Tandem is a data protection gateway built for SQL databases containing sensitive data.
Traditionally, databases expose data in plain text, risking leaks due to compromised credentials.
ETL and replication processes must be given full access to the database, further risking data.
With Tandem, an encryption layer protects data. Even with compromised credentials, Tandem secures data, enhancing system security.
Encryption-in-Use and fine-grained identity and access control deepen your data's defences, significantly reducing the chances of a breach.
Works in tandem with your existing stack.
Tandem runs privately in your own cloud or on-premise environment. Your data never leaves your systems.
No code required
No changes required to existing apps, integrations, or data analysis workflows. It's truly plug-and-play.
Precision access control
Sensitive access must be via Tandem, enabling fine-grained identity and access control policies down to the database row level.
Automatic secrets rotation
Tandem automatically rotates database credentials on a regular basis, reducing the risk of credential theft.
Pipelined and multithreaded
Written in Rust, Tandem is fast and efficient, and can handle thousands of concurrent connections.
Data integrity protection
Tandem has built in data integrity protection using cryptographic tags which verify that data has not been modified.
Ready to protect your data?
Book a 30 minute demo to see how CipherStash can solve your data protection challenges.Book a Demo
Designed for today's threat landscape.
The CipherStash platform incorporates several groundbreaking products that work together to protect your data.
Key management ready for a zero trust future.
Fast and secure, ZeroKMS is the CipherStash key management system, bringing the protection of zero trust to complex data environments where decryption isn’t just done on the server but in the app, in the browser or on the desktop. Designed so that neither the client nor the server needs to be fully trusted, ZeroKMS nullifies the security risks present in traditional trust-based key management.
Encryption-in-Use for any database or warehouse. No code required.
A high-performance searchable encryption proxy that truly works out of the box, requiring no changes to your apps, codebase or data analysis workflows. Ready for deployment at scale with full PostgreSQL support and beta support for SQL Server.
Data governance dashboard for your entire data estate.
Give your administrators and analysts total visibility and control over the who, what and when of your data. Command brings together auditing, policy management, anomaly detection, alerting and logging, allowing you to gain critical data governance insights.
The CipherStash Data Governance Framework.
A four step approach to data loss prevention in today's complex threat landscape.Download the Whitepaper
Frequently asked questions.
If you can't find what you're looking for, email our support team and someone will get back to you shortly.
Does Tandem only support PostgreSQL?
For now, yes though we have several more integrations in the works including AWS Redshift, Microsoft SQL and Google BigQuery.
How does Encyption-in-Use prevent data-breaches?
Encryption-in-Use hides data until an authorized user needs to access it, reducing the risk of unauthorized access. CipherStash's unique key for every field in every record allows for precise permission control, and the key server logs every access for auditing and quick issue resolution.
Does it work with cloud-managed PostgreSQL?
Yes! PostreSQL hosted in AWS, Azure and Google Cloud are all supported. In fact, any PostgreSQL database later than 14.0 will work.
Does the database decrypt data to run queries?
Never. CipherStash uses searchable encryption which means that both data and queries are encrypted in the client before reaching the database. Results are returned by using a fast cryptographic compare function on the server which never sees the data.
Doesn't TLS already protect the data?
TLS protects against network interceptions but not against database breaches. If the database credentials are compromised, TLS doesn't provide any protection. Another way you can think of Encryption-in-Use is like 2FA for your database!
Will our ETL tools still work?
Yes, standard clients and database tools can still connect as normal. Now, however, you can prevent them from accessing sensitive data. For example, nightly sync processes can transfer encrypted data between databases without ever decrypting it.
How does Tandem compare to Transparent Data Encryption (TDE)?
TDE protects data at rest, but not when it is in use. Tandem protects data at rest, in use and in transit. TDE also requires the database to decrypt the data before it can be used, which means that the database must be trusted. Tandem does not require the database to be trusted, and the database never sees the data in plain text.
How does Tandem compare to Always Encrypted?
Always Encrypted is a feature of Microsoft SQL Server which encrypts data in the client before sending it to the database. Unlike Always Encrypted, Tandem uses Searchable Encryption which allows the database to perform queries on the encrypted data without ever decrypting it. Tandem can also be used with any database, not just Microsoft SQL Server.
How do I run Tandem in my environment?
Tandem is a containerized application which can be deployed in any Kubernetes environment. We also provide a Helm chart for easy deployment. Tandem can also be deployed in a virtual machine or bare metal environment.