Integration of AWS Redshift with CRDP
This document describes how to configure and integrate CipherTrust Manager with AWS Redshift.
Amazon Redshift is a data warehouse product that forms part of the larger cloud-computing platform Amazon Web Services. It is built on top of technology from the massively parallel processing (MPP) data warehouse company ParAccel to handle large-scale data sets and database migrations. Redshift differs from Amazon's other hosted database offering, Amazon RDS, in its ability to handle analytic workloads on big data sets stored according to a column-oriented DBMS principle. Redshift allows up to 16 petabytes of data on a cluster compared to Amazon RDS Aurora's maximum size of 128 tebibytes.
Thales provides a couple of different methods to protect sensitive data in AWS Redshift:
Bring Your Own Encryption (BYOE)
- Data Ingest - with Thales Batch Data Transformation (BDT).
- Data Access - external remote user-defined functions for column-level encryption and decryption using CipherTrust REST Data Protection (CRDP) Protect/Reveal APIs.
Bring/Hold Your Own Key (BYOK/HYOK)
- AWS Redshift Customer Managed Keys - with Thales CM CCKM BYOK and HYOK.
Note
The above methods are NOT mutually exclusive. All methods can be used to build a strong defense in depth strategy to protect sensitive data in the cloud. The focus of this integration will be on Data Access protecting sensitive data in AWS Redshift columns by using CRDP to create User Defined Functions (UDF) for encryption and decryption of sensitive data.
Architecture
The examples provided in this document use a capability of AWS Redshift called "External Function". A Redshift external function lets you incorporate functionality from software outside of Redshift by providing a direct integration with AWS Lambda Functions. A Redshift external function allows you to implement your function in languages other than SQL.
AWS Redshift Integration with Thales CRDP (AWS Lambda Functions)

Supported Product Versions
CipherTrust Manager: CipherTrust Manager 2.14 and higher
CRDP: CRDP 1.0 and higher
AWS Redshift
This integration is validated using AWS Lambda Functions and Java 11 along with CipherTrust Manager 2.14.
Prerequisites
Steps performed for this integration were provided by these AWS links: https://docs.aws.amazon.com/redshift/latest/dg/udf-creating-a-lambda-sql-udf.html and https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html.
Ensure that CRDP is installed and configured. Refer to Quick Start Guide.
Ensure that the CipherTrust Manager is installed and configured. Refer to the CipherTrust Manager documentation for details.
AWS Lambda functions communicate with the CRDP Container using REST APIs.
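The following is an added illustration, not code from Thales or AWS, of the Lambda side of this architecture: a handler that receives the batched payload Redshift sends to an external function, forwards each non-NULL value to the CRDP container's Protect or Reveal REST API, and returns the results in the shape Redshift expects. The CRDP base URL, the `/v1/protect` and `/v1/reveal` paths, the JSON field names and the policy name are assumptions for this example; check them against your CRDP deployment. The function would be registered in Redshift with `CREATE EXTERNAL FUNCTION` as described in the linked AWS documentation.

```python
# Added example (not Thales' or AWS' code): Lambda handler for a Redshift
# external function that protects/reveals a column through CRDP's REST API.
# Assumed: CRDP listens at CRDP_URL and accepts POST /v1/protect and
# /v1/reveal with {"protection_policy_name": ..., "data"/"protected_data": ...}.
import json
import os
import urllib.request

CRDP_URL = os.environ.get("CRDP_URL", "http://crdp-container:8090")  # assumed
POLICY = os.environ.get("CRDP_POLICY", "example-policy")  # assumed policy name
TIMEOUT = 5  # seconds; Redshift fails the query if the Lambda hangs


def crdp_call(op, payload):
    """POST one JSON request to the CRDP container and return the parsed reply."""
    req = urllib.request.Request(
        f"{CRDP_URL}/v1/{op}", data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
        return json.load(resp)


def handle(event, call=crdp_call):
    """Process one Redshift batch. event["arguments"] is a list of rows, each a
    list of the SQL arguments: here argument 0 is the value and argument 1 the
    operation ('protect' or 'reveal'). The reply must contain exactly one result
    per row, in order, or success=False with an error message."""
    results = []
    try:
        for value, op in event.get("arguments", []):
            if op not in ("protect", "reveal"):
                raise ValueError(f"unsupported operation {op!r}")
            if value is None:  # SQL NULL stays NULL; never send it to CRDP
                results.append(None)
                continue
            if op == "protect":
                reply = call("protect", {"protection_policy_name": POLICY, "data": value})
                results.append(reply["protected_data"])
            else:  # reveal; the Redshift user is passed for CRDP access policies (assumed field)
                reply = call("reveal", {"protection_policy_name": POLICY,
                                        "protected_data": value,
                                        "username": event.get("user", "")})
                results.append(reply["data"])
    except Exception as exc:  # any failure fails the whole batch, never partial output
        return {"success": False, "error_msg": str(exc)}
    return {"success": True, "num_records": len(results), "results": results}


def lambda_handler(event, context):
    return handle(event)
```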