Crypto Complete vs IBM APIs
If your organization is thinking about using (or is using) IBM's Cryptographic APIs (e.g. QC3ENCDT, Qc3EncryptData) for encrypting database fields, then read on...
We believe the IBM i operating system does not offer an out-of-the-box solution for database field encryption, especially considering the requirements for integrated key management, controls and audit trails. Therefore, organizations must decide if they should attempt to build their own custom encryption solution (around IBM's APIs) or acquire a 3rd party product to meet their needs.
Your programmer's may think that building a custom encryption solution using IBM's APIs would be a "fun challenge". However, the programming time and costs can become significant. Furthermore, if a custom encryption solution is not implemented correctly, the potential liabilities can be extremely high for an organization.
Listed below are the issues and questions that need to be addressed by organizations which are considering building their own custom solution.Building a Custom Solution
If an organization is considering building their own custom encryption solution, they would first have to become very knowledgeable about any regulations and PCI requirements which govern their organization. Their development staff would also have to learn how to properly implement encryption/decryption technologies, as well as become an expert in proper key management and security/auditing requirements.
Organizations which have tried to implement their own custom encryption solution have experienced a multitude of issues and shortcomings, some of which are listed below:
- IBM’s encryption APIs have a steep learning curve and can be difficult to implement correctly with the right settings.
- Significant application changes must often be made to call the encryption APIs whenever sensitive data is added or changed.
- Database field definitions often have to be changed to accommodate the resulting encrypted data (i.e. changing field types from numeric to alpha and/or expanding field sizes).
- Sensitive data is not encrypted when entered/changed outside of the applications (i.e. using database utilities like DFU).
- Key management often does not meet the stringent PCI requirements.
- There is a lack of controls on who can create and manage keys.
- Key values are often not properly protected from unauthorized use.
- It is difficult to rotate keys without re-encrypting all existing data.
- Audit trails are typically non-existent or limited.
- In-house programmers know too much about the custom solution, increasing risk to the organization if the programmers leave the company.
- A custom solution typically does not address enterprise needs.
The significant amount of time and money that would need to be expended for the development, testing and documentation of a custom encryption solution is not practical for most organizations. A custom solution may also have liability implications if it is not implemented properly and does not meet the various regulations and PCI requirements.