CUSTOMER SPOTLIGHT

A Government Border Control Agency

Bloombase® Spitfire StoreSafe™ Storage Security Server
Bloombase® Spitfire KeyCastle™ Key Management Server

Government organization secures privacy of sensitive personal border control data of a data warehouse system using Bloombase® Spitfire StoreSafe™ storage encryption and Bloombase® Spitfire KeyCastle™ key management security solution

AT A GLANCE

ABOUT THE CUSTOMER

• Government agency controlling border entrance of people and issue of personal identification and travel documents
• Employees: More than 12,000

SUMMARY

To protect privacy of sensitive personal information of an off-the-shelf business intelligence and reporting system according to regional personal data privacy laws

KEY CHALLENGES

• No change to end user, administrator and operator workflow
• No significant degradation of system throughput and response
• Off-the-shelf data warehouse system cannot be altered
• No coding required
• No hardware, system and application change
• Deployment and data migration can be committed in phases
• Supports storage media including SCSI disks, magnetic tapes and virtual tape libraries (VTL)
• Protects cooked and uncooked/raw filesystems with a single solution

PROJECT OBJECTIVES

• Encrypts dynamic database data stored in storage area network (SAN) and backup tapes
• Protects filesystem objects, relational databases, uncooked volume and backup media
• Interoperable with existing information lifecycle management (ILM) system for automatic data persistence

SOLUTIONS AND SERVICES

• Spitfire KeyCastle™ key management server
• Spitfire StoreSafe™ enterprise storage security server

WHY BLOOMBASE SOLUTIONS

• Enabled customer to leverage existing hardware and software
• Provided comprehensive key and encrypted storage management
• Platform and application neutral
• Scalable and extensible
• Custom cipher support

IMPLEMENTATION HIGHLIGHTS

Was first organization in public sector to institute an end-to-end persistence data protection from data extraction, transform and load (ETL), data warehousing, reporting, backup and archival

KEY BENEFITS

• Immediate information privacy regulatory compliance
• Transparent deployment
• High encryption performance
• No system response degradation
• Highly available and fault-tolerant

EXISTING ENVIRONMENT

• No data encryption in place
• Physical isolation of system hardware in data center

HARDWARE

• IBM p-Series servers
• EMC Symmetrix SAN
• Brocade FC SAN switch
• IBM tape library
• HP Integrity Server

OPERATING SYSTEM

• IBM AIX 5.3
• Red Hat Enterprise Linux 4

SOFTWARE

• IBM OnDemand Content Manager
• IBM DB2 Universal Database
• IBM Tivoli Storage Manager (TSM)

Overview

A border control government organization runs an intelligence system to keep track of entrance and exit of people for collection and analysis of movement habits of travelers.

According to personal data privacy laws, such intelligence information is under strict control and is required to be secured by strong encryption for all at-rest data on storage media including hard disks, optical disks, magnetic tapes, etc.

Working under tight time constraints, the customer is required to implement effective data protection measures for the system, which has been in operation for 5 years, within 3 months' time. With stringent constraints including no change to system infrastructure and user/operator workflow as well as the requirement to maintain the same level of service (system response, availability, capacity, etc.), the end customer selected Bloombase® Spitfire StoreSafe™ enterprise storage security server to provide on-the-fly encryption of their sensitive persistence data and Bloombase® Spitfire KeyCastle™ key management server for full lifecycle management of their cryptographic keys.

An Ambitious Trial Project

The business intelligence system has been in operation for more than 5 years. Like many core business operations systems in the IT infrastructure of this customer, the system is mission-critical.
As a pilot project for data protection, the encryption solution has to prove fault-tolerant, highly available and disaster-recovery ready.

