Crypto Complete vs IBM APIs
If your organization is thinking about using (or is using) IBM's Cryptographic APIs (e.g. QC3ENCDT, Qc3EncryptData) for encrypting database fields, then read on...
We believe the IBM i operating system does not offer an out-of-the-box solution for database field encryption, especially considering the requirements for integrated key management, controls and audit trails. Therefore, organizations must decide if they should attempt to build their own custom encryption solution (around IBM's APIs) or acquire a 3rd party product to meet their needs.
Your programmers may think that building a custom encryption solution using IBM's APIs would be a "fun challenge". However, the programming time and costs can become significant. Furthermore, if a custom encryption solution is not implemented correctly, the potential liabilities can be extremely high for an organization. The average cost of a data breach is now over 6 million dollars!
Listed below are the issues and questions that need to be addressed by organizations which are considering building their own custom solution.
Building a Custom Solution
If an organization is considering building their own custom encryption solution, they would first have to become very knowledgeable about any regulations and PCI requirements which govern their organization. Their development staff would also have to learn how to properly implement encryption/decryption technologies, as well as become an expert in proper key management and security/auditing requirements.
Organizations which have tried to implement their own custom encryption solution have experienced a multitude of issues and shortcomings, some of which are listed below:
- IBM’s encryption APIs have a steep learning curve and can be difficult to implement correctly with the right settings.
- Significant application changes must often be made to call the encryption APIs whenever sensitive data is added or changed.
- Database field definitions often have to be changed to accommodate the resulting encrypted data (i.e. changing field types from numeric to alpha and/or expanding field sizes).
- Sensitive data is not encrypted when entered/changed outside of the applications (i.e. using database utilities like DFU).
- Key management often does not meet the stringent PCI requirements.
- There is a lack of controls on who can create and manage keys.
- Key values are often not properly protected from unauthorized use.
- It is difficult to rotate keys without re-encrypting all existing data.
- Audit trails are typically non-existent or limited.
- In-house programmers know too much about the custom solution, increasing risk to the organization if the programmers leave the company.
- A custom solution typically does not address enterprise needs.
The significant amount of time and money that would need to be expended for the development, testing and documentation of a custom encryption solution is not practical for most organizations. A custom solution may also have liability implications if it is not implemented properly and does not meet the various regulations and PCI requirements.
Building a Custom Solution - Questions
Listed below are questions that an organization needs to address if they are considering building their own encryption solution for the System i. For each question listed, we have indicated how the Crypto Complete product addresses the issue.
Data Encryption Keys
How will Data Encryption Keys be created (random, passphrase-based, manually entered)?
Crypto Complete allows an organization to specify (at the policy level) if Keys can be randomly generated, passphrase generated or manually entered. This provides flexibility and control in how keys are generated.
How will you control which users can create, change and delete Data Encryption Keys?
Crypto Complete allows an organization to specify the users (Key Officers) which are authorized to create, change and delete Data Encryption Keys. Even users with *ALLOBJ or *SECADM authority can be restricted from managing Data Encryption Keys.
How will you implement dual-control (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key)?
Crypto Complete allows an organization to specify (at the policy level) the number of password parts that must be entered to generate a Master key. Each password part can be required to be entered by a unique user id. This dual-control security feature prevents a single user from being able to reconstruct a Key on their own.
Where will the Data Encryption Keys be stored on the System i?
Crypto Complete stores Data Encryption Keys (DEKs) within Key Stores, which are created as *VLDL (Validation List) objects on the System i. The Keys stored within the Key Stores are encrypted with a Master Encryption Key and cannot be utilized without proper authority.
How will the Data Encryption Keys be protected from unauthorized use?
Crypto Complete allows an organization to secure access to the Key Stores (which hold the Data Encryption Keys) using System i object authority. If a user attempts to use a Key from an unauthorized Key Store, then that event will be logged in Crypto Complete’s audit journal.
Can the actual clear values of the Data Encryption Keys be viewed by programmers or others?
Crypto Complete allows an organization to specify (at the policy level) if the clear values of the Data Encryption Keys can be viewed/exported. By default, these Key values cannot be viewed or exported; they remain encrypted within the Key Stores.
Will the Data Encryption Keys be protected (encrypted) with Master Keys? If so, how will you control who can create and manage Master Keys?
Crypto Complete encrypts Data Encryption Keys using Master Keys. Up to 8 Master Keys can be created per environment. An organization can indicate which users (Key Officers) are authorized to create and manage Master Keys.
How will audit trails be generated when Keys are created, changed, etc?
Crypto Complete automatically creates audit log entries when Keys are created, changed and deleted. The audit log entries are stored in an IBM journal file and cannot be modified. Audit reports can be generated by user, date/time range and audit type.
How easy will it be to rotate (change) Data Encryption Keys? Will existing data have to be re-encrypted?
Crypto Complete allows an organization to rotate Data Encryption Keys at any time without having to change application source code and without having to re-encrypt existing data.
How will you recover the Data Encryption Keys in a disaster recovery situation?
Crypto Complete stores the Data Encryption Keys within Key Stores, which are validation list objects on the system. An organization should save these objects as part of their normal backups and restore them in a disaster recovery situation.
Data Encryption and Integrity
Will field sizes have to be expanded to store the encrypted values?
With Crypto Complete, in most cases an organization will not have to expand their field sizes to store the encrypted values. If the field (to encrypt) is alphanumeric and is divisible by 16 or 24, then Crypto Complete allows you to store the encrypted values within the existing field. Otherwise, Crypto Complete can store the encrypted values into a separate external file, which it will create and manage for you automatically.
