Utimaco ESKM and the Data-Centric Security Problem

Data-centric security is a general concept of software and IT architecture in which the data sit at the center of the system and take precedence over applications and the network.

The data-centric approach holds that most problems linked to the complexity of IT architecture in large organizations are caused by the central role given to applications and networks. Under this approach, these problems are solved by putting the data at the core.

Several initiatives push the data-centric model forward, including the “Data-Centric Manifesto.”

In such a model, applications are considered “ephemeral,” while data are considered the real assets of the company. Data must not depend on a specific application to be interpreted and must therefore be described in open formats.

Access to data in such a model is the responsibility of a middleman service or layer that has sole authority to grant or deny access. In other words, data always sit, more or less, in an abstract secure vault where applications may “visit” them.

In a pure data-centric architecture, data come first and sit at the top; applications and network architectures are then built on the initial data architecture.

Many large organizations are “data-driven,” meaning that they value data and create a culture of preserving and caring about the data they own. Still, they may not be data-centric.

In the banking industry, and especially among banks themselves, the data-centric model is becoming increasingly popular. Often, a non-data-centric architecture involves many applications running in different places on a network and accessing data in various locations, such as databases.

An infrastructure equipped with databases (the vast majority of infrastructures) is not per se a data-centric architecture. A data-centric architecture is instead a database-centric architecture in which the databases sit at the center of the system, are largely autonomous in terms of functionality, and do not rely on applications.

Moreover, not all data can be stored in databases; data-in-motion and data-in-use, for example, cannot.

The main reason the data-centric architecture is becoming more popular in the banking industry is that it allows greater security over the data. Security has been a fundamental problem, since data breaches are a major security risk in that industry.

The Data-Centric Security Problem

The data-centric security model, as a data-centric model focused on security, emphasizes the security of the data over the security of applications and network servers. 

In that model, one must be able to understand what sort of data the system must secure. The data must be managed and protected, and must also be constantly monitored to detect potential problems.

Two technologies are fundamental here: encryption and data masking (or tokenization).

The data-centric security model clearly relies on efficient and permanent encryption of the data, whether data-at-rest, data-in-motion, or data-in-use.

Strong encryption is therefore the only solution to the data-centric security problem. However, it raises several challenges, such as managing the encryption keys, since the data may comprise tens of millions of different records and thousands or more data encryption keys.

How Utimaco ESKM Can Help Solve the Data-Centric Security Problem

Utimaco ESKM (Enterprise Security Key Management) is a key management solution that can efficiently manage data-at-rest encryption. For instance, it is a proven solution for the encryption of cardholder data or hospital patient records.

ESKM is compatible with non-stop volume encryption, which allows continuous replication of data from one site to another. ESKM is compatible with the following client encryption systems:

  • HPE NonStop
  • HPE Smart Array Secure Encryption (Proliant)
  • HPE StoreEver Tape Library
  • HPE StoreServe 3PAR
  • HPE StoreOnce
  • HPE XP
  • HPE SimpliVity/Hyper Converged
  • HPE Helion (OpenStack Barbican)
  • HPE Nimble
  • Micro Focus Connected MX Backup/Recovery
  • Voltage Email and Big Data Encryption System

Here is a list of the data that ESKM can help encrypt in a data-centric solution:

  • Payment cardholder data (CHD)
  • Electronic health records (EHR)
  • Personally identifiable information (PII)
  • Intellectual property (IP)
  • Confidential business records
  • Service provider hosted data
  • Defense and classified information

An Example of Integration of ESKM in a Data-Centric Architecture

The following real-world use case shows how ESKM can help create a data-centric architecture.

In this example, a major healthcare IT provider needed to protect sensitive patient information, including EHR (Electronic Health Record), PHI (Protected Health Information), and PII (Personally Identifiable Information). Compliance with HIPAA (Health Insurance Portability and Accountability Act) had to be ensured.

Data were mirrored between multiple datacenters with around 10,000 servers and more than 250,000 disks per datacenter. To realize a data-centric secure architecture, the data had to be encrypted on each server, and keys had to be separated from the data. The solution was to integrate ESKM servers into the system.

As a result, remote key management separated keys from the sensitive data and allowed continuous, scalable encryption of the data (ESKM serves thousands of server clients, for example).

Utimaco ESKM can help construct a full data-centric architecture by managing encryption keys in a smart and scalable way.
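As an added illustration (not Utimaco's or ESKM's code) of the two points made above, key separation from data and key management at the scale of thousands of keys: a minimal envelope-encryption model in which a hypothetical KeyManager stands in for a remote key manager, each record gets its own data-encryption key (DEK) wrapped by a key-encryption key (KEK) held only in the key manager, and rotating the KEK re-wraps the DEKs without re-encrypting the records. The cipher is a constructed SHA-256-keystream-plus-HMAC stand-in for AES-GCM, chosen only so the example runs on Python's standard library.

```python
# Added illustration, not Utimaco/ESKM code: envelope encryption with a key-manager
# stand-in that holds the KEKs, while storage only sees per-record DEKs wrapped by a KEK.
# A SHA-256 keystream plus HMAC tag stands in for AES-GCM so only the stdlib is needed.
import hashlib, hmac, os

def _keystream_xor(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered record")
    return _keystream_xor(key, nonce, ct)

class KeyManager:
    """Remote key-manager stand-in: KEK bytes never leave this object."""
    def __init__(self):
        self._keks, self.current = {}, None
    def rotate_kek(self):
        self.current = f"kek-{len(self._keks) + 1}"
        self._keks[self.current] = os.urandom(32)
        return self.current
    def wrap(self, dek):                       # returns (kek_id, wrapped_dek)
        return self.current, seal(self._keks[self.current], dek)
    def unwrap(self, kek_id, wrapped):
        return unseal(self._keks[kek_id], wrapped)

def store_record(km, plaintext):
    dek = os.urandom(32)                       # one DEK per record
    kek_id, wrapped = km.wrap(dek)
    return {"kek_id": kek_id, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}

def read_record(km, rec):
    return unseal(km.unwrap(rec["kek_id"], rec["wrapped_dek"]), rec["ciphertext"])

def rotate_and_rewrap(km, records):
    """Roll the KEK and re-wrap every DEK; record ciphertext is left untouched."""
    new_id = km.rotate_kek()
    for rec in records:
        rec["kek_id"], rec["wrapped_dek"] = km.wrap(km.unwrap(rec["kek_id"], rec["wrapped_dek"]))
    return new_id
```

The storage tier never holds a KEK, so a copied disk yields only ciphertext and wrapped DEKs; a KEK rotation over all records touches the wrapped keys only, not the data.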


About the author

Martin Rupp is a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security relevant organizations for 20 years. Martin currently researches the application of Machine Learning and Blockchain in Cybersecurity.
