CDW Taps Linoma for Database Encryption
February 25, 2009 Alex Woodie
When CDW needed a way to encrypt the data in its i5/OS business applications, the computer retailer turned to Linoma Software and its Crypto Complete offering. While the product provided a relatively straightforward method for automating the encryption of fields in DB2/400, the real challenge for CDW was determining which System i programs and users should have access to the decrypted data.
CDW is a longtime and satisfied user of the IBM System i midrange server. The company primarily operates as a direct sales, Internet sales, and catalog retailer of technology solutions for business, government, and education, shipping hundreds of thousands of PCs, servers, networking gear, shrink-wrapped software, and many other products from two large distribution centers in Illinois and Nevada. The privately held company had 2007 annual revenues of $8.1 billion, is ranked 34th on Forbes’ list of America’s Largest Private Companies, and employs 6,900.
CDW needed to ensure that its operations complied with the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Since the company runs a good deal of its back-office operations, including order management and warehouse management, on IBM System i (Power Systems) servers, any PCI remediation project would need to take the System i into account.
One of the most important elements of PCI compliance is encrypting sensitive data, such as customers’ credit card numbers. While IBM provides encryption APIs in the i operating system, many System i customers instead choose third-party products that use those IBM i capabilities under the covers but present a more easily understood and usable interface for managing the encryption process and the encryption keys on the i server.
This was the situation faced by Pamela Johnson, CDW’s database administrator for the System i server, who was tasked with helping CDW implement an encryption solution to protect customers’ credit card information stored on the System i server as part of the PCI compliance project.
“I was one of the people that was leaning to a complete solution, to go to an outside product,” Johnson said. “I know it was kicked around, whether we could write stuff [using the IBM APIs], but I think in the time given and the staff, that just wasn’t a feasible solution. So we immediately looked for some outside solutions to see what was available.”
CDW asked Linoma and one other third-party software vendor to demonstrate their encryption solutions. Both of the companies’ products performed similarly well, and brought similar features for managing keys and other capabilities. In the end, the decision on which product to go with was made by CDW’s management, including Barry Berndsen, the company’s System i manager.
Berndsen explains how the decision was made earlier this year. “We realized we had to better encrypt the data to become PCI compliant,” he says. “After we had the initial audit, we started looking for a product that would handle the encryption for us. As far as why we chose Crypto Complete, it fit our needs, was easy to implement based on our conditions, and finally, the price was right.”
Following management’s decision, it fell to Johnson and others to implement Crypto Complete, which Linoma introduced in September 2007.
Implementing encryption software poses unique challenges. It’s one thing to encrypt database fields at one sitting, and protect them with a key. But production databases do not sit still for very long. They are constantly serving requests to hundreds of different applications, and being updated by programs and users. Because each program request for sensitive information must be accompanied by the proper authorization and decryption key, an encryption project must take all of these other programs and the flow of sensitive data into account, and that’s where things get tricky.
Crypto Complete is Linoma’s second encryption solution (its first, Transfer Anywhere, was primarily a file transfer tool with encryption capabilities), so the company was well aware of the challenges posed by implementing encryption into existing business processes and integrating Crypto Complete with other applications.
Johnson was impressed with the flexible capabilities of Crypto Complete, especially the straightforward APIs that decrypt data within authorized programs. “The APIs are pretty much plug-in type processes, so it’s not like you have to recode your whole program, but you have to identify the points where changes need to be made,” she says. “We only had to retool those programs that decrypt the data . . . And I think there were between 350 and 375 programs that needed to be touched.”
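The pattern Johnson describes, a decrypt call that succeeds only for programs that are supposed to see the plaintext, can be sketched in working code. The Go program below is an added illustration written for this page; it is not Crypto Complete’s API and not CDW’s code, and the in-memory key store, the program/user allow list, the audit log, the program and user names, and the test card number are all assumptions. It encrypts a card-number field with AES-256-GCM, tags each stored value with a key ID so rows survive a key rotation, releases the full number only to a (program, user) pair on the allow list, offers a masked variant for programs that need only the last four digits, and computes the column width a stored ciphertext needs, since an encrypted field is wider than the plaintext it replaces and file and column sizes have to be checked before go-live.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ErrNotAuthorized is returned when a caller that is not on the allow list asks for plaintext.
var ErrNotAuthorized = errors.New("caller not authorized to decrypt this field")

// Caller identifies the program and the user profile making a decrypt request.
type Caller struct {
	Program string
	User    string
}

// FieldCrypto is a hypothetical field-encryption layer (assumption, not a real product API):
// it owns the keys, checks the caller before releasing plaintext, and records every request.
type FieldCrypto struct {
	keys    map[string][]byte // key ID -> 256-bit AES key (assumed in-memory store)
	allowed map[Caller]bool   // (program, user) pairs permitted to see the full plaintext
	Audit   []string          // one line per decrypt request, allowed or denied
}

func NewFieldCrypto(keys map[string][]byte, allowed []Caller) *FieldCrypto {
	f := &FieldCrypto{keys: keys, allowed: map[Caller]bool{}}
	for _, c := range allowed {
		f.allowed[c] = true
	}
	return f
}

func (f *FieldCrypto) aead(keyID string) (cipher.AEAD, error) {
	key, ok := f.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt produces the value stored in the database column:
// "<keyID>:" + base64(nonce || ciphertext || GCM tag). The key ID is also bound
// into the GCM tag as associated data so it cannot be swapped without detection.
func (f *FieldCrypto) Encrypt(keyID, plaintext string) (string, error) {
	g, err := f.aead(keyID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize()) // 12 random bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.Seal(nonce, nonce, []byte(plaintext), []byte(keyID))
	return keyID + ":" + base64.StdEncoding.EncodeToString(ct), nil
}

// open decrypts a stored value; any tampering or wrong key fails the GCM tag check.
func (f *FieldCrypto) open(field string) (string, error) {
	keyID, enc, ok := strings.Cut(field, ":")
	if !ok {
		return "", errors.New("malformed field")
	}
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	g, err := f.aead(keyID)
	if err != nil {
		return "", err
	}
	if len(raw) < g.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], []byte(keyID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Decrypt releases the full plaintext only to a caller on the allow list and audits either outcome.
func (f *FieldCrypto) Decrypt(c Caller, field string) (string, error) {
	if !f.allowed[c] {
		f.Audit = append(f.Audit, fmt.Sprintf("DENY  program=%s user=%s", c.Program, c.User))
		return "", ErrNotAuthorized
	}
	pt, err := f.open(field)
	if err != nil {
		return "", err
	}
	f.Audit = append(f.Audit, fmt.Sprintf("ALLOW program=%s user=%s", c.Program, c.User))
	return pt, nil
}

// DecryptMasked serves programs that only need the last four digits: it decrypts
// inside the layer but never returns the full number, so it needs no allow-list entry.
func (f *FieldCrypto) DecryptMasked(c Caller, field string) (string, error) {
	pt, err := f.open(field)
	if err != nil {
		return "", err
	}
	f.Audit = append(f.Audit, fmt.Sprintf("MASK  program=%s user=%s", c.Program, c.User))
	if len(pt) <= 4 {
		return pt, nil
	}
	return strings.Repeat("*", len(pt)-4) + pt[len(pt)-4:], nil
}

// StoredLen is the column width an n-byte plaintext needs once encrypted:
// key ID, separator, and base64 of nonce (12) + n + GCM tag (16).
// A 16-digit card number under key "k1" needs 63 characters, not 16.
func StoredLen(keyID string, n int) int {
	return len(keyID) + 1 + base64.StdEncoding.EncodedLen(12+n+16)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Only the (assumed) payment-authorization batch program may see full card numbers.
	fc := NewFieldCrypto(map[string][]byte{"k1": key}, []Caller{{"PAYAUTH", "BATCHUSR"}})

	stored, _ := fc.Encrypt("k1", "4111111111111111") // constructed test number
	fmt.Println("stored:", stored, "len:", len(stored), "column width needed:", StoredLen("k1", 16))

	pan, err := fc.Decrypt(Caller{"PAYAUTH", "BATCHUSR"}, stored)
	fmt.Println("authorized:", pan, err)
	pan, err = fc.Decrypt(Caller{"ORDINQ", "CLERK01"}, stored)
	fmt.Println("unauthorized:", pan, err)
	masked, _ := fc.DecryptMasked(Caller{"ORDINQ", "CLERK01"}, stored)
	fmt.Println("masked:", masked)
	for _, line := range fc.Audit {
		fmt.Println("audit:", line)
	}
}
```

Two practical points follow from the code. First, the authorization decision lives in the layer that holds the key, not in the 350-odd calling programs, which is what makes the “plug-in” retrofit tractable: a program that is not on the list gets a denial and an audit line, never a key. Second, the masked variant still decrypts internally, so the layer itself must be a trusted, access-controlled program, and the key store behind it is where the real protection sits.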
CDW’s implementation of Crypto Complete began in December and was finished about four months later. That took into account the training, analysis, integration, testing, and implementation work. During the implementation and testing phase, Johnson worked closely with Ron Byrd, one of Linoma’s senior engineers, who proved especially beneficial to CDW’s implementation and Johnson’s work on the project. “I did have an enormous amount of support from Ron Byrd,” Johnson says. “He was able to answer a lot of questions” of a technical nature that weren’t addressed in the manual, she says.
Byrd was especially helpful in solving a problem that CDW had concerning a limitation on the size of the external database file that stored the encrypted data. According to Johnson, Crypto Complete’s size limit would be exceeded once the system was put into production on CDW’s System i servers. It was a potential deal-breaker, but Byrd acknowledged the problem and worked quickly to get it fixed before CDW’s project deadline in early April. (The fix has since made it into the product with a subsequent update.)
Johnson had nothing but praise for Byrd, who also helped CDW ensure that Crypto Complete was compatible with its MIMIX high availability software. “Ron was great about the whole thing. If he was going to be out for several days, he would let me know,” Johnson says. “He was almost like a working partner within my own organization. . . That’s not usually what takes place when you buy a third-party product. I have to be honest and give credit where credit is due.”
In the end, Crypto Complete satisfied CDW’s PCI requirement for encryption of credit card data, and Linoma scored points with its technical service. “There’s a little bit of a learning curve, but the product is performing and doing what it’s supposed to do,” Johnson says. “All in all there were some road bumps, but not complete stops . . . I feel that in working with Linoma’s technical staff, the issues I reported were addressed in a timely manner.”
Editor’s Note: This story is largely based on a written transcript of an interview with CDW that was performed by Linoma Software and provided to IT Jungle.