PII Data Security in a Hybrid and Multicloud World

  1. Quickly capture and classify data at scale for its sensitivity.
  2. Encrypt or de-identify the sensitive data collected before it hits external networks to evade all threat vectors.
  3. Apply a zero-trust approach and use least-privilege methods to selectively identify the data based on strict Role-Based Access Control (RBAC).

Common challenges with Identification and De-identification of PII data

Security practitioners all over the world agree unequivocally that encrypting PII data is the best way to protect it; however, that is the easy part. The challenging part is capturing and encrypting the PII data at scale, especially when the source of the data may be transient applications such as containers, or non-static serverless functions such as AWS Lambda, Azure Functions and the like. Additionally, here are some of the real-world needs and challenges:

  1. Applications generating/consuming PII data may not allow code changes. Think SaaS/PaaS.
  2. Data may go through multiple hops and may need to be quickly identified/de-identified at each hop depending on the business jurisdictions.
  3. When large amounts of data (TBs) need to be migrated from on-premises to cloud, de-identification will be required at a very high rate (~1M ops/s).
  4. Not all sensitive data is of a known data type such as SSN, DOB or email address, which incumbent solutions can de-identify/tokenize easily. Some de-identification requirements are more complex: a de-identified date may need to fall within certain bounds, or the house number in a street address cannot exceed a certain value, or it might break the business logic of a real-estate application that checks the validity of house numbers in a given neighborhood.

Key traits of an effective and practical solution

A complete solution ideally should address not only the current business challenges as mentioned above but should also be easily extensible and flexible enough to address future and more complicated data protection needs.

  1. Cloud native and multi-cloud deployment
  2. Hybrid Deployment
  3. Hardware root of trust
  4. Global Software as a Service (SaaS) offering
  5. Versatility and Extensibility

Solution that works and objectively solves all real-world use-cases

Fortanix Data Security Manager (DSM) brings a modern, scalable, lightweight, flexible and cloud-friendly solution to help customers protect their PII data right at the source, in transit and/or at rest. Before we dive into each of the use cases, let's recap what DSM offers in summary:

  1. Flexible consumption options
     a. Available in cloud marketplaces with granular core-based pricing to help you get the best ROI.
     b. Supports multicloud deployment, where nodes of a single cluster can run across different clouds.
     c. Supports hybrid cloud deployment, where some nodes run on-premises and others run in the cloud of your choice as part of the same cluster.
     d. Offered as a global SaaS service with FIPS 140-2 Level 3 compliance.
  2. One-stop shop for all data protection needs
     a. Offers a full suite of data protection services such as Tokenization, Dynamic Data Masking, Key Management, Transparent Data Encryption, Application Encryption, Secrets Management, key management for legacy 3rd-party HSMs and multi-cloud key management.
  3. Cluster-to-cluster peering at group level
     a. DSM offers a unique architectural tenet whereby you can selectively use keys from another DSM cluster or from another 3rd-party HSM while using the same control plane belonging to your primary DSM cluster. This specifically allows you to use the same control plane / URL for all your applications. This approach also offers a unique advantage in cloud deployments: your primary cluster can be deployed in the cloud, while some of your highly sensitive cloud applications can selectively perform crypto inside off-the-cloud Fortanix HSMs to meet key residency or localization requirements.

Fortanix’s approach to data de-identification and identification

DSM uses the NIST-approved FF1 method of Format Preserving Encryption to de-identify/tokenize and identify/de-tokenize PII data. The prime advantage and differentiator of Fortanix's solution is how it fits within the customer's complex architecture and seamlessly performs data identification/de-identification:

  1. It can be deployed and consumed at the application host, so data gets de-identified right at the source. This is achieved by caching the key in memory at the application host, which yields a very high rate of tokenization and detokenization operations per second.
  2. It can also sit as a proxy fronting the applications and transparently de-identify data without needing any code change in client applications. Additionally, it can automatically identify data without needing to be passed any key identifier, and can integrate with user-defined RBAC.
  3. For highly sensitive data, if the business mandates that data identification/de-identification must happen inside hardware appliances, DSM offers a third approach where data is streamed to the centrally deployed DSM cluster for identification/de-identification.
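As an added illustration (not Fortanix DSM code, and not FF1 itself), the block below mirrors the 10-round alternating Feistel structure that FF1 applies to numeral strings, but swaps FF1's AES-based round function for HMAC-SHA256 so it runs on the Python standard library alone. It shows the three properties the approach above relies on: the token has the same length and character class as the input (an SSN still parses as an SSN, separators included), the same key and tweak re-identify it deterministically, and a bounded domain such as a house-number range (the real-estate case from the challenges list) is handled by cycle walking. The key, the tweak labels and the sample values are constructed for the example.

```python
"""Format-preserving de-identification of digit strings: an illustrative Feistel network.

Constructed example, not Fortanix code. It mirrors the shape of NIST FF1
(a 10-round alternating Feistel network over numeral strings) but replaces
FF1's AES-based round function with HMAC-SHA256 so it runs on the Python
standard library alone. It is NOT FF1 and is not a substitute for a vetted
FF1 implementation; it is here to show why FPE keeps the output in the input's
format, why the key reverses it, and how a bounded domain is handled.
"""
import hashlib
import hmac
import re

ROUNDS = 10   # FF1 also uses 10 rounds
RADIX = 10    # decimal digit strings (SSNs, card numbers, house numbers)


def _prf(key: bytes, tweak: bytes, round_index: int, numerals: str) -> int:
    """Keyed round function: HMAC-SHA256 over (round, tweak, one half) read as an integer."""
    msg = bytes([round_index]) + len(tweak).to_bytes(2, "big") + tweak + numerals.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Map a digit string to another digit string of the same length (de-identify)."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("need a string of at least two decimal digits")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v           # width of the half being rewritten this round
        c = (int(a) + _prf(key, tweak, i, b)) % RADIX ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt under the same key and tweak (re-identify)."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a)) % RADIX ** m
        a, b = str(c).zfill(m), a
    return a + b


def tokenize_formatted(key: bytes, value: str, tweak: bytes) -> str:
    """De-identify only the digits of a formatted value (e.g. an SSN with dashes),
    leaving separators where they were so downstream validators still accept it."""
    token = iter(fpe_encrypt(key, re.sub(r"\D", "", value), tweak))
    return "".join(next(token) if ch.isdigit() else ch for ch in value)


def detokenize_formatted(key: bytes, value: str, tweak: bytes) -> str:
    """Reverse tokenize_formatted, keeping the separators in place."""
    plain = iter(fpe_decrypt(key, re.sub(r"\D", "", value), tweak))
    return "".join(next(plain) if ch.isdigit() else ch for ch in value)


def encrypt_bounded(key: bytes, value: int, upper: int, tweak: bytes = b"") -> int:
    """Keep a de-identified integer inside [0, upper] by cycle walking: re-encrypt
    until the result lands back in range. fpe_encrypt is a permutation of all
    width-digit strings, so the walk always terminates and stays invertible."""
    if upper < 1 or not 0 <= value <= upper:
        raise ValueError("value must lie in [0, upper] with upper >= 1")
    width = max(2, len(str(upper)))
    x = str(value).zfill(width)
    while True:
        x = fpe_encrypt(key, x, tweak)
        if int(x) <= upper:
            return int(x)


def decrypt_bounded(key: bytes, value: int, upper: int, tweak: bytes = b"") -> int:
    """Inverse of encrypt_bounded: walk the same cycle backwards until in range."""
    width = max(2, len(str(upper)))
    x = str(value).zfill(width)
    while True:
        x = fpe_decrypt(key, x, tweak)
        if int(x) <= upper:
            return int(x)


if __name__ == "__main__":
    # Constructed demo key; a real deployment would fetch the key from a key manager.
    key = hashlib.sha256(b"constructed demo key - never hard-code a real key").digest()
    ssn = "123-45-6789"                       # constructed sample value
    tok = tokenize_formatted(key, ssn, b"customer.ssn")
    print(ssn, "->", tok, "->", detokenize_formatted(key, tok, b"customer.ssn"))
    house = encrypt_bounded(key, 742, 999, b"address.house_number")
    print("house number 742 ->", house, "->", decrypt_bounded(key, house, 999, b"address.house_number"))
```

The tweak plays the role of a per-column (or per-jurisdiction) label: the same nine digits tokenized under `customer.ssn` and under another label yield unrelated tokens, so a token leaked from one dataset cannot be joined against another, while within one column tokenization stays deterministic and therefore still supports joins and lookups.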

Data Security Accelerator (DSA)

Fortanix Transparent Encryption Proxy (TEP)

De-identifying and Identifying data inside DSM Cluster

Key Take Away

  • Fortanix can effectively protect any type of your PII data at scale at the source, in-transit or at-rest.
  • Whether you need an auto-scalable cloud native solution, globally deployed SaaS solution or a self-managed air-gapped HSM grade on-premises solution, we have you covered.
  • Fortanix is a data-first multi-cloud security company and can deterministically help you protect every bit of your PII data across public/private clouds and SaaS services.


Fortanix™ has created the world’s first runtime encryption solution. Enterprises get provable, portable, and preventive security for their applications!