Configuration over Programming (CoP) Architecture
Overview of the Configuration over Programming (CoP) concepts
Protegrity Gateway Technology products are assembled on a layered architecture. The lower layers provide the foundational aspects of the system such as clustering and protocol stacks. The higher layers are specialized and provide various business functions. They are building blocks that tell the gateway how to act on data. These building blocks include functions such as decoders for various data formats as well as data transformations for cryptography.
The gateway architecture provides standard out-of-the-box building blocks. These building blocks can be extended by the customer at each layer as per their requirements. These requirements can be security-related or can otherwise aid the customer in processing data.
The following figure shows a view of the gateway system architecture.

The Platform Layer runs on top of customer-provided hardware or virtualization resources. It includes an operating system that has been security-hardened by Protegrity, along with an infrastructure layer above it known as the Protegrity Appliance Framework.
The Protegrity Appliance Framework is responsible for common services, such as inter-node communications mechanisms and clustering. Data communicated through the platform layer is passed onto the Data Collection Layer for further processing.
The Data Collection Layer is the glue between the higher layers of the gateway and the external world. It is responsible for ingesting data into the gateway and passing it on to the higher layers for further processing. Likewise, it is responsible for receiving data from the higher layers and outputting it to the external world. In TCP/IP architecture terms, this is the transport/application protocol layer of the gateway architecture.
Since the primary method by which the gateway interfaces with the external world is through networking, data is typically transmitted to and from the gateway using application-layer protocols such as HTTP, SFTP, and SMTP. The gateway terminates these protocol stacks. These protocols can be extended to include any custom protocol developed by a company to meet its specific requirements, using the gateway’s built-in User Defined Function (UDF) service.
Data delivered through these protocols is passed to the Data Extraction Layer for further processing.
The Data Extraction Layer is at the heart of the fine-grained data inspection capabilities of the gateway. The Data Extraction Layer is split into two logical functions:
Codecs: These are the parsers or the data encoders/decoders targeted at individual native formats, such as XML, JSON, PDF, ZIP, and Open-Office file formats such as DOCX, PPTX, and XLSX.
Extractors: These are responsible for fine-grained extraction of selected data from within the larger data sets produced by the codec components. These include mechanisms such as Regular Expressions, XPath, and JSONPath.
The subsets of data extracted by the Data Extraction Layer are passed up to the Action Layer. Here, they may be transformed for data security or acted upon for some other business logic. Transformed data subsets received from the Action Layer are substituted in their original place in the original payload. The modified payload is encoded and delivered down to the Data Collection Layer for outputting to the external world.
The building blocks in this layer can be extended to include custom requirements through UDFs. UDFs enable customers to build and extend the gateway with their own data decoding and extraction logic using the Python programming language.
Data extracted from payloads is passed to the Action Layer for further processing.
The Action Layer is responsible for operating on the data passed on to it by the Data Extraction Layer. The data extracted is processed by actions in the Action Layer.
Operating on this data may include transforming the data for security purposes. This includes all the data security capabilities provided by the core Protegrity platform, such as encryption, tokenization, unprotection, re-protection, hashing, and masking.
This layer also includes a UDF component that enables customers to extend the system with their own action transformation logic using the Python programming language.
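The decode, extract, act, substitute and re-encode flow described for the Data Extraction and Action Layers above, as an added Python example that is not Protegrity code and does not use the gateway's UDF API. It assumes a JSON codec, a dotted-path plus regular-expression extractor, and a keyed hash standing in for a protect action; the payload, key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import re

# Constructed sample payload; field names and values are made up.
SAMPLE = b'{"order": 17, "customer": {"name": "A. Example", "note": "card 4111111111111111 on file"}}'
KEY = b"demo-key-not-for-production"   # placeholder key for the stand-in action
PAN_RE = re.compile(r"\b\d{16}\b")      # extractor rule: standalone 16-digit runs


def decode(raw):
    """Codec step: parse the native format (JSON here) into a tree."""
    return json.loads(raw.decode("utf-8"))


def encode(tree):
    """Codec step in reverse: serialise the modified tree back to bytes."""
    return json.dumps(tree).encode("utf-8")


def select(tree, path):
    """Extractor step: walk a dotted path and return (parent, key), so the
    transformed value can be substituted in its original place."""
    *parents, leaf = path.split(".")
    node = tree
    for key in parents:
        node = node[key]
    if leaf not in node:
        raise KeyError(path)
    return node, leaf


def keyed_hash(match):
    """Action step (stand-in): replace the matched text with a keyed hash.
    Not reversible and not format-preserving, unlike tokenization."""
    digest = hmac.new(KEY, match.group(0).encode(), hashlib.sha256).hexdigest()
    return "h:" + digest[:16]


def process(raw, path, pattern=PAN_RE, action=keyed_hash):
    """Decode, extract the selected field, act on matches, substitute, re-encode."""
    tree = decode(raw)
    parent, key = select(tree, path)
    if isinstance(parent[key], str):    # only text fields are inspected
        parent[key] = pattern.sub(action, parent[key])
    return encode(tree)
```

Only the matched substring inside the selected field changes; the rest of the payload is re-encoded as received, and a path that does not exist raises an error rather than passing the payload through unmodified.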