CipherTrust Data Protection Gateway

For many new and evolving applications, the DevOps team is often expected to protect data for web services-based applications without having access to the application and database or data store. In addition, deployment architectures, including containers and cloud-scalability solutions such as Kubernetes and Helm, demand data protection solutions that offer forward compatibility with cloud-first initiatives.

Thales’s CipherTrust Data Protection Gateway addresses these challenges by offering transparent data protection to any RESTful web service or microservice leveraging REST APIs. The Data Protection Gateway is deployed in front of the web service within the pod and operates transparently to all clients on the network. The Data Protection Gateway intercepts RESTful API calls and performs data protection operations based on policies defined centrally in CipherTrust Manager. The solution operates seamlessly with other components such as ingress services used to terminate SSL.

By moving the complexity of data protection into CipherTrust Manager, the Data Protection Gateway offers a true separation of duties in a DevSecOps world:

  • DevOps orchestrates deployment of the Data Protection Gateway
  • Sec creates protection and access policies
  • Together, DevSecOps configures each deployment of the Data Protection Gateway

The Data Protection Gateway also offers granular access controls to the data through policies defined in CipherTrust Manager, including dynamic data masking features. Access policies allow you to define, per user, how the data will be revealed:

  • Plaintext
  • Ciphertext
  • Error Replacement Value (return nothing or predefined value)
  • Masked (first 4, last 4, custom, etc.)


Thales’s Data Protection Gateway is part of the CipherTrust Data Security Platform, which combines data discovery, classification, and protection with unprecedented granular access controls and centralized key management. This simplifies data security operations, accelerates time to compliance, secures cloud migrations, and reduces risk across your business. You can rely on the Thales CipherTrust Data Security Platform to help you discover, protect, and control your organization’s sensitive data, wherever it resides.


The Data Protection Gateway is deployed as a container and is fully compatible with Kubernetes orchestration and related tooling, such as Helm, Ansible, and Terraform, as well as Kubernetes horizontal scaling. It can also be deployed as a standalone container for development and testing as well as legacy production deployments.


The Data Protection Gateway is one of several application-layer data protection offerings from Thales. CipherTrust Application Data Protection offers data protection from within applications with assistance from developers. CipherTrust Database Protection offers transparent, column-level data protection for a wide range of databases. Finally, CipherTrust Batch Data Transformation offers high-performance Static Data Masking for databases and structured files.

Protection Methods

The Data Protection Gateway (DPG) enables the data security admin to define a security policy by selecting from an ever-growing list of encryption algorithms across the AES, DES, and FPE families.

CipherTrust Data Protection Gateway Product Brief