Border traveler information is submitted to the system in a timely manner around the clock and contains sensitive personal information including travelers' names, personal identification numbers such as identity card numbers, visa numbers and passport identifiers, date and time of gate-in and gate-out, etc. Such information is collected from various border control units within the whole state and temporarily stored at a staging storage area of the system. An extraction-transform-load (ETL) worker processes the staging area for incoming traveler information. The ETL worker triggers a content filter to scan for potential hazards. Viral and malicious contents are rejected and moved to a parking area for examination or disposal. Clean files are parsed, and their contents are extracted and loaded into a relational database system powered by IBM DB2 Universal Database System.

End users of the system define which reports are to be run and when via the IBM OnDemand Content Manager management console. Whenever an analysis task is executed in the system, a report file is generated and stored at an uncooked storage area managed by IBM Tivoli Storage Manager (TSM). IBM OnDemand Content Manager links the analysis task to the physical disk location(s) where the output reports are stored. On a user's retrieval of analysis results, Content Manager reads the physical EMC storage area network (SAN) disk and presents the information to users in a readable form, or as files to be exported for further analysis or reporting use.

IBM TSM manages the information lifecycle of the storage area by automatically offloading outdated or less frequently accessed reports to tape libraries for archival, freeing up fast disk storage space for new and frequently accessed reports. On the other hand, if a user retrieves a report that OnDemand finds archived, TSM is triggered to restore the report contents from backup tapes back to SAN disk for the user's retrieval.

"Bloombase Spitfire™ enterprise security solution brings you key management, file protection, database protection, raw disk encryption and backup encryption in a single solution at low total cost of ownership (TCO)"

Thanks to IBM OnDemand Content Manager, DB2 UDB and TSM, the intelligence system works seamlessly and at the best performance one could get from an IBM Power platform fueled with EMC Symmetrix SAN. However, when it comes to data protection, the customer faces their first challenge. The application is built on off-the-shelf products that cannot be altered; therefore, there is no way to introduce data cryptographic processing at the application level.

The customer hit their second challenge when they stepped backward and considered database encryption. Apart from the difficulty of deploying database encryption and the vast number of database objects that would need encryption configured, database encryption products cannot solve data privacy problems on the incoming sensitive staging storage and the report repository.

To the customer's biggest frustration, their proof-of-concept tests on filesystem encryption products did not work out either. Filesystem encryption works fine with incoming data staging storage, database files and log files; however, it failed to work with the report repository, where the filesystem is uncooked, in other words, raw or no filesystem.

The customer preferred not to have extra software installed on their AIX application servers due to their server capacity and audit requirements. The average processing time for report generation has to be kept within 30 seconds.

Turning Challenge into Opportunity

Apart from support issues of the various encryption products the end customer considered, a number of issues remained unsolved: an all-in-one cryptographic key management system; a scalable encryption platform that can scale up easily to cope with the growing needs of the system; a cryptographic platform that supports a rich set of ciphers and, on some special occasions, the customer's proprietary cipher algorithms; and, last but not least, platform independence and application independence to support a potential future change of platform.

The end customer finally turned to the Bloombase® Spitfire™ enterprise security solution installed onto HP Integrity Servers to meet their stringent security requirements.

Without the need to alter any of the end users' workflow, application and hardware platform, Spitfire StoreSafe™ virtualizes the incoming data staging storage, DB2 data file repository and OnDemand Content Manager report repository as Spitfire StoreSafe™ file-based and block-based virtual storages.

Spitfire StoreSafe™ virtual storage offers a secure virtual plain updateable view of their encrypted contents replica physically persisted on disks. Thus, system and application remain unchanged and access Spitfire StoreSafe™ secured storage contents as if they are normal files and disks, but in reality, the sensitive data are secured by strong encryption. Only when OnDemand Content Manager and DB2 UDB request storage contents is Spitfire StoreSafe™ triggered to decrypt the ciphered sensitive data, and only when data are stored by Content Manager or database records are committed to DB2 is Spitfire StoreSafe™ triggered to encrypt the sensitive contents before they are physically written to EMC SAN disk.

