Retrofitting data protection into existing applications
A transparent data protection solution is often the only way to retrofit data protection into existing applications. Data is protected on ingress/egress to the application without requiring any application changes. As such, it is also the easiest data protection solution to implement and deploy. The implementation consists of 3 major steps:
- Designing the appropriate data protection model
- Defining the level of access that each application will have to different types of data
- Configuring the transparent data protection solution.
On the HPE Nonstop server, transparent data protection is commonly implemented through I/O intercept libraries. Multiple data protection solutions are available. In this article we look more closely into the HPE SecureData Transparent Data Protection solution and how it enables and facilitates enterprise wide data protection.
Data-centric Security refers to a type of data security where all sensitive data is protected all of the time except when used by authorized applications that have the necessary access rights to see only the plain data they are explicitly authorized to see. This level of data protection can only be achieved if data is protected at the field level (not volume or other macro level) from the moment of first time entry/creation and throughout the data lifetime.
Data-centric Security is necessary for achieving data protection in any information systems that consists of multiple processing entities collaborating while using parts or elements of the data. This is illustrated in Figure 1.
Any insular data protection systems will expose vulnerabilities as they introduce points at which the data is not protected. Data may be revealed before being channel protected (for instance, with SSL encryption) or at the other end of the connection, before it is encrypted for the next hop. Data-centric security protects the sensitive data throughout the enterprise, regardless of the underlying transport or storage mechanism.
Enterprise Data Protection Challenges
Enterprise-wide data protection invariably relies on data-centric security. Within a large enterprise the number of platforms, systems, and applications needing access to enterprise data is frequently very large. This creates two unique challenges:
- The availability of the data protection solution on ALL the enterprise platforms. This includes: HPE NonStop, z/OS, HP-UX, Solaris, AIX, various versions of Windows, Linux, various web platforms, embedded and mobile platforms, etc. A large variety of applications on those platforms have to obey the same data-access and data protection policies.
- Any data protection solution requires high-availability and high-performance access to the protection artifacts, be it encryption keys, a tokenization database or a tokenization table. Typically, encryption keys are stored in key vaults which need to be synchronized and replicated for high availability access. This significantly complicates the data protection solution for several reasons caused by the need to have all keys being stored in all key vaults used physically. This may amount to millions of keys being replicated across vaults which creates challenges such as:
- distributed state synchronization
- resource availability
- high availability
- and performance
HPE SecureData Transparent Data protection meets these challenges with the following technologies:
- Stateless key management which allows the elimination of key vaults.
- Standards based format-preserving encryption.
- Standards based stateless tokenization.
- Enterprise-wide protection format enforcement.
- State-of-the art HPE Nonstop transparent data protection using I/O Intercept.
The remainder of this articles provides an overview of these technologies in the context of the overall solution.
Stateless Key Management
HPE Stateless Key Management uses the concept of canonical user identities in conjunction with crypto district base derivation keys to remove the need for storing keys in key vaults and instead deriving keys on demand just-in-time for use by protect/reveal operations of authorized entities.
Management consoles of key servers allow creation of crypto districts which include creation of base keys for different crypto algorithms supported such as AES, FFX, TDES, IBE BB, IBE BF, etc.1 These base keys are created on an HSM utilized by the key server. The base key can only be used in an HSM associated with the key server. Once the key server receives a request to derive a key for an identity by a client, it authenticates the client and then requests the HSM to derive the client key.
The only key related state in the HPE Stateless Key Management system are the sets of base keys for the configured crypto districts. This state is manually replicated in minutes at the time key servers are first configured which allows the simple high availability key management architecture.
HPE Stateless Key Management eliminates the issues associated with statefull key management using key vaults such as distributed state synchronization, key replication resource, performance, and security issues due to the need to synchronize key stores across key vaults.
Standards Based HPE Format-Preserving Encryption and Tokenization
The use of standards based cryptography is essential. Open standards are vendor agnostic and remove risks. Non-standard and unpublished crypto has security and liability implications, e.g. organizations cannot claim safe harbor exceptions in the case of a breach.
