
eperi Gateway: How effective cloud data protection works

There are numerous reasons for reliable, tried-and-tested cloud encryption, be it to ensure data sovereignty or to comply with regulatory requirements.

This can be done in very different ways. This article uses a cloud data protection solution, the eperi Gateway, to explain how data is effectively protected in the cloud and what to look out for when selecting suitable data protection solutions.

What matters when choosing a comprehensive cloud data protection platform

The most effective method of protecting sensitive data in the cloud is encryption and pseudonymization. There are various solutions and approaches for this: Whether Cloud Access Security Broker (CASB) or Bring Your Own Key (BYOK), they all work reliably and protect the customer's data as well as possible.

CASB services and applications are located between the user and the cloud platform and control, monitor and log the entire data stream. In the case of BYOK, the cloud provider encrypts the data using cryptographic keys provided by its cloud customers.

Three important aspects should be considered when evaluating these approaches: data control, usability and data protection. Data control describes who has access to the keys required for encryption and therefore who can read the encrypted data. Usability refers to the extent to which the cloud applications and their functions remain fully usable with encrypted data. Data protection raises the question of whether compromises in data security and protection must be accepted in order to keep the cloud application, or individual functions of it, usable.

Now, as the person responsible for data protection, you have to think carefully about which of these three features are of particular importance. Unfortunately, it is still the case that the existing approaches and solutions on the market do not cover all requirements equally well.

Although CASB services generally offer a high data protection factor and full data control, their usability is usually not optimal, as the service has to be laboriously adapted to the various cloud applications and special functions or, in the worst case, completely prevents the use of cloud services if sensitive data is involved.

In contrast, BYOK approaches of the respective cloud providers play the “usability” and “data protection” cards very skillfully, but at the expense of data control. This is because the required cryptographic keys are provided by the user, but the cloud provider also has access to the keys. And this may have a negative impact on the issue of data control, which is then no longer the exclusive responsibility of the company as the cloud user.

Now comes the point where you might ask yourself: Is there a cloud encryption solution that performs equally well in all three disciplines? You guessed it, there is, in the form of the eperi Cloud Data Protection (CDP) solution. With this solution, you can be sure that you won't have to compromise on any of the three aspects.

This means that none of the cloud providers and data processors gain access to your keys (= optimal data control), and the cloud application is not significantly impaired by the encryption (= high usability). There are also no compromises when it comes to data protection: the eperi Gateway on which the eperi Cloud Data Protection platform is based uses an engine co-developed by the German Federal Office for Information Security (BSI), which works with standard encryption methods and algorithms and is publicly accessible, as it is freely available as open source software.

What the eperi Gateway does

The eperi Gateway performs numerous tasks as part of cloud data encryption:

  • It encrypts and pseudonymizes data before it is transferred to the cloud application.
  • It takes over the complete cryptographic key management.
  • It thus ensures consistent application of data protection guidelines on all devices and platforms.

The eperi Gateway doesn't care whether it is connecting internal or external cloud applications, databases or file storage systems. For this purpose, it supports a sophisticated template concept, which we will discuss in a moment.

The eperi Gateway ensures comprehensive data protection in two ways: through its end-to-end encryption and pseudonymization of data before it is transferred to the target or cloud application, and through internal key management. This means that only the customer has access to the private keys, which represents a significant advantage over other solutions (keyword: data control).

In addition, thanks to its transparent proxy architecture, the eperi Gateway can be integrated into any IT environment without any major adjustments, making it extremely easy to use and meaning that neither the underlying systems nor existing workflows need to be adapted. The encryption techniques and methods offered, coupled with the template concept, also ensure flexible use of encryption, particularly with regard to sensitive data that is stored and processed in cloud applications.

How the eperi Gateway works

The key feature of the eperi Gateway is its “intermediary role”. It is located outside the cloud environment whose data is to be encrypted, decoupling cloud applications from the cloud data. It also acts as a reverse, forward and API proxy, depending on the application and access scenario. At the same time, the eperi Gateway is the “guardian” of all keys required for pseudonymizing and encrypting plain text data. This allows both external and internal users to access cloud data transparently and securely at all times. In this context, transparent means that encryption in the background has no noticeable impact on users and that no installations are required on user or target systems.

How the eperi Gateway acts as a proxy

Generally speaking, a proxy server is an intermediary that handles network communication between two endpoints and is responsible for a wide range of different tasks. In the case of the eperi Gateway, for example, this includes encrypting and decrypting the data that is exchanged between the endpoints.

The eperi Gateway essentially acts as a forward and reverse proxy. In both cases, the user first contacts the eperi Gateway from their network and transfers their data to it; the gateway encrypts the data and then forwards it to the associated cloud application. This all happens in the background, and the user is unaware of it.

In the opposite direction, the eperi Gateway acts as a proxy to receive the data stream coming back from a cloud application and decrypts the encrypted data before it is forwarded to the clients in plain text.

If the eperi Gateway works as a reverse proxy, the customers provide so-called vanity URLs for accessing the application. Instead of https://www.cloud-anwendung.com, for example, the user accesses http://cloud-anwendung.firma.com (since the vanity host terminates the client connection and handles plaintext, it is in practice served over TLS as well). With the forward proxy configuration, the eperi Gateway is entered in the browser or application settings as a proxy server and is called up in the background as soon as the user wants to access the target system. Of course, the eperi Gateway can also be integrated into the existing proxy chain if there are already proxies in the company.

In addition, the eperi Gateway can be integrated into existing application architectures via various API interfaces. This is necessary, for example, if encryption and decryption are only used as an upstream or downstream process or if proprietary protocols need to be supported.

Excursus: How the eperi Gateway template concept works

Thanks to the template concept used, the eperi Gateway can be used for almost any cloud and application environment, i.e. databases, applications and file systems. Ready-made templates are available for Microsoft Office 365, Salesforce, Oracle and MS SQL databases, for example, and can be used immediately out-of-the-box or with just a few adjustments.

The templates define which fields in the target application are encrypted and exactly how. The encryption method can be selected for each defined field. For example, a target application may expect type-compliant values for a certain field, such as a field holding an e-mail address, or may require that a value lies within a certain range, such as a date of birth or a zip code. Ordinary encryption of such fields would produce an opaque value that fails the application's validation, which is why tokenization must be selected as the encryption method for such fields; for tokenization, the scheme used to generate type-compliant replacement values is explicitly defined.
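To make the per-field template logic concrete, here is an added example (not eperi code and not eperi's template format) of a minimal gateway that applies a constructed template on the outbound path and reverses it on the inbound path, as in the forward/reverse proxy flow described above. Free-text fields get ordinary encryption (an illustrative HMAC-SHA256 counter-mode stream cipher, standing in for the real engine), while e-mail and zip code fields get deterministic, type-compliant tokens backed by a token vault that never leaves the gateway; the field names, patterns and key are assumptions.

```python
import base64, hashlib, hmac, re, secrets

# Constructed demo template, modelled on the page's description (not an eperi template):
# tokenized fields carry the pattern the cloud app validates and a "shape" that maps an HMAC digest to a matching value.
TEMPLATE = {
    "notes": {"method": "encrypt"},
    "email": {"method": "tokenize", "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+",
              "shape": lambda d: f"{d[:12]}@token.invalid"},
    "zip": {"method": "tokenize", "pattern": r"\d{5}",
            "shape": lambda d: f"{int(d, 16) % 100000:05d}"},
}

def is_compliant(field, value):  # the check the cloud application would apply
    return re.fullmatch(TEMPLATE[field]["pattern"], value) is not None
class Gateway:  # holds the key and the token vault; the cloud side sees neither
    def __init__(self, key):
        self.key, self.vault = key, {}  # vault: token -> plaintext (reversible)
    def _keystream(self, nonce, n):  # HMAC-SHA256 in counter mode as the PRF
        return b"".join(hmac.new(self.key, nonce + i.to_bytes(4, "big"),
                                 hashlib.sha256).digest() for i in range(n // 32 + 1))[:n]
    def encrypt(self, value):  # illustrative stream cipher, not eperi's engine
        nonce, data = secrets.token_bytes(12), value.encode()
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        return base64.b64encode(nonce + ct).decode()  # opaque: never type-compliant
    def decrypt(self, blob):
        raw = base64.b64decode(blob)
        pt = bytes(a ^ b for a, b in zip(raw[12:], self._keystream(raw[:12], len(raw) - 12)))
        return pt.decode()
    def tokenize(self, field, value):  # deterministic, format-preserving token
        digest = hmac.new(self.key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
        token = TEMPLATE[field]["shape"](digest)
        if self.vault.setdefault(token, value) != value:
            raise ValueError(f"token collision on {field}")
        return token
    def outbound(self, record):  # client -> gateway -> cloud: protect fields
        out = {}
        for field, value in record.items():
            rule = TEMPLATE.get(field)
            if rule is None:
                out[field] = value
            elif rule["method"] == "encrypt":
                out[field] = self.encrypt(value)
            else:
                out[field] = self.tokenize(field, value)
                assert is_compliant(field, out[field]), "token not type-compliant"
        return out
    def inbound(self, record):  # cloud -> gateway -> client: restore plaintext
        restore = {"encrypt": self.decrypt, "tokenize": self.vault.__getitem__}
        return {f: restore[TEMPLATE[f]["method"]](v) if f in TEMPLATE else v for f, v in record.items()}
```

Running `is_compliant` on the output of `encrypt` shows why a plainly encrypted e-mail or zip code would be rejected by the application, while the tokens pass the same check and round-trip through `inbound`.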

The appeal of the template approach is that the templates are XML files that can also contain executable Java code, allowing you to add your own functions to the eperi Gateway; this also means a template is privileged configuration whose integrity and change history should be controlled like code. This also applies to workflow definitions. Based on BPEL (Business Process Execution Language), the templates define exactly how and where data can be stored and processed.

In addition to the templates already available and tailored to the respective applications, eperi customers and partners can also create their own templates. This is done with the help of the Application Analyzer, with which the eperi Gateway automatically recognizes the data to be encrypted in the data stream and handles it according to predefined pseudonymization methods.

Conclusion

Choosing the right cloud data protection platform is becoming increasingly important. It is therefore certainly a good idea to know how the underlying technologies work. After all, a company can only choose the right solution if it understands how and where data is encrypted. And this is precisely why you can't go wrong with the eperi Gateway, as it optimally balances all aspects of data control, usability and data protection. And it also offers other interesting approaches and benefits.