Application Data Protection
Application Data Protection, a component of the CipherTrust Manager platform, provides centralized configuration and policy management to streamline data security for your applications. It offers a unified display (a "single pane of glass") from which administrators manage and monitor data protection across multiple applications. Application Data Protection integrates with and builds on core CipherTrust Manager functionality, including key management, user roles and group administration, domain management, clustering, and certificate handling.
Central Management: This concept allows administrators to define applications to be protected, generate registration tokens, register clients, and centrally manage configurations and policies. It promotes consistent policy enforcement and simplifies oversight across multiple application instances.
Single Pane of Glass: This concept refers to a consolidated dashboard view that displays the current status of all protected applications or databases. It highlights the health of each application—categorized as healthy, warning, or revoked—enabling quick issue identification and resolution.
How Application Data Protection Works
The following diagram illustrates the basic flow of the Application Data Protection process:
The Application Data Protection Administrator defines the application and its associated data protection requirements in CipherTrust Manager.
A registration token is generated for the application.
The token is provided to the DevOps team, who includes it in the deployment configuration (for example, the orchestrator or CI/CD pipeline). Treat the token as a credential: keep it in the orchestrator's or pipeline's secret store rather than in plain-text variables or committed configuration files, because anyone holding it can register a client against the application.
During deployment, the client registers with CipherTrust Manager using the token.
The client fetches and applies the centralized configurations and policies assigned to the application.
Any future updates to the configuration are automatically fetched by the client, triggered via the heartbeat mechanism.
Refer to your client documentation for the end-to-end registration and deployment flow.
Core Concepts
Central Management
Central management is a foundational concept of Application Data Protection that enables administrators to manage encryption configurations and policies from a single, centralized location—within the Application Data Protection tile on CipherTrust Manager. This centralized approach reduces operational complexity, ensures consistency, and minimizes manual intervention across environments with multiple protected applications or services.
In this model, configurations and policies for all protected applications and databases are created and maintained by the Application Data Protection Administrator. These settings are automatically distributed to associated clients when they register or when they send a heartbeat signal indicating that they are online.
To use centralized management, each client (for example, CipherTrust RESTful Data Protection (CRDP) or Data Protection Gateway (DPG)) must register with CipherTrust Manager.
Why Central Management
Consider a scenario where 10 application instances are protected by CRDP. Previously, if the administrator needed to update the symmetric cache expiry interval, they would have had to manually edit the configuration file on each node - a time-consuming and error-prone process.
With central management, this task becomes seamless. The administrator makes the update once in the centralized configuration, and upon saving, all registered clients fetch the change automatically through the heartbeat mechanism. This ensures uniform policy enforcement and saves considerable operational effort.
This centralized approach is visualized and monitored through a unified dashboard view—the Single Pane of Glass—which provides administrators with real-time visibility into the operational status of all centrally managed applications and clients.
Single Pane of Glass
The single pane of glass concept in Application Data Protection refers to the unified and centralized dashboard view within Application Data Protection on CipherTrust Manager. This view consolidates information about all defined applications and their associated clients, giving administrators clear, real-time visibility into the operational status of the entire protected application environment.
This consolidated dashboard allows the Application Data Protection administrator to monitor and manage all application protection activities from a single location—without having to switch between multiple tools or systems. This centralized visibility is essential for effective central management, as it enables administrators to quickly assess the health and status of all centrally configured applications and policies.
To learn more, see Single Pane of Glass.
Applications
An application in Application Data Protection represents a logical entity or software component (such as a service or microservice) that requires protection and policy management. Applications are centrally defined to enable consistent policy enforcement and streamlined management across multiple client instances.
It acts as a container for a group of related clients.
Defined centrally in the CipherTrust Manager.
Used to associate clients with shared configurations and policies.
Helps administrators apply consistent protection and access policies across multiple instances of the client.
Clients
A client is an instance (for example, a specific microservice running on a VM or container) that interacts with CipherTrust Manager to:
Register using a registration token provided during application setup.
Receive centrally managed configuration and policy updates.
Report its status (via heartbeats).
Enforce data protection locally based on centrally defined policies.
Clients register to receive centrally managed configurations, ensuring that all instances operate under consistent security policies without requiring individual configuration management.
Example: You may have an “Order Processing App” as your application, and three microservices (running in dev, staging, and prod) as clients under it.