HPE Format-Preserving Encryption is standardized as a mode of AES in NIST SP800-38G. HPE Security – Data Security contributed the framework to all modes of Format-preserving Feistel-based Encryption (FFX) – X indicates that the framework can be instantiated in different ways.
HPE’s Secure Stateless Tokenization (SST) falls under the ANSI X9.119 part 2 standard, which is still in draft status.
Enterprise-wide Policy Based Security
HPE SecureData Enterprise Policy management system enables fine-grained data-protection and controlled data-access across the enterprise. It also enables application of uniform security policies across the enterprise, application of key-management policies across the enterprise such as:
- key rollover
- key revocation
- adaptability to connectivity issues
Distributed entities in a heterogeneous environment use policy information to protect/reveal a data item without having to synchronize with each other.
All HPE SecureData clients pull the clientPolicy.xml policy information from the HPE SecureData Policy Server which is hosted on the same systems as the key server.
The clientPolicy.xml needs to be loaded by any native client before any protection/reveal operations can be performed. The policy defines:
- crypto parameters, policy, and key hard/soft refresh settings which enable a highly-available solution configured to sustain maximum equipment replacement timeframes,
- default values for parameters such as the default identity time stamp and default crypto districts
- key number tables and protection format definitions
HPE NonStop Transparent Data Protection Using I/O Intercepts
HPE SecureData Transparent Data Protection for HPE NonStop is based on XYPRO’s XYGATE Data Protection (XDP) product.
XDP was designed and engineered to integrate with HPE SecureData Enterprise on HPE NonStop. XDP integrates seamlessly with HPE SecureData and allows for simple, comprehensive data protection with minimal impact on your applications and databases.
Within HPE SecureData Transparent Data Protection, the XDP intercept seamlessly provides both HPE SecureData Payments and HPE SecureData Enterprise functionality. This deep integration includes configurability of various fine-tuning mechanisms, such as:
- Persistent and non-persistent caching which enables various HPE Nonstop standalone modes in case of failures, at cold-start, or for performance reasons;
- Entropy-source selection for use in SSL and otherwise;
- Use of payments and enterprise formats;
- Field-level authorization group mapping to different HPE SecureData crypto districts with distinct authentication/authorization rules;
- Field-level protection mapping to protection servers.
The intercept itself supports various modes of the Enscribe native hierarchical database as well as SQL databases with sensitivity to peculiarities of in place-substitution of the role of various record filed values.
Transparent data protection closes the data protection gap in cases where API level protection is not an option. It also provides the fastest and easiest data protection integration for many use cases. HPE SecureData Transparent Data Protection is unique in its ability to provide a surprising simple, complete data-centric solution for any size system or enterprise.
Dr. Branislav Meandzija is a Technology Leader at HPE Security – Data Security. Branislav joined HP/HPE in 2015 as part of the Voltage Security Inc. acquisition. At Voltage since 2008, he was the engineering manager responsible for all of SecureData from 2008 through 2011, and Core Crypto, SecureData Payments and all SecureData NonStop platform engineering efforts from 20011 to 2015. Since 2015 Branislav spearheads the technology side of different Data Security projects including the HPE SecureData Transparent Data Protection effort on NonStop.
Andrew Price is VP of Technology at XYPRO. He joined XYPRO in 2011, and has over 25 years’ experience in the mission-critical IT industry. Prior to joining XYPRO, Andrew was with ACI Worldwide for over 11 years, where he held roles in Product Management, Development and Architecture. At XYPRO, Andrew has engineering and product management responsibility for the XYGATE suite of products, ensuring that they continue to meet XYGATE users’ stringent requirements for security and compliance on the HP NonStop. He can be reached at firstname.lastname@example.org
1 AES stands for Advanced Encryption Standard; FFX stands for Format-preserving, Feistel-based Modes of AES- both AES and FFX are NIST standards; TDES stands for Triple Data Encryption Standard and is an ANSI standard; IBE stands for Identity Based Encryption, both IBE BB and BF are ISO standards