Spitfire StoreSafe™ enabled the customer to migrate their whole data storage in phases, minimizing cutover windows and thus the impact on service availability. TSM managed encrypted raw volumes as normal volumes without change, with the benefit that data archived to backup tapes remain in their original secure ciphered form.

The end customer enjoyed end-to-end data privacy using the Bloombase Spitfire™ security platform, meeting the toughest national data security requirements at low total cost of ownership (TCO).




© 2006 Bloombase Technologies. All rights reserved. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of Bloombase Technologies Ltd in Hong Kong, China and in several other countries all over the world. All other product and
service names mentioned are the trademarks of their respective companies.

The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors
or omissions contained herein.

4AA0-0696EEP 09/2006

More Related Content

PDF
IBM System Storage SAN Volume Controller
PDF
Novell File Management Suite: Intelligently Manage File Storage for Maximum B...
PDF
Ugly Storage Made Sexy in Novell Open Enterprise Server and Windows Environments
PPT
How to evaluate data protection technologies - Mastercard conference
PDF
SUSE Linux Enterprise Server for System z SP1
PDF
IBM Tivoli Storage Productivity Center
PDF
Terremark Backup Custom Storage Pre Press
PDF
Run Book Automation with PlateSpin Orchestrate
IBM System Storage SAN Volume Controller
Novell File Management Suite: Intelligently Manage File Storage for Maximum B...
Ugly Storage Made Sexy in Novell Open Enterprise Server and Windows Environments
How to evaluate data protection technologies - Mastercard conference
SUSE Linux Enterprise Server for System z SP1
IBM Tivoli Storage Productivity Center
Terremark Backup Custom Storage Pre Press
Run Book Automation with PlateSpin Orchestrate

What's hot (17)

PDF
Symantec Appliances Strategy Launch
PDF
SANsymphony V
PDF
IBM XIV Storage System series
PDF
Visual Storage Intelligence™ Case Story Final
PPT
Vna for indexing & storing dicom & non dicom objects - peter lange - ibm
PPTX
Webinar: Unifying storage for EMC & NetApp
PDF
IBM PureFlex System storage resources
PDF
Windows Hosting Service-Level Description
PDF
Novell File Management Suite Use Cases
PDF
Shared Oracle Hosting (Linux)
PDF
File Access in Novell Open Enterprise Server 2 SP2
PPTX
Agentless backup is not a myth
PDF
Vm6 v mex
PPTX
Mct summit na what's new in forefront endpoint protection 2012 beta
PDF
Bloombase Turnkey Data At-Rest Security Compliance Solution for EMC Celerra
PDF
Novell Storage Manager: Your Secret Weapon for Simplified File and User Manag...
PDF
TS7680 ProtecTIER for z/OS Datasheet
Symantec Appliances Strategy Launch
SANsymphony V
IBM XIV Storage System series
Visual Storage Intelligence™ Case Story Final
Vna for indexing & storing dicom & non dicom objects - peter lange - ibm
Webinar: Unifying storage for EMC & NetApp
IBM PureFlex System storage resources
Windows Hosting Service-Level Description
Novell File Management Suite Use Cases
Shared Oracle Hosting (Linux)
File Access in Novell Open Enterprise Server 2 SP2
Agentless backup is not a myth
Vm6 v mex
Mct summit na what's new in forefront endpoint protection 2012 beta
Bloombase Turnkey Data At-Rest Security Compliance Solution for EMC Celerra
Novell Storage Manager: Your Secret Weapon for Simplified File and User Manag...
TS7680 ProtecTIER for z/OS Datasheet
Ad

Viewers also liked (17)

