# How do we modernize beyond legacy tokenization and perimeter-based security models? *Domain Solution · Encryption in Use* CipherStash replaces token vaults and perimeter controls with searchable field-level encryption: data protects itself wherever it goes, queries keep working, and there is no vault to scale, synchronise, or breach. Identity-bound decryption delivers the access control perimeters were supposed to provide. ## Refined Question Our current protections are a tokenization vault from one era and network perimeter controls from another. Both fight modern architectures — vaults add latency and a single point of failure, perimeters dissolve in the cloud. What does the modern replacement look like? ## Why This Matters Tokenization centralises risk in the vault and strips data of its utility — every search and analytic needs a detokenization round-trip. Perimeter models assume an inside and an outside that cloud and AI architectures no longer have. Both leave the actual data unprotected the moment their boundary is crossed. ## Why CipherStash CipherStash protects the values themselves. Searchable encryption keeps data useful without round-trips to a vault; per-value keys derived by ZeroKMS remove the central honeypot; identity-bound decryption enforces access wherever the data travels. This allows: - Tokenization vaults to be retired without losing searchability - Protection to persist beyond any network or organisational boundary - Latency and availability to stop depending on a central detokenization service - A single model to cover applications, analytics, and AI consumers ## Key Differentiators - **Searchable encryption** — equality, range, and free-text queries over encrypted Postgres fields, with standard indexes - **Per-value keys via ZeroKMS** — keys are derived on demand, never stored - **Application-layer encryption** — data is protected before it reaches the database - **Identity-aware decryption** — every decryption is bound to the identity behind the request - **No re-platforming** — works over the Postgres you already run ## Get started - [View docs](https://cipherstash.com/docs) - [Book a discovery call](https://calendly.com/cipherstash-gtm/cipherstash-discovery-call) ## Related questions - [How do we give developers secure defaults instead of relying on perfect operational discipline?](https://cipherstash.com/solutions/how-do-we-give-developers-secure-defaults-instead-of-relying-on-perfect-operational-discipline.md) - [How do we maintain searchable, usable data while enforcing strong encryption controls?](https://cipherstash.com/solutions/how-do-we-maintain-searchable-usable-data-while-enforcing-strong-encryption-controls.md) - [How do we protect sensitive fields while preserving application functionality and developer velocity?](https://cipherstash.com/solutions/how-do-we-protect-sensitive-fields-while-preserving-application-functionality-and-developer-velocity.md) - [How do we secure data in use, not just data at rest or in transit?](https://cipherstash.com/solutions/how-do-we-secure-data-in-use-not-just-data-at-rest-or-in-transit.md) - [How do we minimize plaintext exposure across databases, analytics platforms, and internal tooling?](https://cipherstash.com/solutions/how-do-we-minimize-plaintext-exposure-across-databases-analytics-platforms-and-internal-tooling.md) - [How do you encrypt sensitive columns in Aurora Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-aurora-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in AWS RDS Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-aws-rds-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in Azure Database for Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-azure-database-for-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in Crunchy Bridge without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-crunchy-bridge-without-losing-search.md)