SaaS Shield
Add application-layer encryption, data controls, and data transparency to your cloud app.
Application security encryption platform that protects your data
Reduce risk by protecting data at the application layer
Application-layer encryption (ALE) provides strong protection against breaches, creates robust access controls, and doesn’t limit data usability when combined with Cloaked Search.
Scale up customer-managed keys for enterprise customers
If you’re moving upmarket to sell to enterprise customers or currently have enterprise customers who want advanced security features, CMK is a must-have. Smoothly launch your new CMK product with SaaS Shield.
Use technical solutions to comply with murky regulations
There’s a lot of confusion surrounding U.S. companies and their ability to hold EU personal data and PII. SaaS Shield helps you comply with ever-changing regulations so you can confidently operate within the EU.
Safeguard your data with developer-proof cryptography
Developers aren’t cryptographers, and they don’t need to be. Get things right from the start with an encryption solution built by experts in cryptography and secure product design.
The Business Case
Good for your customers and great for your business
Offering advanced encryption and security options will help you sell into new markets, to larger companies, and will help you diffentiate from your toughest competitors. In most cases, you'll be able to charge more for the premium levels of privacy and security, which means your investment comes back with interest.
Developer friendly
Built for easy integration and quick adoption
- Sample code and examples
- Versioned API changes
- Zero crypto decisions
- Powerful tooling
- Fast performance
- Low resource usage
- Massive scalability
- Configuration-driven
JavaScriptconst document = { ssn: Buffer.from("000-12-2345", "utf-8"), address: Buffer.from("2825-519 Stone Creek Rd, Bozeman, MT 59715", "utf-8"), name: Buffer.from("Jim Bridger", "utf-8"), }; client.encrypt(document, metadata).then((encrypted) => { const edek = encrypted.edek; const encryptedFields = encrypted.encryptedDocument; // Store both edek and fields in your persistence layer });
JavaMap<String, byte[]> document = new HashMap<>(); document.put("ssn", "000-12-2345".getBytes("UTF-8")); document.put("address", "2825-519 Stone Creek Rd, Bozeman, MT 59715".getBytes("UTF-8")); document.put("name", "Jim Bridger".getBytes("UTF-8")); client.encrypt(document, metadata).thenCompose(encrypted -> { String edek = encrypted.getEdek(); Map<String, byte[]> fields = encrypted.getEncryptedFields(); //Store both edek and fields in your persistence layer })
PHP$document = [ "ssn" => new Bytes("000-12-2345"), "address" => new Bytes("2825-519 Stone Creek Rd, Bozeman, MT 59715"), "name" => new Bytes("Jim Bridger") ]; $encrypted = $client->encrypt($document, $metadata); $edek = $encrypted->getEdek(); $encryptedFields = $encrypted->getEncryptedFields(); // Store both edek and fields in your persistence layer
Godocument := tsc.PlaintextDocument{ "ssn": []byte("000-12-2345"), "address": []byte("2825-519 Stone Creek Rd, Bozeman, MT 59715"), "name": []byte("Jim Bridger"), } encrypted, err := tenantSecurityClient.Encrypt(ctx, document, &metadata) edek := encrypted.Edek encryptedFields := encrypted.EncryptedFields // Store both edek and fields in your persistence layer
Future-proof
Be crypto-agile and ready for post-quantum crypto
Allows per-data segment choices on encrypted data that can change and evolve over time with efficient ways to re-key data when necessary. And you can be post-quantum ready today.
Read more →
Works everywhere
Integrates with almost any cloud environment and data store
Private by design
Meet the strictest data privacy laws including post-Schrems II handling of EU personal data by U.S. companies
Most privacy laws require privacy and security by design and strong protections of data, but the EU has taken that even further by making sure that any law enforcement or government access to data has to go through channels designed to protect the targets. Customer-held encryption keys can be used to solve this problem.
Read more →
How it works
Architected so IronCore Labs never sees sensitive data or keys
Data is encrypted and decrypted either in the proxy (like the S3 proxy) or in the SDK inside your application. Key management is handled in the Tenant Security Proxy docker container, which lives in your infrastructure and scales horizontally. Its job is to interact with one or more KMSes and keep secrets and sensitive configuration data safe.
