If your organization is thinking about using (or is using) IBM's Cryptographic APIs (e.g. QC3ENCDT, Qc3EncryptData) for encrypting database fields, then read on...
We believe the IBM i operating system does not offer an out-of-the-box solution for database field encryption, especially considering the requirements most organizations face for integrated key management, controls and audit trails. Therefore, organizations must decide if they should attempt to build their own custom encryption solution (around IBM's APIs) or acquire a third-party product to meet their needs.
Your programmers may think that building a custom encryption solution using IBM's APIs would be a "fun challenge." However, the programming time and costs can become significant. Furthermore, if a custom encryption solution is not implemented correctly, the potential liabilities can be extremely high for an organization.
Listed below are the issues and questions that need to be addressed by organizations which are considering building their own custom solution.
Building a Custom Solution
If an organization is considering building their own custom encryption solution, they would first have to become very knowledgeable about any regulations and PCI requirements which govern their organization. Their development staff would also have to learn how to properly implement encryption/decryption technologies, as well as become an expert in proper key management and security/auditing requirements.
Organizations which have tried to implement their own custom encryption solution have experienced a multitude of issues and shortcomings, some of which are listed below:
- IBM’s encryption APIs have a steep learning curve and can be difficult to implement correctly with the right settings.
- Significant application changes must often be made to call the encryption APIs whenever sensitive data is added or changed.
- Database field definitions often have to be changed to accommodate the resulting encrypted data (i.e., changing field types from numeric to alpha and/or expanding field sizes).
- Sensitive data is not encrypted when entered/changed outside of the applications (i.e., using database utilities like DFU).
- Key management often does not meet the stringent PCI requirements.
- There is a lack of controls on who can create and manage keys.
- Key values are often not properly protected from unauthorized use.
- It is difficult to rotate keys without re-encrypting all existing data.
- Audit trails are typically non-existent or limited.
- In-house programmers know too much about the custom solution, increasing risk to the organization if the programmers leave the company.
- A custom solution typically does not address enterprise needs.
The significant amount of time and money that would need to be expended for the development, testing and documentation of a custom encryption solution is not practical for most organizations. A custom solution may also not be worth the liability implications to the organization if it is not implemented properly and does not meet regulatorty requirements.
Strong Encryption and Key Management with Crypto Complete
Crypto Complete includes the comprehensive features needed to satisfy stringent requirements for encryption and key management. This proven solution is used in mission-critical environments to protect sensitive data on IBM i (iSeries), as well as data from distributed systems. Organizations around the world depend on Crypto Complete to help secure confidential information from both external hackers and unauthorized internal users.
Contrary to popular belief, IBM i database encryption doesn't need to be difficult or time consuming. The design of Crypto Complete allows organizations to implement encryption quickly using intuitive screens and commands, while providing a high degree of protection. Every effort has been made in Crypto Complete to minimize the application changes needed, allowing an organization to implement encryption successfully for less time and money.