Technical Architecture

Overview of the DSG technical architecture

System architecture

Protegrity Gateway Technology products are built on a layered architecture. The lower layers provide the foundational services of the system, such as clustering and protocol stacks. The higher layers are specialized and provide the business functions: they are building blocks that tell the gateway how to act on data, for example decoders for various data formats and cryptographic data transformations.

The gateway architecture provides standard out-of-the-box building blocks. Customers can extend these building blocks at each layer to meet their own requirements, whether those are security requirements or requirements that help them process data.

The following figure shows a view of the gateway system architecture.

Gateway System Architecture

Platform

The Platform Layer runs on top of customer-provided hardware or virtualization resources. It includes an operating system that has been security-hardened by Protegrity. The infrastructural layer running above it is called the Protegrity Appliance Framework.

The Protegrity Appliance Framework is responsible for common services, such as inter-node communication mechanisms and clustering. Data communicated through the Platform Layer is passed on to the Data Collection Layer for further processing.

Data collection

The Data Collection Layer is the glue between the higher layers of the gateway and the external world. It is responsible for ingesting data into the gateway and passing it on to the higher layers for further processing. Likewise, it receives data from the higher layers and outputs it to the external world. In TCP/IP terms, this is the transport and application protocol layer of the gateway architecture.

The primary way the gateway interfaces with the external world is over the network. Data is typically delivered to and from the gateway by means of application-layer protocols such as HTTP, SFTP, and SMTP. The gateway terminates these protocol stacks, which is what makes the payloads available to the higher layers for inspection. Support can be extended to any protocol that a company has created for its own requirements: custom protocols can be created using the gateway's User Defined Functions (UDFs).

Data delivered through these protocols is passed to the Data Extraction Layer for further processing.

Data extraction layer

The Data Extraction Layer is at the heart of fine-grained data inspection capabilities of the gateway. The Data Extraction layer is split into two logical functions:

  • Codecs: These are the parsers, or data encoders/decoders, targeted at the following native formats:

    • XML
    • JSON
    • PDF
    • ZIP
    • Office Open XML file formats such as DOCX, PPTX, and XLSX (these are themselves ZIP archives of XML parts, so the ZIP and XML codecs are applied in sequence).
  • Extractors: These are responsible for fine-grained extraction of selected data from the output of the codec components, using mechanisms such as Regular Expressions, XPath, and JSONPath.

The subsets of data extracted by the Data Extraction Layer are passed up to the Action Layer. There they may be transformed for data security or acted upon by some other business logic. Transformed data subsets received back from the Action Layer are substituted in their original place in the original payload. The modified payload is then re-encoded and delivered down to the Data Collection Layer for output to the external world.

The building blocks in this layer can be extended to cover custom requirements through UDFs, which enable customers to build their own data decoding and extraction logic in the Python programming language.

Data extracted from payloads is passed to the Action Layer for further processing.
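As an added example (not code from the Protegrity DSG or its UDF interface), the following Python sketch chains the codec and extractor stages described above for the ZIP and XML codecs: a constructed, minimal archive shaped like a DOCX is opened by a ZIP codec, its `word/document.xml` entry is handed to an XML codec, an XPath expression selects the text runs, a regular expression extracts 16-digit numbers from them, a placeholder masking action transforms each match, and the results are substituted in place before the XML and then the archive are re-encoded. The names `zip_codec`, `xml_codec`, `mask_pan`, `protect_docx` and the sample document are this example's own assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace: the XML inside a real .docx uses it. The
# constructed sample below only needs the <w:t> text-run element from it.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ET.register_namespace("w", W_NS)

# Extractor stage: a regular expression for a 16-digit, card-like number.
PAN_RE = re.compile(r"\b\d{16}\b")


def mask_pan(value: str) -> str:
    """Placeholder action (hypothetical): keep the last four digits, mask the rest."""
    return "X" * (len(value) - 4) + value[-4:]


def xml_codec(xml_bytes: bytes, xpath: str, action) -> bytes:
    """XML codec + XPath extractor: decode, run `action` over every regex match
    inside the text nodes selected by `xpath`, substitute in place, re-encode."""
    root = ET.fromstring(xml_bytes)
    for node in root.findall(xpath, {"w": W_NS}):
        if node.text:
            node.text = PAN_RE.sub(lambda m: action(m.group(0)), node.text)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def zip_codec(zip_bytes: bytes, inner_handler, inner_names) -> bytes:
    """ZIP codec: walk the archive, hand the selected entries to the inner codec,
    and write a new archive with every entry in its original position."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in inner_names:
                data = inner_handler(data)   # only the XML part is rewritten
            dst.writestr(info, data)
    return out.getvalue()


def protect_docx(docx_bytes: bytes) -> bytes:
    """The full chain: ZIP codec -> XML codec -> XPath -> regex -> action."""
    return zip_codec(
        docx_bytes,
        lambda xml: xml_codec(xml, ".//w:t", mask_pan),
        {"word/document.xml"},
    )


def build_sample_docx() -> bytes:
    """Constructed sample: a two-entry archive shaped like a .docx. It is not a
    real Word document, just enough structure to exercise the codec chain."""
    doc = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:t>Card 4111111111111111 on file</w:t></w:r>'
        '<w:r><w:t>Order 42</w:t></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def zip_entry(zip_bytes: bytes, name: str) -> bytes:
    """Read one entry back out of an archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(name)


def docx_texts(docx_bytes: bytes):
    """Return the <w:t> runs so the transformed document can be inspected."""
    root = ET.fromstring(zip_entry(docx_bytes, "word/document.xml"))
    return [t.text for t in root.findall(".//w:t", {"w": W_NS})]


if __name__ == "__main__":
    protected = protect_docx(build_sample_docx())
    print(docx_texts(protected))
```

Two points worth noticing: the extractor runs only over the text nodes the XPath selects, so markup and untouched entries such as `[Content_Types].xml` pass through byte-for-byte, and because the substitution happens before re-encoding, the output is a well-formed archive that a downstream consumer cannot distinguish structurally from the input.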

Action layer

The Action Layer operates on the data passed to it by the Data Extraction Layer. Each extracted data subset is acted upon by one or more actions in this layer.

Operating on this data may include transforming it for security purposes, using the following data security capabilities offered by the Protegrity core:

  • protection by means of encryption or tokenization
  • un-protection
  • re-protection
  • hashing
  • masking

This layer also includes a UDF component, which enables customers to extend the system with their own action (transformation) logic in the Python programming language.
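The following Python class is an added illustration of the five action types listed above and is not Protegrity's implementation; `ActionLayer`, its in-memory vault and its key handling are assumptions made for this example. protect and unprotect are modelled as vault-based tokenization that preserves the length and last four digits of a digit string, reprotect moves a value from one vault to another, hash is a keyed HMAC rather than a plain digest, and mask is a one-way partial reveal.

```python
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


class ActionLayer:
    """Hypothetical stand-in for the gateway's action set (not Protegrity code).

    protect/unprotect: vault tokenization, reversible only through this vault.
    reprotect:         move a value from this vault into another one.
    hash:              keyed HMAC-SHA256, deterministic but not reversible.
    mask:              one-way partial reveal.
    """

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._vault = {}      # token -> clear value (server-side secret in a real deployment)
        self._reverse = {}    # clear value -> token, so protect is stable per value

    def protect(self, value: str) -> str:
        """Return a token of the same length and last four digits as `value`."""
        if value in self._reverse:
            return self._reverse[value]
        if not value.isdigit() or len(value) <= 4:
            raise ValueError("this toy tokenizer only handles digit strings longer than 4")
        while True:
            head = "".join(secrets.choice(DIGITS) for _ in range(len(value) - 4))
            token = head + value[-4:]
            # Never hand back the clear value and never reuse an issued token.
            if token != value and token not in self._vault:
                break
        self._vault[token] = value
        self._reverse[value] = token
        return token

    def unprotect(self, token: str) -> str:
        """Recover the clear value; tokens this vault did not issue are rejected."""
        try:
            return self._vault[token]
        except KeyError:
            raise LookupError("token not issued by this vault") from None

    def reprotect(self, token: str, new_layer: "ActionLayer") -> str:
        """Re-tokenize under a different vault, e.g. after a policy change."""
        return new_layer.protect(self.unprotect(token))

    def hash(self, value: str) -> str:
        """Keyed hash. A 16-digit numeric space is small enough to enumerate,
        so an unkeyed SHA-256 of a card number would be trivially reversible."""
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def mask(value: str, keep_last: int = 4) -> str:
        """Reveal only the trailing `keep_last` characters."""
        return "*" * max(len(value) - keep_last, 0) + value[-keep_last:]


if __name__ == "__main__":
    old, new = ActionLayer(b"policy-key-1"), ActionLayer(b"policy-key-2")
    pan = "4111111111111111"
    token = old.protect(pan)
    print("protect   ", token)
    print("unprotect ", old.unprotect(token))
    print("reprotect ", new.protect(old.unprotect(token)) == old.reprotect(token, new))
    print("hash      ", old.hash(pan))
    print("mask      ", ActionLayer.mask(pan))
```

The asymmetry between the actions is the point: only protect and reprotect produce something that unprotect can reverse, and only through the vault, so the vault (or, for encryption, the key) is the asset the gateway's lower layers must guard; hash and mask give the Action Layer outputs that are safe to release precisely because nothing in the gateway can turn them back into the original.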


Configuration over Programming (CoP) Architecture

Overview of the Configuration over Programming (CoP) concepts

Dynamic Configuration over Programming (CoP)

Types of CoP.

Last modified January 21, 2025