Integration of AWS Redshift with CADP
This document describes how to configure and integrate CipherTrust Manager with AWS Redshift.
Amazon Redshift is a data warehouse service that forms part of the Amazon Web Services cloud platform. It is built on technology from the massively parallel processing (MPP) data warehouse company ParAccel and is designed for large-scale data sets and database migrations. Redshift differs from Amazon's other hosted database offering, Amazon RDS, in that it targets analytic workloads over big data sets held in a column-oriented store. A Redshift cluster can hold up to 16 petabytes of data, compared with the 128 tebibyte maximum of an Amazon RDS Aurora database.
Thales provides two families of methods to protect sensitive data in AWS Redshift:
Bring Your Own Encryption (BYOE)
- Data Ingest: Thales Batch Data Transformation (BDT).
- Data Access: external (remote) user-defined functions for column-level encryption and decryption using Thales CADP, and tokenization using Thales CT-VL.
Bring/Hold Your Own Key (BYOK/HYOK)
- AWS Redshift customer managed keys with Thales CipherTrust Manager CCKM BYOK and HYOK.
Note
The above methods are NOT mutually exclusive; all of them can be combined to build a defense-in-depth strategy for sensitive data in the cloud. This integration focuses on Data Access: protecting sensitive data in AWS Redshift columns by using CADP behind User Defined Functions (UDFs) that encrypt and decrypt the column values.
Architecture
The examples in this document use an AWS Redshift capability called “External Function”. A Redshift external function lets you call software that runs outside of Redshift by integrating directly with AWS Lambda functions, so the function body can be implemented in a language other than SQL. Redshift batches the rows of a query, invokes the Lambda function once per batch, and uses the values it returns as the function's results.
AWS Redshift Integration
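The SQL below is an added illustration of the Redshift side of this pattern; it is not taken from the Thales or AWS documentation. It declares one encrypt and one decrypt external function bound to Lambda functions, restricts who can execute the decrypt function, and then uses both in queries. The Lambda function names, the IAM role ARN, the user, group, schema and table names are all assumptions chosen for the example.

```sql
-- Added example. Lambda names, IAM role ARN, user/group, schema and table names
-- are assumptions; replace them with the values from your own deployment.

-- Creating Lambda-backed UDFs requires USAGE on the exfunc language; grant it
-- only to the account that owns the integration, not to every user.
GRANT USAGE ON LANGUAGE exfunc TO cadp_admin;

-- Encrypt. Declared VOLATILE because CADP ciphertext is not deterministic when
-- a random IV is used; STABLE would let Redshift reuse a result within a
-- statement for equal inputs. Use STABLE only for deterministic modes (e.g. FPE).
CREATE EXTERNAL FUNCTION cadp_encrypt(VARCHAR)
RETURNS VARCHAR
VOLATILE
LAMBDA 'cadp-redshift-encrypt'
IAM_ROLE 'arn:aws:iam::123456789012:role/redshift-cadp-lambda-role'
RETRY_TIMEOUT 20000
MAX_BATCH_ROWS 1000;

-- Decrypt. The same ciphertext always yields the same plaintext within a
-- statement, so STABLE is safe and lets the planner avoid repeated calls.
CREATE EXTERNAL FUNCTION cadp_decrypt(VARCHAR)
RETURNS VARCHAR
STABLE
LAMBDA 'cadp-redshift-decrypt'
IAM_ROLE 'arn:aws:iam::123456789012:role/redshift-cadp-lambda-role'
RETRY_TIMEOUT 20000
MAX_BATCH_ROWS 1000;

-- New UDFs are executable by PUBLIC by default. Anyone who can call
-- cadp_decrypt can read the plaintext, so take it away from PUBLIC and
-- grant it to the one group that needs it.
REVOKE EXECUTE ON FUNCTION cadp_decrypt(VARCHAR) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION cadp_decrypt(VARCHAR) TO GROUP pii_readers;

-- Data ingest: protect the column on the way into the warehouse.
INSERT INTO pii.customers (customer_id, ssn_enc)
SELECT customer_id, cadp_encrypt(ssn)
FROM staging.customers_raw;

-- Data access: only members of pii_readers can resolve the plaintext;
-- everyone else sees ciphertext in ssn_enc or gets a permission error here.
SELECT customer_id, cadp_decrypt(ssn_enc) AS ssn
FROM pii.customers
WHERE customer_id = 42;
```

Two points worth checking in your own deployment. First, the IAM role named in IAM_ROLE must be attached to the cluster and allowed to invoke exactly those two Lambda functions; it is the only credential Redshift uses to reach them. Second, Redshift sends up to MAX_BATCH_ROWS rows per Lambda invocation and expects a JSON response with a `success` flag and a `results` array of the same length (or `success: false` with an `error_msg`), so the Lambda handler should open its NAE session to CipherTrust Manager once per container and reuse it across the rows of a batch rather than per value.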

Supported Product Versions
CipherTrust Manager: CipherTrust Manager 2.11 and higher
Note
If usersets are enabled then CipherTrust Manager should be at 2.14 or above.
CADP: CADP Java 8.13 and higher
Note
CADP 8.15.0.001 was tested. Using a higher CADP version causes a class-not-found error in the AWS Lambda function.
AWS Redshift: AWS Redshift
This integration was validated with AWS Lambda functions on Java 11, CipherTrust Manager 2.14 and CADP 8.15.0.001.
Prerequisites
The steps in this integration follow the procedures in these AWS documents: https://docs.aws.amazon.com/redshift/latest/dg/udf-creating-a-lambda-sql-udf.html and https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html.
Ensure that CADP for Java is installed and configured. Refer to Deploy CADP for Java using the installer.
Ensure that the CipherTrust Manager is installed and configured. Refer to the CipherTrust Manager documentation for details.
The AWS Lambda functions communicate with CipherTrust Manager over the Network Attached Encryption (NAE) interface. Ensure that the NAE interface is configured and reachable from the VPC or network the Lambda functions run in. Refer to the CipherTrust Manager documentation for details.