Safeguard Your Data with Shield

Learn how to manage your tenant data encryption with Reltio Shield. If you are a customer administrator whose Reltio tenant is configured on the AWS Cloud platform, this topic is for you.


Protecting sensitive customer data is increasingly important in today’s world of heightened data privacy sensitivity. Reltio Shield gives you peace of mind by providing effortless management of data encryption using a Customer Managed Key (CMK). This can greatly simplify meeting your organization’s compliance obligations.

Shield encrypts persistent data when written to Reltio platform data stores using your CMK encryption keys . Encryption is performed transparently without impacting customer experience. Simplified management tools allow you to schedule automatic periodic key rotation where all data is re-encrypted for improved security with zero downtime. You can also trigger key rotation on demand. Shield empowers you to manage the lifecycle of your encryption keys.

Note: Shield is an add-on subscription and is currently supported on the Amazon Web Services (AWS) platform.


Shield offers the following key benefits:

  • Empowers you to generate your own AES 256-bit encryption keys to safeguard your data. You can generate new keys (Customer Managed Key - CMK) in accordance with your organization defined security policies and practices.
  • Helps your organization comply with common compliance and data privacy standards such as PCI DSS, HIPAA/Hitech, and GDPR.
  • Encrypts data transparently without affecting existing applications or users with negligible performance degradation.
  • Allows new keys to be generated on demand or automatically on a schedule with background re-encryption of data. New keys are automatically distributed via secure automated processes, with no service downtime and without involvement or handling by Reltio staff.
  • Captures all activities performed on Shield in audit logs, such as when keys are created, when keys are rotated, and when changes to key rotation schedules are made. This improves time to detect and time to resolve security issues.
  • Protects data access via fine grained access controls, supporting policies such as full access, administrative access, and blocked. This can prevent root users on hosts from seeing the data in clear text while still allowing them to perform their administrative functions.


Shield provides the following functionality, which are grouped into three categories:

  • Data encryption: encrypting data as it is written to and read from data stores.
  • Key rotation: introducing a new encryption key and re-encrypting old content with the new key as a background job.
  • Operational support: tools for proactively monitoring the health of Shield.

Data Encryption

  • Encrypts data held in Reltio using AES 256. AES 256 is considered one of the top encryption algorithms available today. AES has the additional benefit of being built into many processors, resulting in high encoding and decoding performance.
  • Maintains encryption keys with version control. Previous keys are retained to ensure that old content (including from backups) can continue to be decoded.
  • Uses the most recent encryption key. Older keys are only used to decode older content. Maintaining overlapping keys during key rotation is also required as re-encrypting large volumes of data can take some time to complete.

Key Rotation

  • Key rotation refers to re-encryption of the data using the latest key. This is typically performed after a new key is created.
  • Due to the length of time it requires, key rotations are performed live without system downtime. Shield automatically selects the correct key to decrypt data and the latest key to encrypt data.
  • Key rotations can be triggered manually in response to a security incident, such as when exposure of the current encryption keys occurs.
  • Key creation and rotation can be triggered automatically according to a schedule you define, for example every 6 months. This can be used to limit the exposure of data if staff are unaware that a security key has been compromised.
  • New encryption keys can be created with a specified time-to-live. This can be used in combination with scheduled key rotations to strengthen a security policy by ensuring content is not encrypted using an expired key (which may arise due to issues with scheduled key rotations).

Operational Support

  • Detailed audit logs of Shield access are maintained. Audit logs are a critical tool when investigating a security incident. These logs help you to investigate specific incidents or look for unusual patterns of activity.
  • Monitoring and alerting track system health and performance. Such tools can be used to identify minor issues before they become major issues.

Management of encryption keys

Now that you know a bit about Shield, let’s get to the most important and exciting part - who gets to own the encryption keys? Well, you can own it or you can ask us to own it. If you want to take control of your encryption, generate your own customer-managed key (CMK) Reltio Shield and use it to manage your tenant encryption from your AWS console.

For more information, see topic Get started with Reltio Shield.

Training Video

To gain an understanding on how Shield works, please take a look at the following video: