Security Capability¶
The Security capability exposes four independent sub-capabilities for data protection.
Sub-Capabilities¶
| Sub-Capability | Purpose | Operations |
|---|---|---|
| Classification | Identify and label sensitive data | classify, tag, score_risk |
| Encryption | Encrypt/decrypt data at field level | encrypt, decrypt, rotate_keys |
| Tokenisation | Replace sensitive values with tokens | tokenise, detokenise, validate |
| Secret Management | Resolve and manage secrets | resolve_secret, rotate_secret, validate_access |
Classification Contract¶
public interface ClassificationContract extends BaseProviderContract {
ClassificationResult classify(String fieldId, Object value);
void tag(String fieldId, String classification);
RiskScore scoreRisk(String fieldId);
}
Returns: field identifier, classification label, confidence score (0.0–1.0), applicable policy references.
Encryption Contract¶
public interface EncryptionContract extends BaseProviderContract {
EncryptionResult encrypt(byte[] data, String keyReference);
byte[] decrypt(byte[] ciphertext, String keyReference);
void rotateKeys(String keyReference);
}
Supports field-level encryption with different keys per classification level.
Tokenisation Contract¶
public interface TokenisationContract extends BaseProviderContract {
String tokenise(String sensitiveValue);
String detokenise(String token);
boolean validate(String token);
}
Replaces sensitive values with tokens; persists the token-to-value mapping.
Secret Management Contract¶
public interface SecretManagementContract extends BaseProviderContract {
String resolveSecret(String secretId);
void rotateSecret(String secretId);
boolean validateAccess(String secretId, String principal);
}
Secret values are never exposed in logs, metrics, or event payloads
Pipeline Configuration¶
Safety Guarantees¶
- If any security operation fails, the affected stage is halted
- Data never proceeds downstream in an unsecured state
- All security operations are recorded as audit events through Echo within 5 seconds
Example Providers¶
| Provider | Sub-Capability |
|---|---|
| HashiCorp Vault | Secret Management, Encryption |
| AWS KMS | Encryption, Secret Management |
| Protegrity | Tokenisation, Classification |
| Azure Key Vault | Secret Management, Encryption |
| Custom ML Classifier | Classification (PII detection) |