Will numeric field types have to be changed to alpha types in order to store the encrypted values?
Crypto Complete can encrypt numeric fields and store the encrypted values into a separate external file, which it will create and manage for you automatically. This allows you to not have to change numeric field types to alpha.
Which programs will have to be modified to encrypt the field values?
Crypto Complete can automatically encrypt the field values when they are added or changed in the file, without requiring an organization to change existing programs. This is accomplished through the use of efficient database SQL triggers which automatically capture any inserts or updates of the field.
How will you control which users can encrypt and decrypt data?
In Crypto Complete, users can encrypt or decrypt data only if they are authorized to the Key Store objects which contain the requested Data Encryption Keys. The Key Stores can be authorized by individual user ids, group profiles and authorization lists.
How will you encrypt data that is entered through database utilities (i.e. DFU)?
The SQL trigger approach in Crypto Complete will automatically encrypt field values which are inserted or updated in the file. The triggers will capture and encrypt data that is entered through any application, database utility and outside sources (i.e. JDBC and ODBC).
How will you ensure the data is encrypted properly so it can be decrypted by authorized users?
Crypto Complete is a proven solution that is used in numerous mission-critical production environments. If the Crypto Complete documentation is followed properly by the organization, then the data can be decrypted by authorized users.
How will audit trails be generated when sensitive data is decrypted?
- When any Key Policy settings are changed
- When Key Officers are added, changed or removed
- When Master Encryption Keys (MEKs) are created
- When Key Stores are created or modified
- When Data Encryption Keys (DEKs) are created, changed, exported or deleted
- When Field Encryption Registry entries are added, changed, removed, activated or deactivated
- When any functions are denied due to improper authority
- When data is encrypted or decrypted with a Key that requires logging of those events
The audit log entries are stored in an IBM journal file and cannot be modified. Audit reports can be generated by user, date/time range and audit type.
How would your organization recover Keys in a disaster recovery situation?
Crypto Complete includes easy-to-follow detailed documentation on how to properly backup and restore Keys for disaster recovery. Documentation is also provided on how to replicate Keys to high-availability (HA) systems.
If you ever need to encrypt another field in the future, how easy will it be to implement?
Crypto Complete’s innovative Field Encryption Registry allows authorized users to quickly specify the fields to encrypt within their database files. For each field entered into the Registry, the user can specify the field name, database file name, encryption Key and algorithm, and if SQL triggers should be used to automatically encrypt the field values. Additional fields can be added to the Registry at any time in the future.
How easy will it be to create additional Keys and change Keys in the future?
Crypto Complete’s flexible Key Management solution allows authorized users to create additional Keys and change existing Key attributes as needed. New Keys can be specified for encrypting new fields or the Keys can be rotated for existing fields at any time.
Will documentation exist on how the encryption solution is implemented so other programmers can maintain the solution?
Crypto Complete includes both a comprehensive Users Guide and Programmers Guide. The Users Guide provides detailed instructions on how to utilize Crypto Complete’s Key Management and Field Registry menus and commands. This guide includes a “Getting Started” section along with helpful diagrams and a Q&A section. Each command parameter also has comprehensive on-line help text.
Crypto Complete’s Programmers Guide provides documentation on how to properly use Crypto Complete’s APIs with program examples. Source code examples are also included in the Crypto Complete library.
Linoma’s support staff can be called with any questions or issues. Also, customers can view Linoma’s on-line support forum for Crypto Complete.
If another field needs to be encrypted in the future, will documentation exist on how a programmer can properly implement the encryption (and decryption) for that field?
Crypto Complete’s Users Guide contains detailed documentation on how to set up fields for encryption in the Field Encryption Registry. The Programmers Guide includes instructions and examples of how to decrypt fields from within applications.
Will your management be confident that the solution complies with industry standards for proper key management and protection of sensitive data?
Crypto Complete was designed to offer the best possible key management and data protection for the System i. The design was reviewed by leading industry experts in this field and has passed data security audits.
Would your solution comply with sections 3.4, 3.5 and 3.6 of the PCI Data Security Standard 1.1?
Sections 3.4, 3.5 and 3.6 of the PCI Standard contain the requirements for protecting credit card information and implementing effective key management. A whitepaper is available from Linoma Software which contains the wording of these section requirements along with documentation on how Crypto Complete satisfies each requirement.
Would your encryption solution pass a PCI audit?
The Crypto Complete solution is implemented at organizations which have undergone and passed PCI audits. You are welcome to talk to Linoma’s reference accounts using Crypto Complete.
Operating System Upgrades
Would your encryption solution be compatible with future releases of the Operating System (OS)?
Linoma Software is in IBM’s Developers Program, which allows us to receive pre-releases of the OS from IBM. This allows us to test all of our products, including Crypto Complete, with these new OS releases before our customers upgrade.
If any changes are required by Linoma to make a product compatible with a new IBM OS release, the product updates will be issued to customers (who are on maintenance) before the new OS release ships.
Investment / Costs
How many hours will be required for your programmers to become knowledgeable about encryption technologies, proper key management, IBM’s APIs, etc?
How many hours would be required to change all applications needed to encrypt the field values?
How many hours would be required to test and document all the application changes?
Considering the hours needed to invest, how much will the custom encryption solution ultimately cost to build?
If the custom solution is not implemented correctly, what are the risks and potential liabilities to the organization?
Based on the extensive time and costs to implement a custom encryption solution, as well as the potentially high risks and liabilities if not implemented correctly, many organizations choose instead to purchase a proven encryption solution like "Crypto Complete".