If your organization is thinking about using (or is using) IBM's Cryptographic APIs (e.g. QC3ENCDT, Qc3EncryptData) for encrypting database fields, then read on...
We believe the IBM i operating system does not offer an out-of-the-box solution for database field encryption, especially considering the requirements for integrated key management, controls and audit trails. Therefore, organizations must decide whether to build their own custom encryption solution (around IBM's APIs) or acquire a third-party product to meet their needs.
Your programmers may think that building a custom encryption solution using IBM's APIs would be a "fun challenge". However, the programming time and costs can become significant. Furthermore, if a custom encryption solution is not implemented correctly, the potential liabilities for an organization can be extremely high.
Listed below are the issues and questions that need to be addressed by organizations which are considering building their own custom solution.
If an organization is considering building its own custom encryption solution, it would first have to become very knowledgeable about any regulations and PCI requirements which govern the organization. Its development staff would also have to learn how to properly implement encryption/decryption technologies, as well as become expert in proper key management and security/auditing requirements.
Organizations which have tried to implement their own custom encryption solution have experienced a multitude of issues and shortcomings, some of which are listed below:
The significant amount of time and money that would need to be expended for the development, testing and documentation of a custom encryption solution is not practical for most organizations. A custom solution may also have liability implications if it is not implemented properly and does not meet the various regulations and PCI requirements.