Large amounts of data are stored in databases, such as enterprise databases. Much of this data includes confidential or otherwise sensitive information. As a result, enterprises often utilize tokenization to hide the values of potentially sensitive data in their databases. This tokenization process can consist of replacing the data values in a database with token values. The token-to-data value relationship may be stored in a vault, which may be encrypted to prevent unauthorized access and ensure that only permitted users may access the real values of the tokens in the database. Alternatively, rather than storing the real data values in the token vault, the token vault may be used to extract a real data value that is embedded in a token via a decryption process.
When an authorized user wishes to access the data in the database from an application, that application has the responsibility of identifying the authorized user, and replacing the tokens with the real values. Additionally, if an authorized user wishes to add new data to the database, the application has the responsibility of tokenizing the new data prior to adding it to the database. This places additional burdens on the application and requires the application to be in communication with the token vault, as well as the database. For example, if the user enters a data value to add to the database, the application first has to tokenize the data value, then add the token-to-data values relationship to the vault, and then transmit the tokenized data value to the database.
As a result of being responsible for most of the tasks related to tokenization, the application must be heavily customized in order to integrate the particular tokenization Application Programming Interface (API) used by each database provider, and cannot be utilized with the APIs of other database providers or tokenization providers.