Core Ideas and Terminology
Privacera Encryption enhances the data security provided by Privacera Access Manager and Privacera Discovery.
You can encrypt tables, columns, rows, fields, or other data in connected systems. Even if a policy created in Privacera Access Manager grants access to that data, the encrypted values cannot be read.
Encryption can be two-way: you can encrypt the data in place and decrypt it later. Or it can be one-way: by hashing the data or overwriting it with string literals, you replace the original data so that it is invisible and unrecoverable.
Essential Encryption Terminology
For a conceptual view of these terms in action, see Graphical View of Processes.
Privacera Encryption relies on schemes:
A scheme is a combination of formats, algorithms, and scopes. There are two types of schemes:
- Encryption schemes encrypt or decrypt the data.
- Optional presentation schemes obfuscate decrypted data to a form suitable for displaying to authorized users.
Both encryption schemes and presentation schemes rely on the same set of formats, algorithms, and scopes.
An input data format defines the data type and structure to be encrypted, such as alphanumeric, credit card, email address, or social security number.
A scope defines the extent of the encryption on the data, such as the first four digits, an IP domain, or all data. Scoping ALL is recommended.
A scheme policy defines access control: which users have permission to use a scheme.
For example, you might rely on a Privacera-supplied encryption scheme to protect a PII field called "EMAIL". The scheme:
- Applies the SHA-256 algorithm for a one-way hash.
- Is scoped with "masked domain" to hide the portion of the email to the right of the @ sign.
You can also define your own custom encryption and presentation schemes.
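As an added illustration (not Privacera's code, API, or scheme identifiers), the following Python models a scheme as format + algorithm + scope and a scheme policy as the set of users allowed to use it. The EMAIL_HASH scheme mirrors the example above (SHA-256, masked domain); the SSN_DISPLAY presentation scheme, the regexes, and the user names are assumptions constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass

# Hypothetical model of a scheme as format + algorithm + scope; names, regexes and the
# sample policy are constructed for illustration and are not Privacera's own API.
FORMATS = {
    "EMAIL": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "SSN": re.compile(r"\d{3}-\d{2}-\d{4}"),
}
ALGORITHMS = {
    "SHA-256": lambda s: hashlib.sha256(s.encode()).hexdigest(),      # one-way hash
    "LITERAL": lambda s: "<REDACTED>",                                # one-way overwrite
    "MASK": lambda s: "".join("*" if c.isalnum() else c for c in s),  # display-only
}

def first_four_digits(value: str) -> tuple:
    """Scope: protect up to and including the fourth digit, keep the rest as-is."""
    digits = 0
    for i, c in enumerate(value):
        digits += c.isdigit()
        if digits == 4:
            return "", value[: i + 1], value[i + 1 :]
    return "", value, ""

# A scope splits the value into (keep, protect, keep); only the middle part is transformed.
SCOPES = {
    "ALL": lambda v: ("", v, ""),
    "MASKED_DOMAIN": lambda v: (v[: v.index("@") + 1], v[v.index("@") + 1 :], ""),
    "FIRST_4_DIGITS": first_four_digits,
}

@dataclass(frozen=True)
class Scheme:
    name: str
    input_format: str
    algorithm: str
    scope: str

    def apply(self, value: str) -> str:
        if not FORMATS[self.input_format].fullmatch(value):
            raise ValueError(f"{value!r} does not match format {self.input_format}")
        head, target, tail = SCOPES[self.scope](value)
        return head + ALGORITHMS[self.algorithm](target) + tail

# Scheme policy: which users may invoke which scheme (constructed sample data).
SCHEME_POLICY = {"EMAIL_HASH": {"analyst"}, "SSN_DISPLAY": {"analyst", "support"}}

def protect(user: str, scheme: Scheme, value: str) -> str:
    if user not in SCHEME_POLICY.get(scheme.name, set()):
        raise PermissionError(f"{user} may not use scheme {scheme.name}")
    return scheme.apply(value)

EMAIL_HASH = Scheme("EMAIL_HASH", "EMAIL", "SHA-256", "MASKED_DOMAIN")  # one-way scheme
SSN_DISPLAY = Scheme("SSN_DISPLAY", "SSN", "MASK", "FIRST_4_DIGITS")    # presentation scheme
```

With these definitions, `protect("analyst", EMAIL_HASH, "jane.doe@example.com")` keeps the local part and replaces the domain with its SHA-256 digest, while `protect("support", SSN_DISPLAY, "123-45-6789")` yields `***-*5-6789`.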
For maximum security, Privacera Encryption relies on different types of encryption keys, including a master key and the keys derived from it.
For a description of keys, see Hierarchy and Types of Keys.
By default, keys are stored in Privacera's Ranger Key Management System (KMS), except for the master key, which is stored externally from the KMS or on a hardware storage module.
Keys can also be stored in the Azure Key Vault.