PDF
trender WOMM - Case Studies
PPTX
Advanced english i uvm guadalajara norte essay i 3 rd parcial
DOCX
PPTX
내가 바라는 우리학교
PDF
Dieta e prevenção cvd versão slideshare
PDF
Making the most of 2.2
PDF
2010 Mercedes CLS Class Los Angeles
PDF
S1.part.1.install and-settings
PPT
Body rider-fan-bike.ppt
PDF
Future of Digital Profiles
PPT
The European Climate Change Adaptation Platform: CLIMATE-ADAPT - Dr. Margaret...
PPTX
Les évolutions humanitaires: annexe
PPT
M&L 2012 - Scientific Imagery in Higher Education - by Ruth Kerr, Ilaria Merciai
PPT
Informal emma sci com 2013 nhm
PDF
Ethnographic Reading Summaries
PDF
M&E Logic Model1
PDF
"Preparing for SBAC: Addressing Online Testing Challenges with your Students"
trender WOMM - Case Studies
Advanced english i uvm guadalajara norte essay i 3 rd parcial
내가 바라는 우리학교
Dieta e prevenção cvd versão slideshare
Making the most of 2.2
2010 Mercedes CLS Class Los Angeles
S1.part.1.install and-settings
Body rider-fan-bike.ppt
Future of Digital Profiles
The European Climate Change Adaptation Platform: CLIMATE-ADAPT - Dr. Margaret...
Les évolutions humanitaires: annexe
M&L 2012 - Scientific Imagery in Higher Education - by Ruth Kerr, Ilaria Merciai
Informal emma sci com 2013 nhm
Ethnographic Reading Summaries
M&E Logic Model1
"Preparing for SBAC: Addressing Online Testing Challenges with your Students"
Ad

Similar to Customer Success - A Government Security Agency (20)

PDF
Customer Success - A Government Organization
PDF
Customer Success - A Public Order Enforcement Government Agency in Asia-Pacific
PPTX
Vormetric - Gherkin Event
PDF
Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
PDF
IBM Infosphere Guardium - Database Security
PDF
Issa chicago next generation tokenization ulf mattsson apr 2011
PDF
New Solutions for Security and Compliance in the Cloud
PDF
Bloombase transparent at-rest data encryption security for Dell EqualLogic
PDF
ISSA: Cloud data security
PPT
Guardium value proposition for fss pn 12 02-10
PDF
Oracle Optimized Datacenter - Storage
PDF
Ppt security-database-overview-11g r2
PDF
IBM InfoSphere Guardium overview
PDF
Symantec Data Insight 3.0
PDF
Momentum Infocare Corporate Presentation
PDF
20121108 vmug london event nimble sorage for vdi
PDF
Hitachi ID Solutions Supporting SOX Compliance
PPT
Arrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBM
PPTX
Sådan undgår du misbrug af kundedata og fortrolig information
PPTX
Brave new world of encryption v1
Customer Success - A Government Organization
Customer Success - A Public Order Enforcement Government Agency in Asia-Pacific
Vormetric - Gherkin Event
Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
IBM Infosphere Guardium - Database Security
Issa chicago next generation tokenization ulf mattsson apr 2011
New Solutions for Security and Compliance in the Cloud
Bloombase transparent at-rest data encryption security for Dell EqualLogic
ISSA: Cloud data security
Guardium value proposition for fss pn 12 02-10
Oracle Optimized Datacenter - Storage
Ppt security-database-overview-11g r2
IBM InfoSphere Guardium overview
Symantec Data Insight 3.0
Momentum Infocare Corporate Presentation
20121108 vmug london event nimble sorage for vdi
Hitachi ID Solutions Supporting SOX Compliance
Arrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBM
Sådan undgår du misbrug af kundedata og fortrolig information
Brave new world of encryption v1


Customer Success - A Government Security Agency

  • 1. CUSTOMER SPOTLIGHT

A Government Border Control Agency

Bloombase® Spitfire StoreSafe™ Storage Security Server
Bloombase® Spitfire KeyCastle™ Key Management Server

Government organization secures privacy of sensitive personal border control data of a data warehouse system using Bloombase® Spitfire StoreSafe™ storage encryption and Bloombase® Spitfire KeyCastle™ key management security solution

