Privacera Platform master publication

Table of Contents

Privacera Encryption core ideas and terminology

:

Privacera Encryption enhances the data security provided by Privacera Access Management and Privacera Discovery.

You can encrypt tables, columns, rows, fields, or other data in connected systems. Even if the data are accessible by policies created in Privacera Access Management, the encrypted data cannot be seen.

Encryption can be two-way: you can encrypt the data in place and decrypt it later. Or it can be one-way: with hashing or overwriting with string literals, you can replace the original data to make it invisible and unrecoverable.

You can also completely mask data with a one-way transform.

For a view of the following essential terms in action, see Graphical view of encryption processes

Privacera Encryption relies on schemes:

  • A scheme is a combination of formats, algorithms, and scopes.

    All schemes rely on the same set of Encryption formats, algorithms, and scopes.Encryption formats, algorithms, and scopes

    • An input data format defines the data type and structure to be encrypted, such as alphanumeric, credit card, email address, or social security number.

    • An encryption algorithm specifies the mathematics used to encrypt, such as AES, FPE, or SHA.

    • A scope defines the extent of the encryption on the data, such as the first four digits, an IP domain, or all data. Scoping ALL is recommended.

  • A scheme policy defines access control: users who have permission to access a scheme.

For example, you might rely on a Privacera-supplied encryption scheme to protect a PII field called "EMAIL". The scheme:

  • Uses EMAIL format.

  • Applies the SHA-256 algorithm for a one-way hash.

  • Is scoped with "masked domain" to hide the portion of the email to the right of the @ sign.

You can also define your own custom encryption, presentation, and masking schemes.