Encrypt Kafka the right way
Don't settle for naive end-to-end encryption when you need app-to-app trust
App-to-app trust
Kafka applications that handle sensitive data require more than encryption to the "end". Where's the "end"? What you need to meet modern data governance expectations are guarantees that the intended applications are exclusively the apps that can participate in a message stream. Ockam moves trust to the application layer by building a mutually authenticated and encrypted communication channel between all of your Kafka apps through your Kafka brokers.
Flexible encryption options
Encryption isn't just about adding privacy; it also gives you guarantees of data integrity and trust in the authenticity of what your data consumers have received. Ockam's whole-message encryption means your data consumers can have confidence that the data they receive has not been tampered with in flight, and that an attacker has not been able to re-use access credentials to impersonate a producer.
For scenarios where you want to relax data privacy requirements, we also support field-level encryption, giving you granular control over which fields to encrypt and which consumers are permitted to read them.
No more shared secret keys
Sharing secret keys across many apps and services increases the likelihood of secret keys leaking, in addition to eroding any guarantee that only intended apps can access sensitive data. Teams then layer in additional credential management approaches, network-level controls, and various other security measures in an attempt to have a somewhat reliable assumption that only the intended app(s) were able to use the shared secret keys.
With Ockam, each Kafka app generates its own unique, cryptographically provable identity and encryption keys, and uses those keys to establish trusted secure channels directly with other authorized apps as required.
No more shipping secrets
Whether it's reading a credential or secret value from a central source, or transmitting a secret key to another app, every time a secret value is transmitted over the wire is another opportunity for it to leak. Ockam's approach to secret management means each secret key never needs to leave the place where it was generated. By removing the need to transmit secrets, the risk of an attacker intercepting a secret in transit is also removed.
Automated & regular key-rotation
Everyone hopes they never have a data breach, but to minimize the impact in case the worst happens, Ockam apps automatically and regularly rotate their encryption keys. If a secret key is ever leaked, the data at risk is reduced to the amount sent in the small window during which that secret key was active. Don't put your historical and future data at risk because rotating secret keys is difficult — it's built-in from the start.
Data authenticity & integrity
The approach to mutual authentication of every app that Ockam provides results in strong data governance guarantees around the authenticity and integrity of the messages moving through your system.
No need to run Public Key Infrastructure (PKI)
Nobody loves running their own PKI. It's complicated, you still need to work out how to securely handle your root certificate and keys, have policies around lifecycle management… a lot of extra infrastructure and orchestration.
With Ockam, each app generates keys and establishes trust directly, so there's no need to run your own PKI systems.
Any language
The Kafka add-on for Ockam can work with any language. You've the flexibility to write your producers and consumers in a mix of Java, Python, Go, Scala, you name it!
No app code changes
Just a single configuration change: update the broker host to point to the secure channel that Ockam sets up on localhost for each app. It takes a couple of seconds, and won't require you to change any of the business logic or implementation in your apps.
Self-managed deployments
Running Kafka yourself? Maybe a managed offering inside your own VPC? Ockam works wherever you need it.
Heterogeneous deployments
Ockam's agnostic to network-level and cloud-specific features. Run a mix of apps across the major cloud vendors to access specific value-add services without the complication of configuring secure cross-cloud access to a specific KMS or setting up services like Private Link or VPC Peering.
Trust your security team can depend on
Ockam's approach uses existing and well-established open source technologies and frameworks. We build trust through transparency so your CISO can be confident everything meets their requirements. The cryptographic and messaging protocols are publicly documented and the implementations are open source and available on GitHub.
We've published an independent third-party audit by the security research firm Trail of Bits, we've passed the security reviews of our major partners, and we're SOC2 compliant.
The current status of our latest audits and compliance controls is also available.
Available today
All of these features are available and production ready, today. There's no waiting to get accepted into a beta program, for a professional services team to draft a statement of work, or even to speak to our sales team (though we would still love to speak with you!). You can create an account for free and have Ockam securing your Kafka environment within minutes.