Finally, the Configuration Broker is a cloud service that guides you or your customers through setting up and integrating KMSes and audit trail targets. The configuration data it receives is end-to-end encrypted and can’t be read by anyone at IronCore Labs.
Getting started
Integration and deployment is straightforward
- Step 1: Set up your vendor account on our end-to-end encrypted Configuration Broker.
- Step 2: Install the Tenant Security Proxy docker container in your infrastructure.
- Step 3: Get encrypting by adding relevant proxies (S3, OpenSearch, Elasticsearch) or integrating SDKs.
Some of our biggest customers were asking for advanced privacy features to better secure their data. We knew that to meet those needs, and meet them quickly, we would need to partner with someone who lives and breathes data privacy and security, and that's what we found in IronCore Labs.
Key features
All the advanced security features your customers want
Advanced encryption
Application-layer encryption keeps data safe from breaches
Data isolation
Per-tenant keys make wholesale database scraping difficult
Audit trails
Real-time streams of audit trails and security logs directly to customers
HYOK
Customers gain control of their data by holding their own keys
KMS freedom
Flexibility to store the key and data separately even cross-cloud
Crypto-agile
Rotate algorithms, key sizes, KMSes, and more
BYO storage
Bring your own storage - anything works
Data-in-use encryption
Exact matches with deterministic encryption or integrate with Cloaked AI and Cloaked Search
Data residency
Restrict decryption to specific regions or cloud environments by data segment
Meaningful AppSec
Don’t just talk about how well the data is protected; really protect it
Ask yourself what would happen if a hacker got into your network or if there was a flaw in your application that let attackers query your database unconstrained. Now ask yourself what you can do about it. If you encrypt the data properly, then in most scenarios, the bad guys walk away with data they can’t decrypt.
This is your missing security layer.
Read moreKey orchestration
We handle the difficulties of key management for you
We support key leasing to keep down KMS costs and to make systems more resilient to network problems. We handle key rotation, efficient ways to re-key data, data segmentation, algorithm independence (crypto-agility), key-size agility, and we help you and your customers be cloud-independent. You can separate key storage from your provider (ie, keys in GCP, data in AWS), and there’s no lock-in.
Read moreKMS Integrations
Works with the most popular key management servers
Each segment of data can have a different master key. A segment of data can be a tenant in a B2B SaaS multi-tenant system. Or a segment can be the home country or region of a person whose PII is encrypted. A different key can be used for each segment, and each key can optionally live in a different KMS.
KMSes are each independent of each other and may be run by different companies, operated in different regions, backed by different HSMs, or even run on-prem.
This KMS flexibility allows software and services to offer customer-held encryption keys and to offer data sovereignty even if the encrypted data is globally replicated. These are the tools needed to meet data privacy and data sovereignty laws around the world.
Supported KMS integrations include:
- Thales Ciphertrust Manager
- Google Cloud Key Management Service
- AWS Key Management Service
- Microsoft Azure Key Vault
SaaS Shield gives you ultimate flexibility in key management, streamlining compliance with global laws and regulations.
Compare Approaches
Hold keys for your customers or let them hold their own
Customer managed keys (CMK) is in high demand by some customers of cloud applications and infrastructure. It gives the customer varying degrees of control over their data even as that data is stored with a third party.
Application-layer encryption
Unless the data is application-layer encrypted, the actual data protection added is dubious.
Best of breed
The best solutions combine customer-held encryption keys with application-layer encryption.
Customer-held keys
Some CMK patterns ask the customer to generate a key and then to upload it to the provider, but that degrades the amount of control that the customer receives. When they hold the keys, they can revoke access to their data and track how it’s used.
With SaaS Shield, you let your customer decide if they want to hold their own keys while giving them the most meaningful data protection you can, short of end-to-end encryption.
Configuration Broker
KMS connection information is end-to-end encrypted
The configuration broker provides wizards to help customers navigate their way through setting up a KMS and any other advanced security elements they want to configure. The information they enter is end-to-end encrypted so that IronCore Labs can never read the details of how to connect to their KMS.
Watch a short demo to learn more:
Learn more
We're here to help with questions
Though we aren’t a services company, we frequently assist customers with design, architecture, and advice on how to approach adding advanced encryption into already complex enterprise applications. We have deep experience with enterprise cloud systems, cryptography, and privacy. We’d love to hear from you either online through one of our community platforms or more directly.