How is Auditing & Authentication Handled?
This is one of many aspects of the Senzing API that our customers LOVE. Senzing is a library that is embedded in other things and connects to a database, with no moving parts, no network access, etc. As such, we operate as a library, and the workflow/processes that call the Senzing API are the components that control secure access.
We do not require the use of any particular auditing, authentication, or authorization framework. You use your corporate standard mechanisms to implement those capabilities around your use of Senzing, as well as for the database it connects to, and you do not have to deploy or learn a completely new stack.
Our Senzing Community assets are all open source (Apache 2.0) and built on some of the most popular industry standards. This allows you to incorporate and lock down these components much more readily than closed and proprietary capabilities.
A helpful article on Senzing Architecture is related to this topic.
Is Senzing Data Encrypted At Rest?
Yes, it can be. Encrypting Senzing's data at rest is handled by the specific data store being used.
Database encryption can have significant performance implications, so please involve your IT team and make sure they have reviewed some of our key documents:
How can I prevent my DBA from seeing data?
Senzing has the ability to do application-level encryption in addition to what your database, operating system, and hardware do on their own. This is done with zero degradation in Senzing quality, and it encrypts/decrypts all PII-related columns in the schema on the fly.
This is done via a plugin architecture.
- You use your encryption and key management standards
- You can scan/review the code to confirm that the cryptography meets your IT security mandates
- Support for deterministic and non-deterministic encryption
- Multiple keys can be used
- Non-PII data is not encrypted, so the entity graph, as stored in the DB, is easily extracted without disclosing PII
The plugin itself is a C library, but can be written in other languages.
- C interface
- C example
- CGo example (works in Linux only)
- RustC example (upcoming)
When deployed, this means that even the DBA does not see PII, and it can be added as part of your corporate strategy to reduce the risk of unintended disclosure.
Can I Anonymize Fields At Source Systems Before Submitted To Senzing?
There is an advanced Senzing feature called Selective Feature Hashing that allows data owners to one-way hash selected fields (e.g., driver's license and date of birth) before the data is submitted to Senzing for Entity Resolution.
Here are a few articles on the concept and method:
NOTE: This is an advanced feature that currently requires consultation.
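As an added illustration of hashing selected fields at the source (this is not Senzing's Selective Feature Hashing implementation or API), the sketch below normalizes and keyed-hashes a driver's license number and date of birth before a record leaves the source system. The field names, the key, the accepted date formats, and the choice of HMAC-SHA256 are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import unicodedata

# Assumption: one secret key shared by the data owners (held in your KMS).
# A keyed hash is used because low-entropy fields such as dates of birth
# can be enumerated if hashed without a secret.
SITE_KEY = b"constructed-demo-key-not-for-production"
# Assumption: illustrative field names chosen for this example.
HASHED_FIELDS = {"DRIVERS_LICENSE_NUMBER", "DATE_OF_BIRTH"}

def normalize(field, value):
    """Canonicalize a value so equal facts hash equally across sources."""
    text = unicodedata.normalize("NFKC", str(value)).strip().upper()
    if field == "DATE_OF_BIRTH":
        # Assumption: sources send YYYY-MM-DD or MM/DD/YYYY.
        m = re.fullmatch(r"(\d{4})-(\d{1,2})-(\d{1,2})", text)
        if m:
            y, mo, d = m.groups()
        else:
            m = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{4})", text)
            if not m:
                raise ValueError(f"unrecognized date format: {value!r}")
            mo, d, y = m.groups()
        return f"{int(y):04d}{int(mo):02d}{int(d):02d}"
    return re.sub(r"[^0-9A-Z]", "", text)  # drop spaces and punctuation

def hash_field(field, value, key=SITE_KEY):
    """One-way keyed hash; the field name is bound in to separate domains."""
    msg = field.encode() + b"\x00" + normalize(field, value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def anonymize(record, key=SITE_KEY):
    """Return a copy of the record with the selected fields hashed."""
    return {
        f: hash_field(f, v, key) if f in HASHED_FIELDS and v not in (None, "") else v
        for f, v in record.items()
    }

# Constructed sample records from two hypothetical source systems.
CRM = {"DATA_SOURCE": "CRM", "RECORD_ID": "1001",
       "DRIVERS_LICENSE_NUMBER": "d123-4567", "DATE_OF_BIRTH": "1980-03-07"}
DMV = {"DATA_SOURCE": "DMV", "RECORD_ID": "A-77",
       "DRIVERS_LICENSE_NUMBER": " D1234567", "DATE_OF_BIRTH": "3/7/1980"}

if __name__ == "__main__":
    for rec in (CRM, DMV):
        print(anonymize(rec))
```

Hashed fields can only match exactly, so any normalization has to happen before hashing, and every source system has to use the same key and rules.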
Top tip time!
Additionally, custom encryption plugins can be written for Senzing. This way even your DBA can't see the data. Ask us about it!