Baffle enables computation on encrypted Amazon RDS and Aurora data

Baffle is providing enterprise-grade data security for Amazon’s RDS and Aurora databases, preventing malware actors from accessing any raw data.

Baffle’s technology encrypts data in the public cloud so that databases store encrypted data with customers able to bring their own keys. It’s based on secure multiparty computation, which allows apps to process encrypted data without needing to decrypt it. It supports masking, tokenization, and encryption with role-based access control at any level in the logical database. The data can be searched, sorted, and analyzed in encrypted form, enabling support of data sensitivity compliance needs such as GDPR, HIPAA, and PCI DSS v4.

Ameesh Divatia, co-founder and CEO of Baffle, said: “This breakthrough technology enables SQL queries on data that is always encrypted in a PostgreSQL database at rest and in use, allowing data owners to implement the Shared Responsibility Model with their cloud service providers and control their data even on infrastructure that they don’t manage.”

Baffle founders
Baffle founders

According to the IEEE, secure multiparty computation is based on secret sharing, “a cryptography algorithm where a private key is divided into shares. These shares are distributed to different parties so each party possesses only part of the secret, ensuring no one has the entire secret. The secret is obtainable only through recombination of shares. However, computations can still take place on the shares. More importantly, the output of those computations is still correct, and the data is still a secret.”

Baffle’s software goes beyond temporary or Transient Data Encryption (TDE) by protecting data in PostgreSQL databases at the application tier, enabling full compliance with PCI DSS v4. 

By working with AWS’s Trusted Language Extensions for PostgreSQL, it’s possible to run SQL queries on encrypted data stored within Amazon RDS and Aurora, making them, Baffle says, the only Postgres Database As A Service (DBaaS) offerings with this functionality.

Amazon RDS and Aurora with Baffle feature:

  • Field, row, and column-level anonymization of sensitive data with no application code changes 
  • Prevention of database administrators and “superusers,” including those from the cloud service provider, from accessing private data
  • Access/authorization controls to regulated sensitive data to meet compliance requirements (including AWS cloud and database administrators)
  • Support for SQL queries on sensitive data that is in the database memory or storage in encrypted or tokenized form – a claimed industry first
  • Support for commercial-off-the-shelf (COTS) applications, such as Tableau or PowerBI, to query encrypted data from Amazon RDS or Amazon Aurora PostgreSQL databases

Baffle was founded in 2015 by CEO Ameesh Divatia and CTO Priyadarshan Kolte. Former Emulex exec Divatia was president and CEO of photonics supplier Lightwire, which was was acquired by Cisco in 2012. Ex-PMC-Sierra software guy Kolte was a Principal Scientist at Texas Multicore Technologies before joining Divatia to start Baffle. 

They have raised $36.5 million across seed, A, and B-rounds of VC funding, the most recent raising $20 million in August 2021. Investors include Celesta Venture Capital, National Grid Partners, Lytical Ventures, Nepenthe Capital, True Ventures, Greenspring Associates, Clearvision Ventures, Engineering Capital, Triphammer Venture, ServiceNow Ventures, Thomvest Ventures, and Industry Ventures.

Baffle has offices in Santa Clara and Kundalahalli, Bengaluru.