Creating an Integrated, Optimized, and Secure Enterprise Data Platform: IBM PureData System for Transactions with SafeNet's ProtectDB and DataSecure
Table of contents

1. Data, Data, Everywhere
2. Introduction to IBM PureData System
3. IBM PureData System for Transactions
4. SafeNet ProtectDB with DataSecure Solution
5. How ProtectDB Works
6. Integrating IBM PureData System for Transactions with ProtectDB
   6.1. Installing ProtectDB
   6.2. Data Migration/Rotation process
7. Validation Test
8. Conclusion
9. References

Copyright IBM Corp. 2013. All Rights Reserved.
1. Data, Data, Everywhere

In today's world, the amount of data being captured is ever growing. Hence there is a need for systems capable of handling this data growth efficiently while providing superior performance. Systems like these represent a huge opportunity for organizations to mine large amounts of data from many different sources with the goal of making better decisions and making them significantly faster.

But with large amounts of data in environments like these, there can be a major security challenge: namely, that some of this data will likely be sensitive information subject to compliance or privacy regulations. Examples include transactional data covered by regulations such as PCI DSS, personal health care information covered by HIPAA, or private company information covered by internal mandates.

Solutions such as IBM PureData System are needed for the speed, go-live time, and flexibility that many organizations require. Combining PureData System with encryption technology is needed to address the security issues. However, not all encryption technologies are created equal. Making sure the encryption provides top security is a must; but almost as important, it must be easy to implement and set up.

This paper discusses how SafeNet DataSecure encryption with the ProtectDB plug-in can protect data stored on IBM PureData System. Overviews of the products are provided, as well as a general guide to interoperability and validation testing.

2. Introduction to IBM PureData System

IBM has introduced a new class of expert integrated systems to help reduce the go-live time for building new systems. These systems come with integrated expertise that combines the flexibility of a general-purpose system, the elasticity of cloud, and the simplicity of an appliance. These systems will change both the experience and economics of IT.
PureData System is part of this family of expert integrated systems and is ideal for systems that need an integrated and optimized data platform. These systems are optimized exclusively for data services for both transactional and analytics applications. IBM PureData System simplifies deployment, as the systems are factory integrated to be data load ready in a matter of hours. They provide integrated management and support, which takes the simplicity of system maintenance to a new level.
PureData System comes in four flavors based on three different types of workloads they are optimized for.

1. PureData System for Transactions: Delivers superior database scaling technology that is integrated and optimized for transactional applications.
2. PureData System for Analytics: Offers greater concurrency and throughput based on the next generation Netezza technology.
3. PureData System for Operational Analytics: Delivers powerful operational analytics capabilities with continuous ingest of data to enable real time decision making.
4. PureData System for Hadoop: Simplifies the complexities of deploying big data in the enterprise. It accelerates Hadoop analytics and augments the data warehouse with a queryable archive.

3. IBM PureData System for Transactions

IBM PureData System for Transactions is a fully integrated system which is optimized for delivering superior performance of highly scalable transactional workloads. It is powered by IBM's DB2 database software, which has a proven track record of being a consistent leader both in terms of industry benchmarks and in providing higher return on investment, as seen by many clients across the world. Specifically, the DB2 pureScale feature provides these transactional workloads with continuous availability, seamless scalability, and application transparency.

Figure 1. DB2 pureScale Architecture Overview
IBM PureData System for Transactions is delivered as a complete hardware, storage, networking and software system, and it can be data load ready in a matter of hours. The introduction of topology patterns and transactional database patterns helps rapid deployment of high-scale, highly reliable databases. IBM PureData System for Transactions is capable of handling consolidation of more than one hundred databases on a single system and supports running multiple database versions on the same system. It simplifies system operations and firmware maintenance, which can be carried out without any planned system downtime.

IBM PureData System for Transactions has the ability to automate pattern-based deployment of databases, which allows new systems to be data load ready in minutes. Patterns are available for various cluster sizes to handle the most typical requirements. Deployment of databases is done as fully active clusters, ensuring reliable data availability to applications. The compute and memory resources are assigned to a database in such a way that they can start small and scale up to as much as 30 times, providing elasticity. The system can also grow from a small configuration to a medium configuration, and from a medium configuration to a large configuration, with no planned system downtime required.

At the core of IBM PureData System for Transactions is the proven IBM DB2 database software. Existing DB2 applications can run on IBM PureData System for Transactions without any changes. The system also supports Oracle based applications written using PL/SQL with minimal change to the code by leveraging DB2's Oracle compatibility feature. The powerful adaptive compression feature of DB2 provides this system with 10x storage savings, further reducing the total cost of ownership and providing higher value to business.

This system offers three standard configurations as shown in the table below.
Figure 2. IBM PureData System for Transactions Configuration Options

The smallest offering is the T1500-96 configuration (also known as a ¼ rack or small configuration), which has 6 compute nodes, each with 16 cores and 256 GB of memory, with 18.6 TB of disk space available for use. The T1500-384 configuration (i.e. full rack) has 24 compute nodes consisting of 384 CPU cores and 6.1 TB of memory, with 74.4 TB of disk space available for use. This resource allocation is based on the performance and scalability requirements of most typical transactional applications, which have a high demand for computing resources (CPU and memory) but lesser storage requirements compared to analytical systems. IBM PureData System for Transactions has built-in redundancy at all levels, ensuring critical data services are available to your applications all the time.

4. SafeNet ProtectDB with DataSecure Solution

SafeNet ProtectDB software delivers powerful database encryption and database protection for the sensitive corporate and customer information stored in databases in the data center. Centralized key management provided with the integrated SafeNet DataSecure solution helps tighten security and simplifies the encryption of data in databases often found in data centers. In addition, with its encryption keys stored in hardware, DataSecure provides strong, trusted security. Working together, ProtectDB with DataSecure helps organizations attain the highest level of security available in a commercial database encryption solution.

The goal of deploying ProtectDB in conjunction with DataSecure is to provide security by encrypting and decrypting the data flowing into and out of databases.
5. How ProtectDB Works

ProtectDB encrypts tables at the column level through a process called data migration. Data migration is the process of encrypting data, altering existing tables so that they can store the resulting ciphertext, and creating views and triggers so that existing applications can work seamlessly and automatically encrypt new data and decrypt data when needed. For example, after migration, SQL queries such as select, insert, and update work transparently, as they would against an unencrypted table, provided access controls succeed.

6. Integrating IBM PureData System for Transactions with ProtectDB

Figure 3. IBM PureData System for Transaction and SafeNet DataSecure (diagram components: ProtectDB Connector, DataSecure, PureData System for Transactions)

ProtectDB can be easily integrated with PureData System for Transactions with two simple steps.
1. ProtectDB must be installed fully (files + Meta database) on any one of the nodes.
2. It must be installed in the files only mode on all the remaining nodes.

The ProtectDB.properties file (also known as the properties file) must be configured separately on each node as per the instructions.

6.1. Installing ProtectDB

Given below are three simple steps to install ProtectDB on each of the nodes.

1. Log on to the PureData System for Transactions system.
2. Open a command prompt window, and navigate to the directory where the extracted ProtectDB file is placed. Then, navigate to the directory named ProtectDB-DB2.
3. Run the installation script and provide information such as the DataSecure IP address, logfile path, etc.

6.2. Data Migration/Rotation process

The existing or new columns of a table can be migrated using the DataSecure Management Console. This process is called Data Migration. Given below are the steps to perform data migration, which enables the selected columns of database tables for encryption.

Migration Steps:

1. Add database in DataSecure.
2. Map each DataSecure user to the corresponding database user.
3. Add the table to migrate and set the column properties which need to be migrated.
4. Click the Data Migration button to migrate data.

After successful migration, data insertion, selection, and update happen seamlessly to the application.
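The view-and-trigger mechanism described in section 5, as an added example that is not part of the original paper and is not ProtectDB's own code. It uses SQLite with Python-registered functions in place of DB2 and the DataSecure appliance; the table CARDS, the functions enc and dec, the key, the stand-in cipher and the card numbers are all constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

# Constructed stand-in key: in the paper's design the key stays on the DataSecure appliance.
KEY = os.urandom(32)

def keystream(nonce, n):
    # HMAC-SHA256 in counter mode; illustration only, unauthenticated, not ProtectDB's cipher.
    blocks = (hmac.new(KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(text):
    if text is None:
        return None
    nonce, data = os.urandom(16), text.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(nonce, len(data))))

def decrypt(blob):
    if blob is None:
        return None
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(nonce, len(body)))).decode()

def migrate(conn):
    """Turn plaintext table CARDS into ciphertext table CARDS_ENC behind a view named CARDS."""
    conn.create_function("enc", 1, encrypt)
    conn.create_function("dec", 1, decrypt)
    conn.executescript("""
        CREATE TABLE cards_enc (id INTEGER PRIMARY KEY, pan_enc BLOB);
        INSERT INTO cards_enc SELECT id, enc(pan) FROM cards;
        DROP TABLE cards;  -- SQLite rebuild standing in for the ALTER TABLE step
        CREATE VIEW cards AS SELECT id, dec(pan_enc) AS pan FROM cards_enc;
        CREATE TRIGGER cards_ins INSTEAD OF INSERT ON cards BEGIN
            INSERT INTO cards_enc (id, pan_enc) VALUES (NEW.id, enc(NEW.pan));
        END;
        CREATE TRIGGER cards_upd INSTEAD OF UPDATE ON cards BEGIN
            UPDATE cards_enc SET pan_enc = enc(NEW.pan) WHERE id = OLD.id;
        END;
    """)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, pan TEXT)")
    conn.execute("INSERT INTO cards VALUES (1, '4111111111111111')")  # constructed test value
    migrate(conn)
    # Application SQL is unchanged: it still targets CARDS, now a view.
    conn.execute("INSERT INTO cards VALUES (2, '5500005555555559')")
    conn.execute("UPDATE cards SET pan = '4012888888881881' WHERE id = 1")
    app_rows = conn.execute("SELECT id, pan FROM cards ORDER BY id").fetchall()
    stored = conn.execute("SELECT id, pan_enc FROM cards_enc ORDER BY id").fetchall()
    return app_rows, stored
```

The first returned list is what the application reads through the view; the second is what a reader of the base table or a stolen backup would see.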
Rotation

The key rotation process creates a new column to hold the data encrypted with the new key. Once the key rotation is complete, the column holding the old encrypted data is removed, and the new column is renamed as the old encrypted data column.

Rotation Steps:

1. Select the table and column for key rotation.
2. Select the new key for rotation.

ProtectDB allows online key rotation; i.e., there is no need to take the tables offline during the key rotation process. Records can be selected, inserted, updated, and deleted in the database tables while the migration or key rotation is in progress.

7. Validation Test

A validation exercise was carried out to see how easy it is to integrate ProtectDB with PureData System for Transactions. Given below is the list of software used for this validation exercise.

Software               Product
Operating System       Red Hat Linux 6
Database               DB2 10.1
Database Monitoring    Database Performance Monitor
Database Security      ProtectDB DB2 connector 6.3

In addition to the above software, DataSecure appliance version 6.3 was also used for this validation.
As part of this validation exercise, ProtectDB was installed on both the nodes of the DB2 database on the PureData System for Transactions using the steps mentioned earlier in sections 6.1 and 6.2. After the migration process was completed, comprehensive tests were conducted to verify the functionality of ProtectDB on the PureData System for Transactions. Below are key observations made during the verification:

1. SQL queries run successfully against tables residing in a DB2 pureScale database which are encrypted using ProtectDB.
2. The database client is able to run queries seamlessly on DB2 pureScale database tables that are encrypted using ProtectDB.
3. ProtectDB integration does not impact DB2 pureScale functionality.

8. Conclusion

IBM PureData System for Transactions protected by SafeNet's DataSecure with ProtectDB is uniquely able to provide the speed, go-live time, flexibility, and seamless strong security to address many organizations' new business requirements and compliance mandates for managing sensitive data. While IBM PureData System for Transaction provides highly scalable and highly reliable data services ready in minutes, the ability to provide seamless security to this data with SafeNet's DataSecure with ProtectDB solution makes it an ideal combination for mission critical enterprise applications.

9. References

IBM PureData System: http://www.ibm.com/software/data/puredata/
IBM PureData System for Transactions: http://www.ibm.com/software/data/puredata/transactions/
SafeNet ProtectDB with DataSecure Solution: http://www.safenet-inc.com/data-protection/database-encryption/protect-db/

For more information, please contact your IBM representative or email askdata@ca.ibm.com
Copyright IBM Corporation 2013. All Rights Reserved.

IBM Canada
8200 Warden Avenue
Markham, ON L6G 1C7
Canada

IBM, the IBM logo, ibm.com, DB2, pureScale, PureData, and Netezza are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.

About SafeNet: SafeNet is a leading global provider of data protection.
For over 25 years, Fortune 500 global corporations and government agencies have turned to SafeNet to secure and protect their most valuable data assets and intellectual property. SafeNet's data-centric approach focuses on the protection of high value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.

DataSecure: http://www.safenetinc.com/cloud-security/datasecure/
Compliance: http://www.safenetinc.com/solutions/compliance/
SafeNet: http://www.safenet-inc.com