Baffle Extends Encryption Reach to AWS Databases
2024-7-17 21:7:46


Baffle today extended its ability to secure multitenant applications running on the Amazon Web Services (AWS) cloud to include the relational databases many of them are deployed on.

Designed primarily for organizations deploying software-as-a-service (SaaS) applications in the cloud, Baffle provides encryption key management capabilities that make it possible to isolate data in a multitenant cloud computing environment.

Min-Hank Ho, vice president of product for Baffle, said that capability is crucial because in the event of a breach, it means a cyberattacker doesn’t gain access to all the data stored in a multi-tenant environment. That’s becoming an increasingly critical concern in the wake of a series of high-profile breaches involving providers of cloud platforms such as Snowflake and SaaS applications such as the platform provided to the automotive industry by CDK Global.

Previously, Baffle made it possible to manage the key used to encrypt data stored in the AWS S3 cloud storage service by integrating with AWS server-side encryption. It is now extending that capability to include the AWS Relational Database Service (RDS) and Aurora databases.

Many providers of SaaS applications and cloud services have been hesitant to provide encryption keys that would, in effect, allow organizations that use these platforms to manage how their data is secured when stored on those platforms. Many of the providers of these applications set up a multitenant environment in the first place to reduce the total cost of data management.

However, recent breaches involving these platforms are making it clear that organizations need to be able to safeguard the data stored on these platforms using encryption keys they control, said Ho.

It’s not clear to what degree organizations will be revisiting the way data is secured on these platforms, but at the height of the COVID-19 pandemic many organizations routinely added cloud platforms to their IT environments without much regard for the security implications. Cybercriminals are now targeting those data-rich platforms in ways that can have a catastrophic impact on any downstream organization that has stored data in them.

In an ideal world, cybersecurity teams should review the cybersecurity protocols the providers of these platforms have in place to ensure their data is encrypted, said Ho. That may add cost to providing a cloud service, but in comparison to the financial impact a breach can have on thousands of organizations that use those services, the cost is comparatively trivial, he noted. There are already many organizations in the financial services sector that will not use cloud services unless they are provided the keys required to manage their encrypted data, said Ho.

There may come a day when encrypting data is the standard default setting. However, in the meantime, cybersecurity teams should assume that the credentials provided to access these platforms have already been compromised. While multifactor authentication might mitigate that risk, the last line of defense for data is encryption keys that are securely stored in places where only a very small number of trusted individuals are ever granted access.

