Individual pieces of data, or, in data lakes, sets of data, are actually encrypted with unique keys. It uses an envelope encryption scheme to protect the data. Those keys are then encrypted with the master key for that segment of data. When you want to process data for analytics or ML or whatever, you add a decrypt step into your data pipeline. That decrypt step may need to call out to the customer's key management server to ask it to unwrap an encrypted key. But we also have a feature called "leased keys" that makes this much faster and more resilient to network issues. Think of it like another layer of envelope.
If the tenant is holding the keys, how vendor will get access to the data to run ML?
Individual pieces of data, or, in data lakes, sets of data, are actually encrypted with unique keys. It uses an envelope encryption scheme to protect the data. Those keys are then encrypted with the master key for that segment of data. When you want to process data for analytics or ML or whatever, you add a decrypt step into your data pipeline. That decrypt step may need to call out to the customer's key management server to ask it to unwrap an encrypted key. But we also have a feature called "leased keys" that makes this much faster and more resilient to network issues. Think of it like another layer of envelope.