Automating Database Encryption Expands Linoma’s Portfolio
September 4, 2007 Dan Burger
Everyone seems to completely comprehend the importance of data encryption. The loss of sensitive data, whether it pertains to customers, employees, or trade secrets, can put a lot of folks in a world of hurt. So why, then, are so few organizations doing it? Probably the biggest obstacle has been the difficult and time-consuming encryption implementation process. Linoma Software hopes to lower that hurdle with the introduction of its new product called Crypto Complete.
Linoma has been developing encryption tools for several years. It has products, such as Transfer Anywhere, that make use of various encryption technologies, such as the SSL and SSH that are used for transmitting files (with trading partners, for instance), as well as the AES, Open PGP, and ZIP technologies that are used in encrypting backup libraries, objects, and IFS files that are stored on tape, disk, and other devices.
Bob Luebbe, Linoma’s president, says the company’s customers have been asking for encryption on database files. “It is being driven by the PCI standards for the credit card industry, and started off as a focus on credit card numbers, but then it expanded to things like bank account numbers, social security numbers, and wages,” Luebbe says. “The pressure is on to protect the information of customers and employees.”
Crypto Complete is designed to automate the complex encryption of database files that are incorporated into applications. Every program that places data in the database file calls out APIs that encrypt information on the screen before storing it in the database.rnSome of the changes required are extensive. And when certain data–a social security number, for instance–gets entered into multiple programs, the changes need to be made in each location.
“We looked for a way to automate those program changes,” Luebbe says. “No one in the marketplace was doing that. We wanted to alleviate the time and effort part of doing encryption. It’s complex and time consuming. You have to understand how encryption works and how key management works. A lot of shops have no exposure to encryption.”
The companies that have undertaken this task dedicated the people resources to get through it, but Luebbe says the mid size and smaller companies that are mandated to encrypt credit card numbers are being overwhelmed with the learning curve and the amount of changes they have to make. Because it is such a monumental effort, they have put it off.
Crypto Complete makes use of encryption algorithms that have been built into the IBM i5/OS operating system since V5R1. “We are an IBM business partner and so we worked with them as our ideas developed,” Luebbe says. “We built the management screens and commands around the IBM APIs and just made them easier to use.”
The encryption process starts with a screen where the database to be encrypted is registered. The user gives the command to encrypt a specified field, notes the file where that field resides, and notes the encryption key that is being used. Crypto Complete will encrypt all the data in that field. It uses triggers on the files that will trap updates or additions to that file and automatically encrypt that field. No manual changes are required, and this includes the major benefit of not needing to modify application programs.
On the decryption side, complete automation would defeat the purpose of encryption. So you need to purposely code the applications that initially needed the encryption. However, instead of having 30 parameters to pass, like you might have without the automation Crypto Complete provides, you may have only six.
The amount of programming required on the decryption side will vary depending on the type of application. It could be a single program, such as an order view screen that contains sensitive information. In another case, there could be multiple screens and multiple applications to modify. The authorized programmer is in control of where the decrypted values should be shown. The more fields you are encrypting, the more changes are necessary on the decryption side.
“With our APIs, we have simplified the process,” Luebbe says. “IBM has tried to provide every potential option that any customer could want for a particular function, which gives them really complex APIs. We focused on the databases that a specific customer wants to decrypt and we know what key to use and the decrypted value.”
Another time-saver built into Crypto Complete takes into account the hassles of dealing with field sizes and lengths. To begin, numeric fields cannot store encrypted data because they only hold the numerals zero through nine. Encrypted data uses the entire hex decimal set from zero to 255 with a combination of numbers, letters, and special characters.
Normally encryption requires a certain build size. It is 16 characters in a lot of cases. That causes a problem, for instance, with Social Security numbers, which are only nine digits long. Expanding the field length to hold at least 16 bytes of encrypted data is one of those tasks that can be very time intensive.
Linoma designed Crypto Complete to encrypt numeric fields as well as small fields. It did this by allowing users to store the encrypted value in an external file. However, files stored externally remain just as manageable as if they were stored internally. This does require an extra database I/O, but Luebbee says its impact has been minimized.
“Most systems have so much horsepower that this additional database I/O will be insignificant,” he says. “If you have a machine that is already overloaded and users are already experiencing long response times, making this step certainly won’t help. But in the testing that we’ve done, and from what our beta customers have told us, there has been no noticeable impact to their response times.”
The area of key management is also important to encryption. Safeguards need to be in place to prevent key access by unauthorized personnel who can then decrypt data. Crypto Complete measures up to stringent PCI requirements in this area.
In the past, key changes required decrypting all existing data that used that key. Then that data was re-encrypted with the new key. This was not a big problem for organizations that only changed keys every couple of years. But some companies are now rotating keys as frequently as every 90 days. Others are on twice a year schedules.
With Crypto Complete, Linoma made it easy to change the key at any time and any new data will be encrypted to that new key immediately. There are provisions for keeping track of which keys are used and which records they are protecting. It is possible to re-encrypt the old data and bring everything up to the new key. It is automated, but if millions of records are in the file, it’s going to take some time.
Crypto Complete also has SQL capabilities. “We realized a lot of people are not only coding green-screen applications in RPG or COBOL, but they are also hitting their database with Java and C and Web apps,” Luebbe says. “So we developed a function in stored procedures that users can call from those other distributed languages so they can, with the proper authority, have encrypted and decrypted data. We are taking care of both the green-screen and the GUI/Web world so they can have access to data.”
For more details on Crypto Complete, see the Linoma Software Web page. The product is available as of today. Pricing, which is based on processor group, begins at $3,995 and ranges up to $14,000.