1
CYBERCRYPT D1 protects data with FIPS-compliant cryptographic mechanisms as specified in FIPS 197 (AES), NIST SP 800-38D (GCM), NIST SP 800-133 (key generation), NIST SP 800-38F (key wrapping), NIST SP 800-56C (key derivation), and others.
Key Management through KMS/HSM
CYBERCRYPT D1 integrates with the KMS/HSM already in your environment, such as AWS KMS, Google Cloud KMS, Azure Key Vault, cloud HSM offerings, KMIP-compatible appliances, etc., so that each individual data point can be protected with its own key rooted in that KMS/HSM.
CYBERCRYPT D1 encrypts and authenticates data with symmetric authenticated encryption (AES-GCM, per FIPS 197 and NIST SP 800-38D). Unlike RSA or elliptic-curve cryptography, symmetric ciphers are not broken by known quantum algorithms (Grover's search only halves the effective key length, which a 256-bit key absorbs), so the long-term confidentiality of your stored data does not rest on public-key primitives that a quantum computer threatens.
CYBERCRYPT D1 allows efficient search over encrypted data using searchable encryption techniques: you do not need to decrypt your data to search it. As with any searchable-encryption scheme, the trade-off is a controlled amount of leakage (for example, which stored records match a given query), so the search capability should be enabled only for the fields that need it.
CYBERCRYPT D1 adds another full layer of protection around your relational data stored in traditional Relational Database Management Systems (RDBMS) based on the principles of zero trust and defense in depth.
S3 objects should be protected with application-layer encryption so that data is readable only by workloads and processes that are explicitly authorized. An attacker who exfiltrates the bucket then obtains only ciphertext, which removes the leverage behind the "leak" half of double-extortion ransomware.
Object storage is not limited to S3, so CYBERCRYPT D1 also supports generalized blob storage such as Azure Blob Storage and Google Cloud Storage, as well as local file systems such as ext4 and NTFS.
OAuth 2.0 / OIDC
CYBERCRYPT D1 integrates with any modern IAM solution that supports OIDC, including Azure AD (now Microsoft Entra ID), AWS IAM, GCP IAM, Keycloak and more. Among other flows, it supports claim-based authorization, where the claims in the OIDC token decide what the caller may do.
Access to each individual object protected with CYBERCRYPT D1 is subject to a unique authorization. This object-level authorization can be user-based, group-based or claim-based.
You can define the scope of the operation, e.g., read or write, for each authorization. This allows a strong least-privilege access model: for instance, a data producer that only writes records does not need, and should not hold, read access to them.
Access to data, both reading and writing, is cryptographically enforced per data point: an operation succeeds only with the right combination of that object's unique key and an authorization claim for the requested scope, so a caller without the claim never obtains the key.
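To make the per-object key plus per-object scope model concrete, here is an added illustrative example in Go. It is not CYBERCRYPT D1 code and does not use the D1 API; it models the same idea with envelope encryption: one random data key per object, wrapped under a key-encryption key (the KEK, here an in-memory byte slice standing in for a key that in a real deployment stays in the KMS/HSM), and a grant table standing in for authorizations derived from OIDC claims. The object IDs, subject names and grants are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Scope is the operation an authorization grants on one object.
type Scope uint8

const (
	ScopeRead  Scope = 1 << iota // may unwrap the object's key and decrypt
	ScopeWrite                   // may encrypt new content for the object
)

var ErrUnauthorized = errors.New("no authorization for this object and scope")

// storedObject is what an untrusted backing store (S3, RDBMS, ...) holds:
// the per-object data key wrapped under the KEK, and the data under that key.
type storedObject struct {
	wrappedDEK []byte
	ciphertext []byte
}

// Service is a toy encryption service (assumption: not the product's design).
// kek stands in for a KMS/HSM-resident key; grants stand in for claims.
type Service struct {
	kek     []byte
	grants  map[string]map[string]Scope // objectID -> subject -> scopes
	objects map[string]storedObject
}

func NewService(kek []byte) *Service {
	return &Service{kek: kek, grants: map[string]map[string]Scope{}, objects: map[string]storedObject{}}
}

// Grant records that subject holds scope on objectID.
func (s *Service) Grant(objectID, subject string, scope Scope) {
	if s.grants[objectID] == nil {
		s.grants[objectID] = map[string]Scope{}
	}
	s.grants[objectID][subject] |= scope
}

func (s *Service) authorize(objectID, subject string, need Scope) error {
	if s.grants[objectID][subject]&need != need {
		return ErrUnauthorized
	}
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts with a fresh random nonce prepended; aad binds the blob to its object.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openAEAD(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// Store requires ScopeWrite. A fresh 256-bit DEK is generated for the object
// and persisted only wrapped under the KEK; the writer never needs read access.
func (s *Service) Store(subject, objectID string, plaintext []byte) error {
	if err := s.authorize(objectID, subject, ScopeWrite); err != nil {
		return err
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	wrapped, err := sealAEAD(s.kek, dek, []byte(objectID))
	if err != nil {
		return err
	}
	ct, err := sealAEAD(dek, plaintext, []byte(objectID))
	if err != nil {
		return err
	}
	s.objects[objectID] = storedObject{wrappedDEK: wrapped, ciphertext: ct}
	return nil
}

// Retrieve requires ScopeRead: the DEK is unwrapped only after the check passes,
// which is what makes the authorization cryptographic rather than advisory.
func (s *Service) Retrieve(subject, objectID string) ([]byte, error) {
	if err := s.authorize(objectID, subject, ScopeRead); err != nil {
		return nil, err
	}
	obj, ok := s.objects[objectID]
	if !ok {
		return nil, errors.New("no such object")
	}
	dek, err := openAEAD(s.kek, obj.wrappedDEK, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return openAEAD(dek, obj.ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32)
	_, _ = rand.Read(kek) // demo only; a real KEK lives in the KMS/HSM
	svc := NewService(kek)
	svc.Grant("invoice-42", "sensor-gateway", ScopeWrite) // producer: write only
	svc.Grant("invoice-42", "billing-job", ScopeRead)     // consumer: read only
	fmt.Println("producer write:", svc.Store("sensor-gateway", "invoice-42", []byte("amount=1200")))
	_, err := svc.Retrieve("sensor-gateway", "invoice-42")
	fmt.Println("producer read:", err)
	pt, err := svc.Retrieve("billing-job", "invoice-42")
	fmt.Println("consumer read:", string(pt), err)
}
```

Two points worth noticing: the object ID is passed as associated data to both AES-GCM calls, so a wrapped key or ciphertext copied from one object to another fails authentication instead of decrypting; and because the authorization check sits in front of the key unwrap inside the one component that can reach the KEK, a compromised backing store still yields only ciphertext.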
CYBERCRYPT D1 is a microservice designed for easy deployment into existing Kubernetes clusters. It can be deployed in several modes, such as a stand-alone service or as a sidecar injected into application pods.
All CYBERCRYPT D1 components are built as OCI-compliant container images. The images use minimal bases, Distroless or even scratch, so they carry no shell or package manager and expose a correspondingly small attack surface.
CYBERCRYPT D1 ships with Helm charts out of the box, allowing you to get started quickly. The chart defaults can be overridden with your own configuration and integrations.
Easy Getting-Started scripts
Deploying a microservice architecture can quickly become complicated. The CYBERCRYPT D1 release therefore includes a collection of ready-made scripts that make any deployment much easier to handle.
The CYBERCRYPT D1 services follow the Twelve-Factor App principles, including the one on logs: they are treated as event streams written to stdout, which makes it straightforward to ship them to any SIEM solution.
Every access event in CYBERCRYPT D1 is exported as an auditable event, so access to any data protected by the service can be monitored. Each event records the subject, the object accessed and the scope requested, and events are sequenced so that the order of operations during an access can be reconstructed.
gRPC for In-Cluster
The default API for CYBERCRYPT D1 is exposed over gRPC, enabling automatic generation of clients in nearly any language. The protocol is well suited to transferring large binary data over the network.
Ready for Edge Computing
CYBERCRYPT D1 can be deployed as part of your edge computing environment to protect data as close to its source as possible. Encrypting at the edge preserves the integrity and confidentiality of the data from the moment of collection all the way through to central processing.
CYBERCRYPT D1 is designed to work in microsegmented networks where the zone of trust is as small as possible. This improves breach containment and reduces the attack surface of your deployments.
Secure Key Distribution Channel
Optionally, your DevSecOps team can establish a secure connection from CYBERCRYPT D1 to your centralized key management system using CYBERCRYPT K1. This allows for integrations with your existing on-premise HSMs or with cloud KMS systems in other environments.
SEAMLESS INTEGRATION WITH IAM AND KEY MANAGEMENT