AT A GLANCE

ABOUT THE CUSTOMER
• Government agency controlling border entrance of people and issue of personal identification and travel documents
• Employees: More than 12,000

SUMMARY
To protect privacy of sensitive personal information of an off-the-shelf business intelligence and reporting system according to regional personal data privacy laws

KEY CHALLENGES
• No change to end user, administrator and operator workflow
• No significant degradation of system throughput and response
• Off-the-shelf data warehouse system cannot be altered
• No coding required
• No hardware, system and application change

EXISTING ENVIRONMENT
• No data encryption in place
• Physical isolation of system hardware in data center

HARDWARE
• IBM p-Series servers
• EMC Symmetrix SAN
• Brocade FC SAN switch
• IBM tape library
• HP Integrity Server

OPERATING SYSTEM
• IBM AIX 5.3
• Redhat Enterprise Linux 4

SOFTWARE
• IBM OnDemand Content Manager
• IBM DB2 Universal Database
• IBM Tivoli Storage Manager (TSM)

WHY BLOOMBASE SOLUTIONS
• Enabled customer to leverage existing hardware and software
• Provided comprehensive key and encrypted storage management
• Platform and application neutral
• Scalable and extensible
• Custom cipher support

IMPLEMENTATION HIGHLIGHTS
Was first organization in public sector to institute an end-to-end persistence data protection from data extraction, transform and load (ETL), data warehousing, reporting, backup and archival

KEY BENEFITS
• Immediate information privacy regulatory compliance
• Transparent deployment
• High encryption performance
• No system response degradation
• Highly available and fault-tolerant
• Deployment and data migration can be committed in phases
• Supports storage media including SCSI disks, magnetic tapes and virtual tape libraries (VTL)
• Protects cooked and uncooked/raw filesystems with a single solution

PROJECT OBJECTIVES
• Encrypts dynamic database data stored in storage area network (SAN) and backup tapes
• Protects filesystem objects, relational databases, uncooked volume and backup media
• Interoperable with existing information lifecycle management (ILM) system for automatic data persistence

SOLUTIONS AND SERVICES
• Spitfire KeyCastle™ key management server
• Spitfire StoreSafe™ enterprise storage security server

Overview

A border control government organization runs an intelligence system to keep track of entrance and exit of people for collection and analysis of movement habits of travelers.

According to personal data privacy laws, such intelligence information is under strict control and required to be secured by strong encryption for all at-rest data on storage media including hard disks, optical disks, magnetic tapes, etc.

Working under tight time constraints, the customer is required to implement effective data protection measures of the system, which has been in operation for 5 years, within 3 months' time. With stringent constraints including no change to system infrastructure and user/operator workflow as well as the requirement to maintain the same level of service (system response, availability, capacity, etc), end customer selected Bloombase® Spitfire StoreSafe™ enterprise storage security server to provide on-the-fly encryption of their sensitive persistence data and Bloombase® Spitfire KeyCastle™ key management server for full lifecycle management of their cryptographic keys.

An Ambitious Trial Project

The business intelligence system has been in operation for more than 5 years. Like many core business operations systems in the IT infrastructure of this customer, the system is mission-critical.

  • 2. As a pilot project for data protection, the encryption solution has to prove fault-tolerant, highly available and disaster-recovery ready.

Border traveler information is submitted to the system timely around the clock which contains sensitive personal information including travelers' names, personal identification numbers such as identity card numbers, visa numbers and passport identifiers etc., date and time of gate-in and gate-out, etc. Such information is collected from various border control units from within the whole state and temporarily stored at a staging storage area of the system. An extraction-transform-load (ETL) worker processes the staging area for incoming traveler information. The ETL worker triggers a content filter to scan for potential hazards. Viral and malicious contents are rejected and moved to parking area for examination or disposal. Clean files are parsed, contents extracted and loaded into a relational database system powered by IBM DB2 Universal Database System.

