Data Encryption Made Easy
Date Posted: April 01, 2008 12:00 AM
Author: John Ghrist

The need to protect enterprise data from interception and misuse, or unauthorized change, becomes more acute every day. The best way to protect data is by encrypting it so unauthorized individuals can't understand or use this information even if they manage to gain access to places where the data resides, such as databases and electronic transmissions. Attempting to build a custom encryption solution requires extensive familiarity with encoding algorithms and standards, compliance-regulation requirements, and other background expertise that may not be readily available.

Fortunately, there is a solution for the System i that can provide a fast path through the maze of requirements and specifications to provide automated encryption for System i data. This product is Linoma Software's Crypto Complete.

I've Got a Secret

Crypto Complete encrypts database fields (see Figure 1) without requiring changes to application code or database fields, and without requiring developers to implement complex APIs. It also provides a clear and organized way of administering multiple sets of encryption keys. Crypto Complete is a product designed to help enterprises implement encryption rapidly without requiring expertise in this technology.

Crypto Complete can protect sensitive data such as Social Security numbers, bank-account numbers, and credit card numbers. Protecting the latter is a requirement of the Payment Card Industry Data Security Standard (PCI DSS), which applies to enterprises that store, process, or transmit credit card data.

Crypto Complete offers strong encryption with key lengths up to 256 bits and supports the Advanced Encryption Standard (AES) and Triple Data Encryption Standard (TDES) algorithms. The product can encrypt both alphanumeric and numeric database fields, encrypt small database fields without requiring field expansion, and enable periodic rotation of encryption keys without the need to re-encrypt existing data. In addition, it provides audit trails for encryption-key management and encryption activity.

Key Management

Crypto Complete includes a Key Management Facility that allows authorized users to create and manage key stores and symmetric keys for encrypting data. The product protects the symmetric keys with master keys, which authorized users can regenerate only by entering the exact combination of passphrases. An enterprise can have up to eight master keys per environment on the System i, for example a different master key for each company division.

Crypto Complete's Key Management Facility enables enterprises to control and track key activity on the system. Key features in Crypto Complete include the ability to establish policy settings on how authorized users can create and use symmetric keys (i.e., keys that can be used to both encrypt and decrypt data), indicate which users can create and manage keys, organize symmetric keys into one or more key stores, restrict user access to certain key stores, and restrict retrieval of symmetric key values. Enterprises can also create separation of duties within Crypto Complete, for example by preventing the creator of a key from using that key to encrypt or decrypt data.

Crypto Complete lets enterprises designate a special set of users, called Key Officers, who can create and manage master keys, symmetric keys, key stores, and field encryption registries. Enterprises can divide key management duties among multiple Key Officers. For example, one Key Officer may have the rights to create only master keys, while another Key Officer has the rights to create only key stores and symmetric keys.

Automated Field Encryption

Crypto Complete implements database field encryption via the Field Encryption Registry. The Registry allows authorized users to designate which database fields to encrypt within their files. For each field, the user can designate which keys and encryption algorithms to use, along with other details. Authorized users can also designate specific fields whose values Crypto Complete automatically encrypts when database records are added or when applications change the field values. For additional security, Crypto Complete enables key rotation for fields at any time without requiring re-encryption of protected data.
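The two mechanisms described above, master keys that protect the symmetric keys (Key Management) and key rotation that never forces existing rows to be re-encrypted (Automated Field Encryption), rest on one well-known design: each stored value carries the version of the key that encrypted it, and every key version stays wrapped under the master key for as long as data depends on it. The Go program below is an added example that demonstrates that design; it is not Crypto Complete's code, nor Linoma's API, and it says nothing about how the product actually lays out its ciphertext. It assumes the master key is handed in as raw bytes (deriving it from Key Officer passphrases is outside the example), uses AES-GCM both to wrap data keys and to encrypt field values, and writes a 4-byte key version in front of each value. The names KeyStore, Rotate, EncryptField and DecryptField are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// KeyStore models the hierarchy the article describes: a master key wraps
// versioned symmetric data keys, and every stored value records its key version.
type KeyStore struct {
	master  cipher.AEAD       // AES-GCM keyed with the master key
	wrapped map[uint32][]byte // key version -> data key sealed under the master key
	current uint32            // version used for new encryptions; 0 = none yet
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal writes ver || nonce || ciphertext+tag, with ver authenticated as associated data.
func seal(aead cipher.AEAD, plain []byte, ver uint32) ([]byte, error) {
	hdr := binary.BigEndian.AppendUint32(nil, ver)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(append(hdr, nonce...), nonce, plain, hdr), nil
}

// open parses the layout written by seal, returning key version and plaintext.
func open(aead cipher.AEAD, blob []byte) (uint32, []byte, error) {
	n := 4 + aead.NonceSize()
	if len(blob) < n {
		return 0, nil, errors.New("stored value too short")
	}
	plain, err := aead.Open(nil, blob[4:n], blob[n:], blob[:4])
	return binary.BigEndian.Uint32(blob[:4]), plain, err
}

// NewKeyStore takes a 16-, 24- or 32-byte master key; deriving it from the Key
// Officers' passphrases is outside this example.
func NewKeyStore(masterKey []byte) (*KeyStore, error) {
	aead, err := aeadFor(masterKey)
	if err != nil {
		return nil, err
	}
	return &KeyStore{master: aead, wrapped: map[uint32][]byte{}}, nil
}

// Rotate generates a fresh 256-bit data key, wraps it under the master key and
// makes it current; older versions stay usable, so existing rows are untouched.
func (ks *KeyStore) Rotate() (uint32, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return 0, err
	}
	w, err := seal(ks.master, dataKey, ks.current+1)
	if err == nil {
		ks.current++
		ks.wrapped[ks.current] = w
	}
	return ks.current, err
}

// dataKey unwraps one key version with the master key.
func (ks *KeyStore) dataKey(ver uint32) (cipher.AEAD, error) {
	w, ok := ks.wrapped[ver]
	if !ok {
		return nil, errors.New("unknown key version")
	}
	_, raw, err := open(ks.master, w)
	if err != nil {
		return nil, err
	}
	return aeadFor(raw)
}

// EncryptField encrypts one field value under the current key version.
func (ks *KeyStore) EncryptField(plain []byte) ([]byte, error) {
	aead, err := ks.dataKey(ks.current)
	if err != nil {
		return nil, err
	}
	return seal(aead, plain, ks.current)
}

// DecryptField uses the version recorded in the value, so rows written before
// a rotation still decrypt with the key that produced them.
func (ks *KeyStore) DecryptField(blob []byte) (uint32, []byte, error) {
	if len(blob) < 4 {
		return 0, nil, errors.New("stored value too short")
	}
	aead, err := ks.dataKey(binary.BigEndian.Uint32(blob[:4]))
	if err != nil {
		return 0, nil, err
	}
	return open(aead, blob)
}
```

Rotate returns the new version number; EncryptField always uses the most recent one, while DecryptField consults the version stored with the value, so a rotation neither touches existing rows nor loses access to them. The flip side is that an old key version can only be retired once no row still references it, which means re-encrypting those rows first; the version prefix is what makes such rows easy to find.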

Watching the Watchers

Crypto Complete includes multiple audit trails. For example, it tracks when Key Officers are changed, when any key policy settings are altered, when any functions are denied due to improper authority, when master keys or symmetric keys are created or changed, and when fields are set up or changed in the Registry. Managers can filter and view these audit trails by audit type, date/time range, and user ID.

Crypto Complete includes some additional features that can help simplify the management of applications and data in an encryption environment. Authorized users can configure Crypto Complete to operate within multiple System i environments, for example to support several different enterprise divisions, each with its own specific settings and keys. In addition, the product includes a defined process that organizations can use on disaster-recovery and high-availability systems to retain master keys, key stores, user settings, and Crypto Complete itself. Finally, if an organization prefers not to use the automated encryption feature in Crypto Complete, it can instead call the included product-function APIs for ILE RPG, ILE COBOL, and ILE C from its own applications to encrypt the field values.

Data protection via encryption shouldn't be put off simply because of lack of developer experience with encryption and its associated technologies and requirements. Crypto Complete offers a one-stop solution that's compliant with major standards and that enterprises can implement with a minimum of hassle.

John Ghrist is senior products editor for System iNEWS.

Solution Spotlight is a feature of System iNews that provides more in-depth coverage of significant System i products. Offerings are selected for Solution Spotlight by System iNews editorial staff, based on staff perception of the product as either new or innovative, or because the product is the subject of extensive discussions in Internet forums on SystemiNetwork.com and elsewhere.


Linoma Software

800-949-4696

cryptocomplete.com

Requirements: V5R2 or later; 50 MB of disk space for installation

