EncryptRIGHT Use Cases
EncryptRIGHT®’s flexibility makes it well-suited for a wide variety of use cases from the simple to the complex, and from encryption to central key management to tokenization. Check out this sampling of uses cases that address your needs:
Key Management Use Case
EncryptRIGHT® was selected to replace an outdated system that failed an internal audit due to inadequate key management. The audit identified a glaring need to implement key management best practices such as separation of roles and duties and separate storage of keys and encrypted data.
Before EncryptRIGHT was implemented, the previous solution was utilizing an older and obsolete encryption technology. The older solution lacked the necessary encryption key management needed to achieve compliance. After consultation, testing and proof of concept, EncryptRIGHT was installed on seven IBM AIX servers, one each for primary key management, redundant key management (disaster recovery) and development and four application servers for customer support. At the start of the project, EncryptRIGHT was set up to decrypt existing archived data (1.4 billion records) using their previously used Triple DES keys and re-encrypt the clear text data using the EncryptRIGHT AES256 key size option.
The initial requirement was to use AES128; however, during testing and proof of concept, Prime Factors helped the project leader determine that using AES256 added higher level of data security and did not impact performance.
The EncryptRIGHT solution lets customer support technicians access decrypted files and data, but not the keys or data security policies. Proper user management processes were implemented to separate the data owner and key custodians; key management became the responsibility of the information security encryption team, and key management functions are now performed on a scheduled basis.
Central key management is configured to have a key value generated and archived daily. In compliance with internal security policies, keys are archived for 30 days and then deleted. EncryptRIGHT has a scheduler to manage the keys as required. All key management functions and key storage are performed on the primary server, keeping the keys and sensitive data separate.
After the archived data was converted from Triple DES to AES256, EncryptRIGHT was configured to encrypt sensitive customer records at the field level prior to transmission to an outside company. Thus third-parties’ employees can’t see the encrypted fields while they use the data to complete evaluations and surveys.
Each day, EncryptRIGHT encrypts hundreds of thousands of records ensuring sensitive customer data is secured prior to transmission. And when the company returns the data and reports, the internal support team members have the functionality to decrypt the data as needed.
Multiple use cases at a large financial institution
Like many large financial institutions, this one has many projects that require data encryption, tokenization and key management. Flexibility was a key selection criterion because project requirements range from simple to complex. EncryptRIGHT was selected because it can accommodate multiple use cases; see the five projects below that have already been implemented; many more are on the drawing board.
Here are some of the high-level requirements that EncryptRIGHT met:
- PCI data encryption and key management compliance
- Multiple-platform support
- Comprehensive – data encryption, tokenization and key management in one package
- Support for field-level, file-level and application-level encryption
- Transparent database encryption (TDE)
- An easy-to-use API for large, sophisticated requirements
- A set-up guide for small to medium sized projects that don’t require extensive technical resources
Here is a representative sampling of the projects implemented with EncryptRIGHT:
Key management: Internal auditors identified a need to significantly improve key management such as separation of roles and duties and separate storage of keys and encrypted data. Access controls have been instituted to provide the separation of duties between programmers and the IT security/encryption team. The programmers don’t know the key management process and the IT security team doesn’t know the process for using API’s.
Protecting IDs and PINs: EncryptRIGHT encrypts and decrypts sensitive data utilized in a transactional environment that moves hundreds of millions of dollars a day. EncryptRIGHT is installed on five IBM AIX servers and five Microsoft Windows 2008 servers, and protects sensitive transaction IDs and PIN numbers with field-level encryption.
Key management for SQL and TDE encryption processes: EncryptRIGHT provides external key management for existing SQL encryption processes, and generates/creates new TDE (transparent database encryption) encryption processes. Key management is always performed by EncryptRIGHT, the encryption processes for TDE are shared between EncryptRIGHT and the database.
Transparent Database Encryption (TDE) for SQL, Oracle, Sybase and DB2: Using EncryptRIGHT’s API and protocols, the development team implemented application level encryption, tokenization and key management to secure sensitive data in four databases. A dedicated SQL Server database manages the keys and tokens separate from the sensitive and secured data.
A simple project for the data backup team: The goal was to avoid the high cost and time consuming process of upgrading backup hardware, and to meet the regulatory requirement to encrypt backup media before it is shipped offsite or stored onsite. Each site has its own EncryptRIGHT Server to manage keys and policies. Using the guide-me wizard to implement file level encryption, image and data files with sensitive customer information are encrypted prior to archival. This is done on a configured and scheduled basis for recovery purposes.