Encrypted Data at Rest


Encrypted Data at Rest

4D Tech mailing list
I have had a request to have a system have all data at rest encrypted.  My understanding is that they actually want the 4D datafile and backups encrypted at all times.  Have others had to deal with this and if so what options did you find available and what did you choose as your solution?

Thanks
Justin Will
**********************************************************************
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:[hidden email]
**********************************************************************

RE: Encrypted Data at Rest

4D Tech mailing list
>  Have others had to deal with this and if so what options did you find available and what did you choose as your solution?

The easiest is to turn on the drive encryption. However I also selectively encrypt more sensitive information so it is double encrypted.

Neil

Re: Encrypted Data at Rest

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Justin:

That has been a requirement of Health Care Systems in Canada for more than 15 years. It is actually a good idea. Fortunately there is an ‘easy’ way to do it and it does not take one ounce of programming (not good for billable hours). The clients purchase the drive controllers and drives (if using existing servers) that encrypt all data on the drive. All servers we purchase now have this hardware feature in them. This works with SSDs as well.

The speed is such that even large sites do not notice a reduction of performance of the system.


Jody Bevan
ARGUS Productions Inc.
Developer

Argus Productions Inc. <https://www.facebook.com/ArgusProductions/>


> On Aug 2, 2017, at 8:22 AM, Justin Will via 4D_Tech <[hidden email]> wrote:
>
> I have had a request to have a system have all data at rest encrypted.  My understanding is that they actually want the 4D datafile and backups encrypted at all times.  Have others had to deal with this and if so what options did you find available and what did you choose as your solution?
>
> Thanks
> Justin Will


RE: Encrypted Data at Rest

4D Tech mailing list
Jody,

Do you have a recommendation on a controller that does this well?

Thanks
Justin

RE: Encrypted Data at Rest

4D Tech mailing list
Depending on the computer system.
This is built into (software) OS X; it is called 'FileVault'.
I believe that Windows 7+ has a similar feature, but this might not be
true at all, or only for newer (8 and/or 10).

I do not have explicit experience (I'm sure Jody does); I would expect
there to be some performance hit with FileVault, as it is software.


Here is a link to an Ars Technica thread about SSD encryption
https://arstechnica.com/civis/viewtopic.php?t=1243475

On Wed, 2 Aug 2017 14:50:24 +0000, Justin Will via 4D_Tech wrote:

> Jody,
>
> Do you have a recommendation on a controller that does this well?
>
> Thanks
> Justin
---------------
Gas is for washing parts
Alcohol is for drinkin'
Nitromethane is for racing

Re: Encrypted Data at Rest

4D Tech mailing list
Chip:

Even longer than the hardware/firmware solutions there has been software to do this. The performance hit is substantial though. I remember testing out a software solution about 15 years ago with a compiled standalone version of our application. Essentially with these they intercept the writing to the hard drive for certain applications so that you do not have to do this for all applications. It was substantially slower. Of course that was 15 years ago, so this could have sped up since then, especially with SSD. Still, though, with the hardware/firmware solution I could not see a difference in performance between with it and without it.

Jody


> On Aug 2, 2017, at 9:07 AM, Chip Scheide via 4D_Tech <[hidden email]> wrote:
>
> Depending on the computer system.
> This is built into (software) OS X; it is called 'FileVault'.
> I believe that Windows 7+ has a similar feature, but this might not be
> true at all, or only for newer (8 and/or 10).
>
> I do not have explicit experience (I'm sure Jody does); I would expect
> there to be some performance hit with FileVault, as it is software.
>
>
> Here is a link to an Ars Technica thread about SSD encryption
> https://arstechnica.com/civis/viewtopic.php?t=1243475
>


Re: Encrypted Data at Rest

4D Tech mailing list
FileVault 2 was a big improvement over Apple's first attempt.
This link describes the performance impact:
http://osxdaily.com/2011/08/10/filevault-2-benchmarks-disk-encryption-faster-mac-os-x-lion/

Keith - CDI


> On Aug 2, 2017, at 12:47 PM, Jody Bevan via 4D_Tech <[hidden email]> wrote:
>
> Chip:
>
> Even longer than the hardware/firmware solutions there has been software to do this. The performance hit is substantial though. I remember testing out a software solution about 15 years ago with a compiled standalone version of our application. Essentially with these they intercept the writing to the hard drive for certain applications so that you do not have to do this for all applications. It was substantially slower. Of course that was 15 years ago, so this could have sped up since then, especially with SSD. Still, though, with the hardware/firmware solution I could not see a difference in performance between with it and without it.
>
> Jody
>
>
>> On Aug 2, 2017, at 9:07 AM, Chip Scheide via 4D_Tech <[hidden email]> wrote:
>>
>> Depending on the computer system.
>> This is built into (software) OS X; it is called 'FileVault'.
>> I believe that Windows 7+ has a similar feature, but this might not be
>> true at all, or only for newer (8 and/or 10).
>>
>> I do not have explicit experience (I'm sure Jody does); I would expect
>> there to be some performance hit with FileVault, as it is software.
>>
>>
>> Here is a link to an Ars Technica thread about SSD encryption
>> https://arstechnica.com/civis/viewtopic.php?t=1243475
>>


RE: Encrypted Data at Rest

4D Tech mailing list
I don't believe that FileVault and Windows built-in encryption are sufficient.  I need to comply with NIST Special Publication 800-57.  I believe it will have to be hardware based with some sort of special key management.  Honestly it's all pretty foreign to me.

Justin


RE: Encrypted Data at Rest

4D Tech mailing list
In reply to this post by 4D Tech mailing list
On Aug 2, 2017, at 12:51 PM, Chip Scheide wrote:

> Depending on the computer system.
> This is built into (software) OS X; it is called 'FileVault'.
> I believe that Windows 7+ has a similar feature, but this might not be
> true at all, or only for newer (8 and/or 10).
>
> I do not have explicit experience (I'm sure Jody does); I would expect
> there to be some performance hit with FileVault, as it is software.

Remember that with what Jody is talking about, the encryption is handled in hardware by the drive controller, so the performance hit is negligible, as they say. Don’t confuse the issue by including consumer-level software encryption like FileVault. FileVault is for personal use only.

Just making the point for any amateurs out there reading this thread: the people running 4D Server on a Mac Mini who think, “I’ll be more secure and put my data file in FileVault.” Yeah, it should work. But I think you would be hard pressed to find anyone that would recommend doing that.

And also keep in mind that drive level encryption has no impact on database performance when you are accessing the data cache. No encryption of the data cache and memory. So the negligible decryption performance hit only impacts the first read from disk to load the data cache. And there is a negligible encryption performance hit when writing to disk. But that only happens when the cache is flushed. And the flush happens in a separate thread on a separate core on 4D Server. So that makes it super negligible.

Tim

********************************************
Tim Nevels
Innovative Solutions
785-749-3444
[hidden email]
********************************************


Re: Encrypted Data at Rest

4D Tech mailing list
FileVault 2, or just FileVault since Mountain Lion, is drive level encryption.

Milan

Sent from my iPad

> On Aug 2, 2017, at 21:21, Tim Nevels via 4D_Tech <[hidden email]> wrote:
>
>> On Aug 2, 2017, at 12:51 PM, Chip Scheide wrote:
>>
>> Depending on the computer system.
>> This is built into (software) OS X; it is called 'FileVault'.
>> I believe that Windows 7+ has a similar feature, but this might not be
>> true at all, or only for newer (8 and/or 10).
>>
>> I do not have explicit experience (I'm sure Jody does); I would expect
>> there to be some performance hit with FileVault, as it is software.
>
> Remember that with what Jody is talking about, the encryption is handled in hardware by the drive controller, so the performance hit is negligible, as they say. Don’t confuse the issue by including consumer-level software encryption like FileVault. FileVault is for personal use only.
>
> Just making the point for any amateurs out there reading this thread: the people running 4D Server on a Mac Mini who think, “I’ll be more secure and put my data file in FileVault.” Yeah, it should work. But I think you would be hard pressed to find anyone that would recommend doing that.
>
> And also keep in mind that drive level encryption has no impact on database performance when you are accessing the data cache. No encryption of the data cache and memory. So the negligible decryption performance hit only impacts the first read from disk to load the data cache. And there is a negligible encryption performance hit when writing to disk. But that only happens when the cache is flushed. And the flush happens in a separate thread on a separate core on 4D Server. So that makes it super negligible.
>
>

Re: Encrypted Data at Rest

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Not sure why you say for personal use only. FileVault supports 256 AES and benefits from hardware acceleration in the CPU. I’ve never done timing comparisons but there are no noticeable performance effects at all. Some people have tested, years ago, and found at most only 2-3% degradation.


> Date: Wed, 02 Aug 2017 13:21:09 -0500
> From: Tim Nevels <[hidden email]>
>
> On Aug 2, 2017, at 12:51 PM, Chip Scheide wrote:
>
>> Depending on the computer system.
>> This is built into (software) OS X; it is called 'FileVault'.
>> I believe that Windows 7+ has a similar feature, but this might not be
>> true at all, or only for newer (8 and/or 10).
>>
>> I do not have explicit experience (I'm sure Jody does); I would expect
>> there to be some performance hit with FileVault, as it is software.
>
> Remember that with what Jody is talking about, the encryption is handled in hardware by the drive controller, so the performance hit is negligible, as they say. Don’t confuse the issue by including consumer-level software encryption like FileVault. FileVault is for personal use only.
>
> Just making the point for any amateurs out there reading this thread: the people running 4D Server on a Mac Mini who think, “I’ll be more secure and put my data file in FileVault.” Yeah, it should work. But I think you would be hard pressed to find anyone that would recommend doing that.
>
> And also keep in mind that drive level encryption has no impact on database performance when you are accessing the data cache. No encryption of the data cache and memory. So the negligible decryption performance hit only impacts the first read from disk to load the data cache. And there is a negligible encryption performance hit when writing to disk. But that only happens when the cache is flushed. And the flush happens in a separate thread on a separate core on 4D Server. So that makes it super negligible.
>
> Tim
>
> ********************************************
> Tim Nevels
> Innovative Solutions
> 785-749-3444
> [hidden email]
> ********************************************


Re: Encrypted Data at Rest

4D Tech mailing list
In reply to this post by 4D Tech mailing list
On Aug 2, 2017, at 7:35 PM, Richard Wright wrote:

> Not sure why you say for personal use only. FileVault supports 256 AES and benefits from hardware acceleration in the CPU. I’ve never done timing comparisons but there are no noticeable performance effects at all. Some people have tested, years ago, and found at most only 2-3% degradation.

That sounds fantastic. I had no idea it was so good. And it’s free!

From what you say it sounds like it is ready for use in any and all situations where you need to encrypt data on macOS.

Tim

********************************************
Tim Nevels
Innovative Solutions
785-749-3444
[hidden email]
********************************************


RE: Encrypted Data at Rest

4D Tech mailing list
In reply to this post by 4D Tech mailing list
> I believe it will have to be hardware based with some sort of special key management

I once did this with an Ingrian DataSecure hardware appliance, which is in fact a specially protected 19" rack computer. From 4D I generate an xml containing the data to be encrypted, this xml is then sent over the network to the Ingrian appliance, together with some information regarding who I am (user&password) and what I want (encrypt with key named xxx). The appliance checks user&password and returns the encrypted xml. This is stored in the respective record in a blob field. On accessing the record, the reverse is done: the blob is sent over the network to the Ingrian appliance, together with some information regarding who I am (user&password) and what I want (decrypt with key named xxx). The appliance checks user&password and returns the decrypted xml.
Key to all this is the fact that the network appliance itself is certified to certain standards and handles the majority of key management. Unfortunately these NAEs (network attached encryption) aren't cheap.

HTH
Ingo Wolf


--
ViELMAC Ingo Wolf
Rheinhessenring 53A
D 55597 Wöllstein
Tel. +49 (0)6703 3070320
Fax  +49 (0)6703 3070321
e-mail [hidden email]

RE: Encrypted Data at Rest

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Hi,

This is an interesting subject...

I would say it depends on what you want to protect from and how deep your pockets are...

As people said, it is difficult to encrypt the whole 4D database without encryption being supported at the database engine level...
At the moment 4D does not support it.

It is possible to encrypt a few fields, but it will then be difficult to search on those encrypted fields... Decrypting on the fly is OK for targeted purposes but not for massive data processing (search, sort, stats, etc.).

For instance, a database with people and medical results. One idea would be to encrypt the medical result but not encrypt the name, surname, dob information (so you can at least search, if authorized, the result of one person).
If you store a pdf of results with name and medical results they need to be encrypted as well.

If you wanted to make stats on the medical data, then you would have to have information in "clear" but encrypt the relation between medical data and person...

This is just an idea, I don't know if it will hold against certification...

Filesystem/storage level encryption is good for one part of the risks: if the machine gets stolen, or a drive is disposed of without being erased/destroyed...
If you can get away with this, this will be the easiest/cheapest option.

But if a hacker gets into your server (with the same privileges as the owner of the datafile), he will be able to copy your data file (and if he is very good he will read/extract your data)...
If a hacker is into your server, it means that your network security was not that great, that the server configuration/protection was not that great, etc...

Now what about a dishonest/bad/disgruntled employee/admin (or a whistleblower)... These things can happen, even to the NSA...

Should the information be accessible to the admin? The developer? Or just the users with correct privileges?

If you do backups (they will leave the encrypted disk, the machine and the building hopefully), you need to encrypt the backup data (7z has an option to do AES-256 encryption).

Then there is the question of the keys... Where and how do you store and protect the keys?
Hard coded in code? In data? In a preference file? In a Hardware Security Module (HSM)?
The HSM is a kind of very specialized (and very expensive) hardware designed to store and protect keys and self-destroy if tampered with...

S3 is an option. Communication to S3 is secure (https).
Storage can be done encrypted with AES-256 (transparently), it is just an option at object level. Data is encrypted before being written to disk and decrypted on the fly when you try to read it (all transparent). Amazon cannot read your data (it is encrypted with your secret key).
I read that NSA was suspected to have planted a "system" (with the help of Amazon?) between the SSL tunnel exit and before the encryption... But that's it.
If you don't trust Amazon/NSA, you can encrypt before sending.

Finally, Oracle has had a concept of "Transparent Data Encryption" for a few years (11g).
Maybe if you really need this, store your data on Oracle.

HTH
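
The split suggested in the post above (identity fields and medical values kept in clear, only the relation between them protected), sketched as an added example that is not part of the original post and not 4D code. It assumes Python's sqlite3 in place of a 4D datafile and swaps in a keyed HMAC pseudonym for reversible encryption of the link; table names, sample rows and the key are constructed.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: names, values and the key are made up for this example.
PERSONS = [(1, "Ada Example", "1970-01-01"), (2, "Bob Sample", "1985-06-15")]
RESULTS = [(1, "glucose", 5.4), (1, "glucose", 6.0), (2, "glucose", 7.2), (2, "hba1c", 6.1)]
DEMO_KEY = bytes(range(32))  # placeholder only; a real key belongs in an HSM or key manager


def link_token(key: bytes, person_id: int) -> str:
    """Keyed pseudonym for a person: HMAC-SHA256(key, "person:<id>") as hex."""
    msg = f"person:{person_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_db(key: bytes) -> sqlite3.Connection:
    """Person rows stay searchable in clear; result rows carry only the token."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, dob TEXT)")
    conn.execute("CREATE TABLE result (link TEXT, test TEXT, value REAL)")
    conn.execute("CREATE INDEX result_link ON result (link)")
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", PERSONS)
    conn.executemany(
        "INSERT INTO result VALUES (?, ?, ?)",
        [(link_token(key, pid), test, value) for pid, test, value in RESULTS],
    )
    return conn


def mean_by_test(conn: sqlite3.Connection) -> dict:
    """Statistics need no key: they only touch the clear medical values."""
    rows = conn.execute("SELECT test, AVG(value) FROM result GROUP BY test ORDER BY test")
    return {test: round(avg, 2) for test, avg in rows}


def results_for(conn: sqlite3.Connection, key: bytes, person_id: int) -> list:
    """Authorized lookup: recompute the token with the key, then hit the index."""
    rows = conn.execute(
        "SELECT test, value FROM result WHERE link = ? ORDER BY rowid",
        (link_token(key, person_id),),
    )
    return rows.fetchall()


def naive_join_rows(conn: sqlite3.Connection) -> int:
    """Rows linked when joining on the raw person id, as a copy of the file without the key allows."""
    return conn.execute(
        "SELECT COUNT(*) FROM person p JOIN result r ON r.link = CAST(p.id AS TEXT)"
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_db(DEMO_KEY)
    print("stats without key:", mean_by_test(db))
    print("person 1 with key:", results_for(db, DEMO_KEY, 1))
    print("person 1 with wrong key:", results_for(db, b"\x00" * 32, 1))
    print("rows linked by a keyless join:", naive_join_rows(db))
```

The link is only as strong as the key's protection: whoever holds the key can recompute the token for every person id, which is the key-storage question the post raises.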






Re: Encrypted Data at Rest

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Richard:

Hardware acceleration in the CPU is still not nearly as fast as this task being done by the drive controller. All software runs through the CPU. Yes, the CPU can support specific types of code which helps. Just like GPUs, the advanced support in the drive controllers makes a big difference. Tim’s explanation really highlights why it is faster - good explanation Tim.

As with all things in 4D and IT, there are vast differences in use and needs. Why buy a big server with 24 GB RAM and 2 Terabytes of SSD in RAID configuration, and 18 CPUs when there are 20 people connecting - not needed - huge waste of money. On the other hand trying to serve a large site with large data, and heavy use with a MacMini running FileVault would be a no go. When working with large sites with hundreds of people connected and they do ALL their work in the system, good hardware, good network, and OS makes a huge difference (as well as a proven 4D application). This is when pinches in throughput really show. It makes one dig into the details. Reminds me of gigabyte switches. Clients would complain that the switches we insisted on were way too expensive when they could buy gigabyte switches for 20% of the price. Yes each port may be able to support 1 GB throughput, but if the whole device only supports 2 GB throughput it really is not good for busy sites. The details matter at large sites.

The details of performance really matter if your site’s needs require high performance. If not - then FileVault2 can be a great solution that makes a lot of sense.

Apple backed out of the server world as far as hardware is concerned, but that is a whole other topic for those of us that actively supported Apple Servers with several hundred Xserves. With a few more important features we could have sold several hundred more.

Jody


> On Aug 2, 2017, at 1:59 PM, Richard Wright via 4D_Tech <[hidden email]> wrote:
>
> Not sure why you say for personal use only. FileVault supports 256 AES and benefits from hardware acceleration in the CPU. I’ve never done timing comparisons but there are no noticeable performance effects at all. Some people have tested, years ago, and found at most only 2-3% degradation.
>