Key Features
Central Configurations
Central configurations in Application Data Protection refer to the set of policies and parameters managed centrally on CipherTrust Manager and distributed to registered clients. These configurations define how applications handle cryptographic operations, access control, character sets, and masking.
Rather than maintaining local configuration files for each instance, Application Data Protection enables administrators to define these settings once and apply them consistently across all applications—supporting operational efficiency and policy consistency.
Central configurations are a core part of the Central Management model in Application Data Protection and are fetched by clients through the heartbeat mechanism.
Configuration Updates
Configuration updates refer to the settings and policy changes made on CipherTrust Manager that are pulled by registered clients based on the configured heartbeat.
These include critical parameters such as cryptographic algorithms, key configurations, access policies, and audit and log settings.
Updates are automatically fetched by all registered clients through the heartbeat mechanism, ensuring their rapid and consistent application.
This process directly supports crypto agility, allowing for swift modifications to cryptographic strategies in response to evolving security landscapes or new compliance requirements.
Furthermore, it ensures consistency and central control across all clients.
Heartbeat
The heartbeat is a periodic communication signal sent by a registered client to CipherTrust Manager.
Confirms the client is active and healthy.
Allows CipherTrust Manager to track client status (Healthy, Warning, Error).
A missing heartbeat (caused by a connectivity problem or a client failure) is shown as a warning in Application Data Protection.
Reports the versions of resources such as the policy and configuration the client is running, so that CipherTrust Manager can detect when a client is out of date and the client can fetch the changes.
Refer to Heartbeat Configuration for details on how the heartbeat mechanism works to keep clients in sync with CipherTrust Manager and how to configure it.
Heartbeat behavior may vary by client. Refer to the heartbeat section of the documentation for your client.
Protection Policies
A protection policy defines a set of rules that govern the cryptographic operations performed on user data. A protection policy includes entities such as the algorithm, key, IV, access policy, and character set.
Protection policies are centrally created and distributed through Application Data Protection, eliminating the need to configure cryptographic rules individually on each client. This centralized approach ensures consistent data protection standards across all client instances while enabling rapid policy updates when security requirements change.
Refer to Managing Protection Policies for details on protection policies and how to create and manage them for encryption, tokenization, or masking use cases.
Policy Versioning
Versioning tracks changes to the policy configuration and ensures that clients are running with the current configuration.
Every time a configuration or policy is updated, the application version is incremented.
A client that reports an outdated version in its heartbeat fetches the latest configuration as part of that heartbeat.
Refer to Protection Policy Versioning for details.
Supported Clients
Application Data Protection supports the following clients, each with its own configuration section below: Data Protection Gateway (DPG), CipherTrust RESTful Data Protection (CRDP), CDP for Teradata VantageCloud Lake, CADP for Java, and BDT.
What's Next
Now that you've been introduced to the core concepts of Application Data Protection—including central management and the single pane of glass—it's time to explore the details of configuring and managing your Application Data Protection environment on CipherTrust Manager.
The following sections provide step-by-step guidance for each key area:
Interfaces: Learn about the two main ways to interact with CipherTrust Manager—the REST API and the web-based Graphical User Interface (GUI).
Managing DPG Configurations: Describes how to centrally manage DPG configurations using Application Data Protection.
Managing CRDP Configurations: Describes how to centrally manage CRDP configurations using Application Data Protection.
Managing CDP for Teradata VantageCloud Lake Configurations: Describes how to centrally manage CDP for Teradata VantageCloud Lake configurations using Application Data Protection.
Managing CADP for Java Configurations: Describes how to centrally manage CADP for Java configurations using Application Data Protection.
Managing BDT Configurations: Describes how to centrally manage BDT configurations using Application Data Protection.
Managing User Sets: Describes how to group users into sets and apply those groups within access policies.
Managing Access Policies: Covers how to define which users or roles can access protected data and under what conditions.
Managing Protection Policies: Learn what protection policies are and how to create and manage them for encryption, tokenization, or masking use cases.
Managing Character Sets: Instructions for defining custom character sets used in tokenization or masking operations.
Managing Masking Formats: Explains the use of predefined and custom masking formats for data masking operations.
Heartbeat Configuration: Details how the heartbeat mechanism works to keep clients in sync with CipherTrust Manager and how to configure it.
Single Pane of Glass: Learn how to monitor and manage all applications and their associated clients from a centralized view.
Tasks: Describes the tasks an Application Data Protection administrator can perform.