Kafka applications that are handling sensitive data require more than encryption to the "end". Where's the "end"? What you need to meet modern data governance expectations are guarantees that the intended applications are exclusively the apps that can participate in a message stream. Ockam moves trust to the application layer by building a mutually authenticated and encrypted communication channel between all of your Kafka apps through your Kafka brokers.

Encryption isn't just about adding privacy, it also gives you guarantees of data integrity and trust in the authenticity of what your data consumers have received. Ockam's whole message encryption means your data consumers can have confidence that the data they receive has not been tampered with in-flight. Nor has an attacker been able to re-use access credentials to impersonate a producer.

For scenarios where you want to relax data privacy requirements we also support field-level encryption so that you can have specific granular controls over which fields to encrypt, and which consumers are permitted to read them.

Sharing secret keys across many apps and services increases the likelihood of secret keys leaking, in addition to eroding any guarantees that only intended apps can access sensitive data. Teams then layer in additional credential management approaches, network-level controls, and various other security approaches in an attempt to have a somewhat reliable assumption that only the intended app(s) were able to use the shared secret keys.

With Ockam, each Kafka app generates it's own unique cryptographically provable identity and encryption keys, and uses those keys to establish trusted secure channels directly with other authorized apps as required.

Whether it's reading a credential or secret value from a central source, or transmitting a secret key to another app, every time a secret value is transmitted over the wire is another opportunity for it to leak. Ockam's approach to secret management means each secret key never needs to leave the place where it was generated. By removing the need to transmit secrets the risk of an attacker intercepting a secret in transit is also removed.

Everyone hopes they never have a data breach, but to minimize the impact incase the worst happens Ockam apps automatically and regularly rotate their encryption keys. If a secret key is ever leaked the data at risk is reduced to the amount sent in the small window of that secret key was active. Don't put your historical and future data at risk because rotating secret keys is difficult — it's built-in from the start.

The approach to mutual authentication of every app that Ockam provides results in strong data governance guarantees around the authenticity and integrity of the messages moving through your system.

Nobody loves running their own PKI. It's complicated, you still need to work out how to securely handle your root certificate and keys, have policies around lifecycle management… a lot of extra infrastructure and orchestration.

With Ockam, each app generates keys and establishes trust directly there's no need to run your own PKI systems.

The Kafka add-on for Ockam can work with any language. You've the flexibility to write your producers and consumers in a mix of Java, Python, Go, Scala, you name it!

Just a single configuration change: update the broker host to point to the secure channel that Ockam sets up on localhost for each app. It takes a couple of seconds, and won't require you to change any of the business logic or implementation in your apps.

Running Kafka yourself? Maybe a managed offering inside you own VPC? Ockam works wherever you need it.

Ockam's agnostic to network-level and cloud-specific features. Run a mix of apps across the major cloud vendors to access specific value-add services without the complication of configuring secure cross-cloud access to a specific KMS or setting services like Private Link or VPC Peering.

Ockam's approach uses existing and well established open source technologies and frameworks. We build trust through transparency so your CISO can be confident everything meets their requirements. The cryptographic and messaging protocols are publicly documented and the implementations are open source and available on GitHub.

We've published an independent third-party audit by the security research firm Trail of Bits, we've passed the security reviews of our major partners, and we're SOC2 compliant.

The current status of our latest audits and compliance controls are also available.

All of these features are available and production ready, today. There's no waiting to get accepted into a beta program, for a professional services team to draft a statement of work, or to even speak to our sales team (though we would still love to speak with you!). You can create an account for free and have Ockam securing your Kafka environment within minutes.