SaaS applications running on AWS can now provide tenant-level data protection as data security provider Baffle announces new integration with AWS Server Side Encryption (SSE).
AWS’ SSE feature, aimed at protecting data at rest by encrypting it before saving it to disks, will now support multi-tenant encryption for SaaS data in the cloud.
“This use case applies to B2B SaaS companies but also to any central organization within a company that needs to keep different organizations’ data separate,” said Min-Hank Ho, vice president of Products at Baffle. “For example, a central IT function that needs to keep European data separate from Asia-Pac, or even different countries within a region.”
The offering is available now to AWS customers opting for the Baffle Data Protection solution.
Existing applications lack multi-tenant encryption
Existing SaaS providers using AWS aren’t able to provide tenant-level encryption with AWS's Relational Database Service (RDS) or Aurora database services, according to Baffle.
Additionally, while Simple Storage Service (S3), AWS's service for storing objects, potentially provides an encryption capability through AWS Server-Side Encryption, key management is still left to the SaaS provider.
“Most often, SaaS providers use separate database instances or logical databases to isolate their customers’ data,” Ho added. “Then they have to have separate S3 buckets for each customer. Managing all this complexity is often the reason SaaS providers don’t provide multi-tenant isolation.”
Baffle aims to solve this complexity by handing AWS customers a single key that controls all their data in AWS for the SaaS provider.
Streamlined encryption and key management
With the new offering, Baffle is extending support for encryption of multi-tenant data in AWS’ RDS and Aurora and integrating its homegrown key management capabilities with AWS SSE.
“Most SaaS providers don’t provide multi-tenant data protection and choose to rely on data at rest encryption for all of their customers’ data,” Ho explained. “They have avoided this highly effective security control because of the overhead of implementing the code changes to encrypt data for each of their customers separately and the complexity of managing keys for each customer. Despite their names, AWS and other CSPs only provide key storage and leave the management and lifecycle of the encryption keys to the application.”
Baffle essentially offers SaaS providers a drop-in solution for multi-tenant encryption that handles customer data in databases, and now S3, without any code changes to their applications, Ho added. The new offering, Baffle claims, will reduce the cost of implementing and managing multi-tenant security, decrease data security risks, and increase SaaS providers’ customization and scaling abilities.
More by Shweta Sharma: