Wednesday, October 29, 2008

Encryption: All your (data) base are NOT belong to us!

If you were growing up during the personal computer boom you may notice that the title of this post is a joke with another joke. For details on that check the Wikipedia or the flash animation.
This is just a pretext to introduce a very serious subject. You probably know that Informix IDS can encrypt column data, but you may also know that it has some disadvantages (you cannot index encrypted data, you may have to change the applications etc.). There's nothing wrong with column encryption, but as with most of the features is has advantages and disadvantages.

Another option for encryption is to encrypt the files containing the data (chunks in IDS language). This brings up several questions:

  • Performance
    If you're doing data encryption you're consuming CPU cycles
  • Ease of use
    Is it transparent to the database? And to the application?
  • Privilege users access
    Can root work around the encryption? Usually, being root is like being God...
IBM has a solution for these kind of transparent low level encryption. It's a partnership with Vormetric which resulted in a product called IBM Database Encryption Expert. It tries to solve all the questions above. It's fast and light, meaning you won't have too much performance impact, it's easy to use and configure, through an administrative console, and you can stop the root user from accessing your encrypted data files.

IBM has just released fixpack 1.1.3 of this product, which is the first version to support IDS (versions 11.10FC2 and 11.50). You can get more info about it at the product page ( http://www.ibm.com/software/data/db2imstools/database-encryption-expert/ ).
Up to now, it was certified for use with DB2, so it's probable that you find several references of the two products together. One of them which I find interesting, is a video showing it working with DB2, by Belal Tassi, a colleague from IBM Information Management:




As you can see from the product page, the fixpack Readme and the video above, it's transparent for the database, for the application and it can be setup to be safe even from root. It's also able to encrypt backups (it would be a breach of security to have your data encrypted and keep your backups without encryption). Hint: Version 11.10 introduced backup and restore filters...
The platforms supported at the moment are:
  • AIX (64-bit):
  • Linux (64-bit): Red Hat Advanced Server 4.0 Update 4
  • Solaris 9
  • Solaris 10 update 2
  • Windows

Supported file systems

  • Windows: NTFS
  • AIX: JFS, JFS2, NFS, VxFS
  • Solaris: UFS, NFS, VxFS
  • RedHat: EXT3, NFS, VxFS
This product can be a solution for some compliance requirements, specially for companies who have to comply with Payment Card Industry Data Security Standards (PCI DSS), or simply for paranoid DBAs

2 comments:

ingeh said...

The manual that describes how to configure Encryption Expert with IDS is here: http://publib.boulder.ibm.com/epubs/pdf/eetuga13.pdf.
(from Inge Halilovic, ingeh@us.ibm.com)

Clarence said...

Recently I downloaded the evaluation software for Informix dynamic server enterprise 11.5. I was expected that the excalibur text search is included but it is not included. Do you think there is available download for excalibur for evaluation?