Concepts

CipherStash Proxy

CipherStash Proxy helps you protect sensitive data in your SQL databases with no downtime or changes to client applications.

CipherStash Proxy enhances your existing PostgreSQL database with Encryption-in-Use, data access event monitoring and fine-grained access control.

CipherStash Proxy works in-tandem with your existing infrastructure and is fully contained within your environment.

CipherStash Proxy is simple to deploy and completely transparent to any existing PostgreSQL client.

What problem is CipherStash Proxy solving?

CipherStash Proxy is the foundation that brings advanced auditing, identification, and encryption to PostgreSQL.

Audit

Auditing PostgreSQL data access requires a log of the actual records accessed connected with the identity of the user making the access request. PostgreSQL can log database statements, but a record of the executed SQL is not sufficient for understanding the actual records or rows returned. Analysis requires effort to combine logs from multiple services as there is often no single source of truth. Determining the extent of a data breach can be manual and time consuming.

CipherStash Proxy tracks data access events in real time by connecting SQL statements with the actual records returned, and by enabling applications to associate client identity with each access.

Identify

Complete visibility of data access requires the capability to identify the user making the access request.

Database access is often tied to a deployed application or service rather than an actual user identity. Applications connect to the database on behalf of users, creating an identity mismatch. PostgreSQL does have role-based authentication, but in most cases it is used to narrow the permissions of the database connection initiated by an application. Associating database access controls with an individual identity requires additional effort and is not covered by database statement logging.

CipherStash Proxy enables end-user identity to be passed through and associated with data access.

Encrypt

Protecting data is much simpler if the data is encrypted. We have the technology to protect data, but the state of the art is not good enough.

Data is encrypted at rest but plaintext in use. Anyone connected to the database has full access to the plaintext. Locking data access down to the field level with strict access controls is possible, but again runs into our good friend, the identity impedance mismatch. Encrypting data inside the database is possible, but requires engineering effort and deep expertise in cryptography. Not all teams have the capacity to combine AES-256 and envelope encryption within a Bloom filter structure to enable secure full-text search on encrypted data.

CipherStash Proxy enables searchable encryption-in-use to protect data continuously.

Where CipherStash Proxy lives in the stack

The CipherStash Proxy is available as a Docker container and can be deployed in public or private cloud, on premises, and on any container runtime environment. The Proxy speaks the PostgreSQL wire protocol and is based on the open source pgcat.

To any connecting client, the CipherStash Proxy should be indistinguishable from PostgreSQL.

The Proxy can be deployed:

  • as a single logical service managing database access across the container environment
  • as multiple services managing database access aligned with specific services
  • baked into a Docker image managing database access within a single container

In development and CI, the Proxy can be managed with Docker compose or similar tools.

In production CipherStash Proxy can be deployed into your existing container infrastructure.

Multiple instances can be deployed behind a load balancer for resilience.

Additionally, CipherStash Proxy is available as a binary for both amd64 and arm64 architectures. CipherStash can work with you to find the right deployment approach for your environment.

Deployment

Deploy to container environment

Deploy to any container environment that supports Docker. See Basic Container Deployment.

Load balanced deployment

Load balance traffic across several proxy instances for additional resilience. See Load Balanced.

What CipherStash Proxy does

CipherStash Proxy mediates access to your PostgreSQL database and analyses your SQL in real time to Audit, Identify, and Encrypt. It:

  • enables services to associate client identity and other contextual information with SQL statements
  • captures the record identifiers of data in transit
  • creates a complete audit log of all SQL statements, record ids, associated identity and context
  • transparently encrypts and decrypts data without complex engineering

Proxy in Action

Audit

CipherStash Proxy connects SQL statements to the records they touch, tracking data access events in real time.

See CipherStash Audit for further details.

Primary key injection

Primary key injection connects SQL statements to record identifiers.

Primary key injection transparently ensures that any data access event includes the actual record identifiers. No need to instrument or change your SQL.

CipherStash Proxy uses the database schema to identify SQL statements that do not reference a primary key. It injects the missing primary keys into the SQL before execution. The primary keys of accessed records can then be tracked with the data access event. The injected data is removed from the response before it is sent to the client.

The performance impact on the database is negligible, as the primary key is by definition indexed and the referenced tables are already present in the SQL statement.

When combined with CipherStash Identify, the events are also linked to client identity, providing an end-to-end view of data access.

Record reconciliation

Record reconciliation extracts the record identifiers, maps them to the appropriate tables, and includes them in the data access event payload sent to Audit.

Injected primary keys are always removed from the SQL results before they are returned. The process is internal to CipherStash Proxy; the format of the result set always matches the original query.
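The following is an added, self-contained illustration of primary key injection and record reconciliation; it is not CipherStash Proxy's code. It assumes a hard-coded schema map (the Proxy reads the real schema), a hypothetical alias `__cs_pk` for the injected column, a constructed in-memory SQLite table, and a deliberately simple regular-expression matcher for single-table SELECTs in place of a real SQL parser.

```python
import re
import sqlite3

# Constructed schema map (table -> primary key column). The real Proxy derives this
# from the database schema; it is hard-coded here for the demo.
SCHEMA_PKS = {"users": "id", "orders": "order_id"}

INJECTED_ALIAS = "__cs_pk"  # hypothetical alias for the injected column

# Simple matcher for single-table SELECTs; a production proxy uses a real SQL parser.
SELECT_RE = re.compile(
    r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<table>\w+)(?P<rest>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def inject_primary_key(sql):
    """Return (sql_to_execute, injected_alias_or_None).

    If the statement is a single-table SELECT whose column list does not already
    include the table's primary key, append the primary key under a known alias.
    """
    m = SELECT_RE.match(sql)
    if not m:
        return sql, None
    table = m.group("table").lower()
    pk = SCHEMA_PKS.get(table)
    if pk is None:
        return sql, None
    cols = [c.strip().lower() for c in m.group("cols").split(",")]
    if "*" in cols or pk in cols or f"{table}.{pk}" in cols:
        return sql, None  # the primary key is already part of the result set
    rewritten = (
        f"SELECT {m.group('cols')}, {table}.{pk} AS {INJECTED_ALIAS} "
        f"FROM {table}{m.group('rest')}"
    )
    return rewritten, INJECTED_ALIAS


def execute_with_audit(conn, sql):
    """Run a statement, build an audit event carrying the record ids, and return
    the rows in exactly the shape the client asked for (injected column stripped)."""
    rewritten, injected = inject_primary_key(sql)
    cur = conn.execute(rewritten)
    rows = cur.fetchall()
    m = SELECT_RE.match(sql)
    if m is None or SCHEMA_PKS.get(m.group("table").lower()) is None:
        return rows, {"sql": sql, "table": None, "record_ids": []}
    table = m.group("table").lower()
    names = [d[0].lower() for d in cur.description]
    # Locate the primary key column: either the injected alias or the real column name.
    pk_idx = names.index(injected) if injected else names.index(SCHEMA_PKS[table])
    event = {"sql": sql, "table": table, "record_ids": [row[pk_idx] for row in rows]}
    if injected:
        # Record reconciliation: strip the injected column before returning rows.
        rows = [row[:pk_idx] + row[pk_idx + 1:] for row in rows]
    return rows, event


def build_sample_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for stmt in ("SELECT email FROM users WHERE name = 'alice'", "SELECT * FROM users"):
        result, audit_event = execute_with_audit(db, stmt)
        print(result, audit_event)
```

The client that sent `SELECT email FROM users WHERE name = 'alice'` receives a one-column result set, while the audit event records that row 1 of `users` was read; a statement that already returns the primary key (`SELECT *`) is executed unchanged and its ids are read from the result by column name.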

Identify

CipherStash Proxy enables end-user identity to be passed through and associated with data access.

See End-to-End Identity.

Passthrough identity

Passthrough Identity enables you to connect every SQL statement with real-world identity.

Using a custom SET IDENTITY SQL command, an end-user JWT is passed to the Proxy and validated.

CipherStash Proxy uses the CipherStash Token Service to verify the JWT, extracts the subject (sub) and audience (aud) claims from the token, and associates this client identity information with data access events.

See Set Identity.

Passthrough context

Passthrough context provides the flexibility to associate any contextual data with the execution of any SQL statement.

Using a custom SET CONTEXT SQL command, a JSON object of key/value pairs is passed to the Proxy and validated. This context information is associated with any data access events for auditing.

See Set Context.
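As an added example covering both Passthrough identity and Passthrough context (not CipherStash Proxy's code), the session handler below accepts the two custom commands, validates their payloads, and attaches the resulting identity and context to every subsequent statement's data access event. It assumes the command syntax `SET IDENTITY '<jwt>'` and `SET CONTEXT '<json>'` (the page does not give the exact syntax), and it verifies HS256 tokens locally with a constructed key, whereas the real Proxy delegates verification to the CipherStash Token Service. `make_demo_jwt` exists only to mint sample tokens.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed HMAC key standing in for the verification key held by the token
# service. Assumption: HS256 verified locally for the demo only.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_AUD = "demo-proxy-audience"  # constructed audience value


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_jwt(claims, key=DEMO_KEY):
    """Mint an HS256 token for the demo; an identity provider does this in practice."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token, key=DEMO_KEY, expected_aud=EXPECTED_AUD, now=None):
    """Check structure, algorithm, signature, expiry, audience and subject; return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # refuse 'none' and any algorithm we do not expect
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("audience mismatch")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def token_is_valid(token, now=None):
    try:
        verify_jwt(token, now=now)
        return True
    except ValueError:  # json.JSONDecodeError and binascii.Error are ValueError subclasses
        return False


SET_IDENTITY_RE = re.compile(r"^\s*SET\s+IDENTITY\s+'([^']*)'\s*;?\s*$", re.IGNORECASE)
SET_CONTEXT_RE = re.compile(r"^\s*SET\s+CONTEXT\s+'([^']*)'\s*;?\s*$", re.IGNORECASE)


class ProxySession:
    """Per-connection state: validated identity and context attached to later statements."""

    def __init__(self, now=None):
        self.identity = None
        self.context = None
        self.now = now  # fixed clock for deterministic demos; None means wall-clock time

    def handle(self, sql):
        m = SET_IDENTITY_RE.match(sql)
        if m:
            claims = verify_jwt(m.group(1), now=self.now)  # raises on any failed check
            self.identity = {"sub": claims["sub"], "aud": claims["aud"]}
            return {"command": "SET IDENTITY", "ok": True}
        m = SET_CONTEXT_RE.match(sql)
        if m:
            ctx = json.loads(m.group(1))
            flat = isinstance(ctx, dict) and all(
                isinstance(k, str) and isinstance(v, (str, int, float, bool))
                for k, v in ctx.items()
            )
            if not flat:
                raise ValueError("context must be a flat JSON object")
            self.context = ctx
            return {"command": "SET CONTEXT", "ok": True}
        # Any other statement becomes a data access event carrying identity and context.
        return {"sql": sql, "identity": self.identity, "context": self.context}
```

A token signed with the wrong key, an expired token, or one minted for another audience is rejected before any identity is attached, so a data access event only ever carries a subject the verifier has actually checked.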

Encrypt

CipherStash Proxy enables searchable encryption-in-use to protect data continuously. It supports several different types of encryption:

  • column encryption using AES-256
  • Order Revealing Encryption (ORE) for encrypted sorting and filtering
  • full-text searchable encryption using AES-256 and envelope encryption with Bloom filters
  • encrypted exact matching using HMAC (SHA-256)

Columns in the database can be configured to use one or more of the different encryption options. Every record is encrypted with a unique key using our Zero Trust Key Management Service.

In Encrypted mode, CipherStash Proxy inspects your incoming SQL statements, and transparently maps the SQL to access any configured encrypted columns. Data is automatically encrypted on write (insert and update) and decrypted on read (select). The underlying mechanics are totally hidden from your application and existing database access code does not need to change.
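To make the transparent SQL mapping concrete, here is an added example (not CipherStash Proxy's code) of the exact-match case: an HMAC-SHA-256 index column stands in for equality on a protected column, and a small rewriter maps `email = 'literal'` in the client's SQL to `email_index = '<hmac>'` before the statement reaches the database. It assumes a constructed, fixed index key (the Proxy obtains per-record keys from its key management service), a constructed column configuration, an in-memory SQLite table, and a regular-expression rewrite of quoted literals in place of a real SQL parser; the AES ciphertext column a real deployment would also store is omitted.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed index key. Assumption for this demo only; in a real deployment keys
# come from a key management service and are never embedded in code.
INDEX_KEY = b"constructed-demo-index-key"

# Constructed column configuration: plaintext column name as the application sees it
# -> name of the HMAC index column that actually exists in the database.
ENCRYPTED_COLUMNS = {"email": "email_index"}


def normalise(value):
    # Equality on an HMAC index is exact-byte equality, so canonicalise first.
    return value.strip().lower()


def exact_match_index(value, key=INDEX_KEY):
    """Keyed, deterministic digest supporting WHERE col = 'x' without storing x."""
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


EQUALITY_RE = re.compile(r"\b(\w+)\s*=\s*'([^']*)'")


def rewrite_equality_predicates(sql, key=INDEX_KEY):
    """Map `plaintext_col = 'literal'` to `index_col = '<hmac>'` for configured columns."""

    def replace(m):
        col, literal = m.group(1), m.group(2)
        index_col = ENCRYPTED_COLUMNS.get(col.lower())
        if index_col is None:
            return m.group(0)  # not a protected column: leave the predicate untouched
        return f"{index_col} = '{exact_match_index(literal, key)}'"

    return EQUALITY_RE.sub(replace, sql)


def build_sample_db(key=INDEX_KEY):
    """Constructed table holding only the index value, never the plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email_index TEXT)")
    for user_id, email in [(1, "Alice@Example.com"), (2, "bob@example.com")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user_id, exact_match_index(email, key)))
    return conn


def run_client_query(conn, client_sql, key=INDEX_KEY):
    """Execute the statement exactly as a proxy would: rewrite, then forward."""
    proxied_sql = rewrite_equality_predicates(client_sql, key)
    return [row[0] for row in conn.execute(proxied_sql).fetchall()]


def stored_values_leak_plaintext(conn):
    """True if any stored index value still looks like an email address."""
    return any("@" in row[0] for row in conn.execute("SELECT email_index FROM users"))


if __name__ == "__main__":
    db = build_sample_db()
    print(rewrite_equality_predicates("SELECT id FROM users WHERE email = 'alice@example.com'"))
    print(run_client_query(db, "SELECT id FROM users WHERE email = 'alice@example.com'"))
```

The application's statement is unchanged, and the database only ever sees the index value. Because the index is deterministic, equal plaintexts produce equal index values, which is what makes exact matching work but also reveals which rows share a value; that is why exact matching is one option among several, with ORE and Bloom filter indexes covering range and full-text queries.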

What signals CipherStash Proxy emits

CipherStash Proxy provides:

  • detailed SQL statement logging for development
  • auditable data access event logging for use with the Audit application
  • detailed Prometheus metrics for monitoring and alerting

Encryption-in-use

Encryption-in-use offers a practical, production-ready solution to the cause of most data breaches.

Read the whitepaper authored by cryptography expert and CipherStash CEO Dan Draper.
