ASE130 Privacy Please A Case Study Of The Encryption Of Data-At-Rest. Dave Ebbels Senior Systems Consultant, Sybase, Inc. debbels@sybase.com / 973-537-5721 August 7, 2003. THRS. Background. The business of Total HR Solutions.
ASE130 Privacy Please
A Case Study Of The Encryption Of Data-At-Rest
Dave Ebbels, Senior Systems Consultant, Sybase, Inc.
debbels@sybase.com / 973-537-5721
August 7, 2003

THRS Background
The business of Total HR Solutions:
• Administer Medical/Dental, Pension, and Retirement Savings plans of clients;
• Supply client call centers and customer support;
• Provide the IT infrastructure.

Environment
Total HR Solutions
Front-End
Client options:
• Web-based interface;
• Interactive Voice Response (IVR) system;
• Customer Service Representatives at the client's call center.
Back-End
• Production data is stored in Sybase ASE 12.5;
• Each client is given their own ASE database(s);
• Common structure applied to each client database;
• All data is replicated, via Sybase Replication Server, to a remote location for DR, HA, and DSS.

Situation
Total HR Solutions
Overview
In order to win the business of a major credit card company, Total HR Solutions was required to provide data-protection for the credit card company's employee data by encrypting it within the database.

Criteria For Success
Total HR Solutions
Requirements
• Provide a completely secure, encrypted environment;
• Prevent unauthorized access to employee data;
• Ensure complete confidentiality and protection from identity theft;
• Maintain an acceptable level of response time.
Solution Total HR Solutions Adaptive Server Enterprise + Secure.Data Server

Secure.Data, What Is It?
Secure.Data Server:
• Secure.Data Server performs all processing pertaining to the encryption of data;
• A middleware component, built on Sybase's OpenServer* platform;
• Removes the connection between the users and the physical data;
• Utilizes ASE's Component Integration Services (CIS) to create user-facing proxy tables;
• Implemented as a Sybase Specialty Data Store (SDS).
* SMP-enabled version of OpenServer recommended.

About CIS and SDS
Component Integration Services and Specialty Data Stores
• Distributed data access across heterogeneous data sources.
• Global catalog comprising metadata from each data source.
• Manages data that reside outside a traditional database.
• Centralized management and integration of distributed content.
CIS support for External File Systems

How Secure.Data Server Works…
ASE and Secure.Data Server
[Diagram. Labels: Client Application; ASE Engine (Proxy Table TabA, Optimizer, CIS, Ct-lib); Secure Server / PTY SDS (Cs-lib, Ct-lib, Logon, Check access, Logon OK, Access OK, Decrypting/Encrypting if access OK); TabA pty. Query text shown in the diagram:
  Select * from TabA Where name = 'Jim'
  Select * from TabA pty Where name = 'Jim'
  Select * from TabA pty Where name = '0xA432D18542E25901']

Performance Considerations
ASE and Secure.Data Server
• Only the items that require explicit protection should be encrypted.
• Encrypting primary keys can have a significant impact on performance.
• Primary keys should be non-intelligent and non-identifying (no encryption required).
• If primary key must be encrypted, avoid using as filter.
Encryption and decryption operations require careful design!

Performance Considerations (cont.)
ASE and Secure.Data Server
Effects of Indexing
• Dependency on encrypted indexes can slow processing.
• Searches may be seriously degraded by overhead of decrypting.
One Alternative:
• Create an alternate unique identifier.
• Can be stored as unencrypted text.
• Required index stored as a separate, encrypted column.
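
An added example (not from the original slides, and not Secure.Data or Sybase code) of the alternative above: it counts how many decryptions a search costs when the filter is an encrypted column versus a plaintext alternate identifier. Assumptions: SQLite stands in for ASE, the employee table with its emp_id and ssn_enc columns is hypothetical, and the SHA-256 keystream is a constructed stand-in cipher so the script runs on the standard library alone.

```python
import hashlib, os, sqlite3

KEY = b"constructed-demo-key"   # constructed; stands in for the encryption server's key
decrypt_calls = 0               # counts every decryption the lookups trigger

def _keystream(nonce, n):
    # SHA-256 in counter mode: a stand-in cipher for this demo only, not for real data
    blocks = (hashlib.sha256(KEY + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(text):
    nonce, data = os.urandom(8), text.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))

def decrypt(blob):
    global decrypt_calls
    decrypt_calls += 1
    nonce, body = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()

def sample_ssn(i):
    return f"{i * 7919:09d}"    # constructed sample values, unique per row

def build_db(rows=1000):
    # emp_id: alternate unique identifier, non-identifying, stored unencrypted and indexed
    # ssn_enc: the identifying value, kept only in a separate encrypted column
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, ssn_enc BLOB)")
    db.executemany("INSERT INTO employee VALUES (?, ?)",
                   [(i, encrypt(sample_ssn(i))) for i in range(1, rows + 1)])
    return db

def find_by_encrypted_value(db, ssn):
    # Filter on the encrypted column: every row is decrypted before it can be compared
    return [emp_id for emp_id, blob in db.execute("SELECT emp_id, ssn_enc FROM employee")
            if decrypt(blob) == ssn]

def find_by_alternate_id(db, emp_id):
    # Filter on the plaintext key: index lookup, then one decryption for the result row
    row = db.execute("SELECT ssn_enc FROM employee WHERE emp_id = ?", (emp_id,)).fetchone()
    return decrypt(row[0]) if row else None

def compare(rows=1000, target=742):
    global decrypt_calls
    db = build_db(rows)
    decrypt_calls = 0
    hits = find_by_encrypted_value(db, sample_ssn(target))
    scan_cost, decrypt_calls = decrypt_calls, 0
    ssn = find_by_alternate_id(db, target)
    return hits, scan_cost, ssn, decrypt_calls

if __name__ == "__main__":
    print(compare())
```

The first lookup decrypts every row in the table, while the second decrypts only the row it returns; the gap grows linearly with table size.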

ASE Tuning Recommendations
ASE and Secure.Data Server
CIS Tuning:
• cis rpc handling: must be turned on (i.e., set to '1');
• cis cursor rows: start with 500, then increment;
• cis bulk insert array/batch size: start with 500, then increment.

ASE Tuning Recommendations (cont.)
ASE and Secure.Data Server
Server Engines:
• max online engines: based on server capacity. Now dynamic!
• runnable process search count: the value of '0'.
Other:
• max network packet size
• i/o polling process count

THRS Success!
Total HR Solutions:
• Secured a lucrative contract with the credit card company;
• Provided a completely secure environment;
• Enhanced their solution offering for the future!

SDN Presents CodeXchange
Share ASE Scripts and Tools
• New SDN feature enables community collaboration
• Download tools created by Sybase
• Leverage contributions of others to help administer and monitor your servers
• Contribute your own code or start your own collaborative project with input from other ASE experts
• Any SDN member can participate
• Log in using your MySybase account via SDN
• Join the collaboration already underway
• http://ase.codexchange.sybase.com or via SDN at www.sybase.com/developer