End users of the system define reports to be run and at what timely manner via IBM OnDemand Content Manager management console. Whenever an analysis task is executed in the system, a report file will be generated and stored at an uncooked storage area managed by IBM Tivoli Storage Manager (TSM). IBM OnDemand Content Manager links the analysis task to the physical disk location(s) where the output reports are stored. On user's retrieval of analysis results, Content Manager reads the physical EMC storage area network (SAN) disk and presents the information to users in a readable form, or as files to be exported for further analysis or reporting use.

IBM TSM manages information lifecycle of the storage area by automatically offloading outdated or less frequently accessed reports to tape libraries for archival, freeing up fast disk storage space for new and frequently accessed reports. On the other hand, if user retrieves a report that OnDemand finds archived, TSM will be triggered to restore the report contents from backup tapes back to SAN disk for user's retrieval.

"Bloombase Spitfire™ enterprise security solution brings you key management, file protection, database protection, raw disk encryption and backup encryption in a single solution at low total cost of ownership (TCO)"

Thanks to IBM OnDemand Content Manager, DB2 UDB and TSM, the intelligence system works seamlessly and at the best performance one could get from an IBM Power platform fueled with EMC Symmetrix SAN. However, when talking about data protection, customer faces their first challenge. The application is built on off-the-shelf products that cannot be altered, therefore, there is no way one can introduce data cryptographic processing at the application level.

Customer hit their second challenge when they stepped backward and considered database encryption. Despite database encryption's difficulty on deployment and the vast amount of database objects to get encryption configured, database encryption products cannot solve data privacy problems on the incoming sensitive staging storage and the report repository.

To customer's biggest frustration, their proof-of-concept tests on filesystem encryption products did not work out either. Yes, filesystem encryption works fine with incoming data staging storage, database files and log files, however, filesystem encryption failed to work with the report repository where the filesystem is uncooked, in other words, raw or no filesystem.

Customer did not prefer extra software to be installed on their AIX application servers due to their server capacity and audit requirements. The average processing time for report generation has to be kept within 30 seconds.

Turning Challenge into Opportunity

Apart from support issues of various encryption products end customer considered, a number of issues remained unsolved: an all-in-one cryptographic key management system, a scalable encryption platform that can scale up easily as to cope with growing needs of the system, a cryptographic platform that supports a rich set of ciphers and in some special occasions, customer's proprietary cipher algorithms, last but not least, platform independence and application independence to support potential future change of platform.

End customer finally turned to Bloombase® Spitfire™ enterprise security solution installed onto HP Integrity Servers to meet their stringent security requirements.

Without the need to alter any of end users' workflow, application and hardware platform, Spitfire StoreSafe™ virtualizes incoming data staging storage, DB2 data file repository and OnDemand Content Manager report repository as Spitfire StoreSafe™ file-based and block-based virtual storages. Spitfire StoreSafe™ virtual storage offers a secure virtual plain updateable view of their encrypted contents replica physically persisted on disks. Thus, system and application remain unchanged and access Spitfire StoreSafe™ secured storage contents as if they are normal files and disks, but in reality, the sensitive data are secured by strong encryption. Only when OnDemand Content Manager and DB2 UDB request for storage contents will trigger Spitfire StoreSafe™ to decrypt the ciphered sensitive data and when data are stored by Content Manager or database records committed to DB2 will trigger Spitfire StoreSafe™ to encrypt the sensitive contents before they are physically written to EMC SAN disk. Spitfire StoreSafe™ enabled the customer to migrate their whole data storage in phases minimizing cutover windows and thus service availability. TSM managed encrypted raw volume as normal volumes without change with benefit that data archived to backup tapes are in their original secure ciphered form.

End customer enjoyed end-to-end data privacy using Bloombase Spitfire™ security platform meeting the toughest national data security requirements at low total cost of ownership (TCO).

© 2006 Bloombase Technologies. All rights reserved. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Bloombase Technologies Ltd in Hong Kong, China and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors or omissions contained herein. 4AA0-0696EEP 09/2006