IBM Support

Data Breach Prevention: Protecting the data at rest using Document Encryption.

Technical Blog Post


Abstract

Data Breach Prevention: Protecting the data at rest using Document Encryption.

Body

Author: Manisha Khond, IBM Cognitive Engagement, Watson Supply Chain.

 

A business process in Sterling B2B Integrator can store a document or payload in the database, on the file system, or in both. To safeguard the payload or document itself, you can use Document Encryption.

Document encryption is a feature provided with IBM Sterling B2B Integrator that adds a layer of security beyond traditional file and database permissions. Its purpose is to protect data at rest. If you have integrated Sterling File Gateway with Sterling B2B Integrator, it uses the same document encryption feature to protect data at rest.

What are the security features of document encryption?

The document encryption feature is intended to protect data at rest from snooping. It allows you to encrypt the payload data stored in the database and/or the file system, and it is designed to prevent someone outside the system from viewing the payload data by directly accessing the database or file system.

 

Important aspects of document encryption:

  • The default configuration is no encryption. If you want to have your documents encrypted, you will need to turn on this feature.
  • You can turn this feature on at any time, but only documents received after encryption is turned on are encrypted.
  • Once you turn on this feature, encryption is for all payloads across the entire system.
  • Only the document payload data is encrypted, not the metadata.
  • The same encryption key is used to encrypt and decrypt.

How do I implement document encryption?

  • The system uses a predefined certificate to generate and encrypt the keys that are used to encrypt the documents. You can choose to use a different certificate to encrypt the documents. The same encryption key is used to encrypt and decrypt database or file system documents. The digital certificate is used to generate and encrypt the keys, and the system passphrase is used to encrypt the digital certificates. Document encryption creates one key per document, and this key is stored along with the document as part of its metadata. Digital certificates are stored like any other system certificate. To turn on document encryption, create a document encryption certificate (system certificate) and reference the certificate in customer_overrides.properties as below:

security.CERT_NAME=docenccert

 

  • You can choose to encrypt all documents, only the documents stored in the database, or only the documents stored on the file system.
    Use one of the following customer_overrides.properties settings, depending on your requirements:
    security.ENC_DECR_DOCS=ENC_ALL {Encrypt all documents}
    security.ENC_DECR_DOCS=ENC_DB {Encrypt only the documents stored in the database}
    security.ENC_DECR_DOCS=ENC_FS {Encrypt only the documents stored on the file system}

 

  • Disabling document encryption is simple; use this customer_overrides.properties setting:
    security.ENC_DECR_DOCS=NONE
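The settings above are the whole configuration surface, and because the default is no encryption, a missing or NONE value is the weak state a reviewer should catch. The following script is an added example, not IBM's code: it parses a customer_overrides.properties file with Java .properties rules (key=value or key: value, '#' and '!' comments, whitespace around the separator trimmed, last assignment wins) and reports whether security.ENC_DECR_DOCS and security.CERT_NAME match the recommended ENC_ALL configuration. The property names and values are the ones shown on this page; the sample file contents are constructed here, and the four constructed samples cover the unset default, NONE, a single-location mode, and the recommended setting.

```python
"""Audit a Sterling B2B Integrator customer_overrides.properties for the
document encryption settings (added example, not IBM's own code)."""

from typing import Dict, List

# Values documented for security.ENC_DECR_DOCS on this page.
VALID_MODES = {"ENC_ALL", "ENC_DB", "ENC_FS", "NONE"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser.

    '#' or '!' starts a comment line, '=' or ':' separates key and value,
    whitespace around both is trimmed (so 'CERT_NAME= NewDocEncCert' yields
    'NewDocEncCert'), and a repeated key keeps its last assignment."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Use whichever separator appears first on the line.
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            props[line] = ""  # bare key with an empty value
            continue
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def audit_document_encryption(props: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means ENC_ALL with a named certificate."""
    findings: List[str] = []
    mode = props.get("security.ENC_DECR_DOCS")
    if mode is None:
        findings.append("security.ENC_DECR_DOCS is not set: the default is no encryption")
    elif mode not in VALID_MODES:
        findings.append(f"security.ENC_DECR_DOCS has an unrecognised value {mode!r}")
    elif mode == "NONE":
        findings.append("security.ENC_DECR_DOCS=NONE: payloads are stored unencrypted")
    elif mode in ("ENC_DB", "ENC_FS"):
        findings.append(
            f"security.ENC_DECR_DOCS={mode}: only one storage location is "
            "encrypted; ENC_ALL is recommended"
        )
    # A certificate reference only matters when encryption is actually on.
    if mode not in (None, "NONE") and not props.get("security.CERT_NAME"):
        findings.append(
            "security.CERT_NAME is not set: the predefined system certificate "
            "will be used instead of a dedicated document encryption certificate"
        )
    return findings


# Constructed sample files (not taken from any real installation).
DEFAULT_OVERRIDES = "# customer_overrides.properties with no encryption settings\n"
WEAK_OVERRIDES = "security.ENC_DECR_DOCS=NONE\n"
PARTIAL_OVERRIDES = "security.ENC_DECR_DOCS=ENC_DB\nsecurity.CERT_NAME=docenccert\n"
RECOMMENDED_OVERRIDES = (
    "! document encryption turned on for every payload\n"
    "security.ENC_DECR_DOCS=ENC_ALL\n"
    "security.CERT_NAME= NewDocEncCert\n"
)


if __name__ == "__main__":
    samples = {
        "default": DEFAULT_OVERRIDES,
        "weak": WEAK_OVERRIDES,
        "partial": PARTIAL_OVERRIDES,
        "recommended": RECOMMENDED_OVERRIDES,
    }
    for name, text in samples.items():
        findings = audit_document_encryption(parse_properties(text))
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

To audit a real installation, replace the constructed samples with the contents of the customer_overrides.properties under your Sterling B2B Integrator properties directory. The script reads the file only; it does not change any setting, and any change you make still requires the restart noted in the FAQ below.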

 

FAQ:

Q 1> The document encryption certificate has expired. How do I replace it with a new certificate?

Ans 1> Create a new document encryption certificate. Example: NewDocEncCert

Reference the new certificate in customer_overrides.properties:

security.CERT_NAME=NewDocEncCert

Note that the change takes effect only after IBM Sterling B2B Integrator is restarted.

 

Q 2> If I replace the document encryption certificate with a new certificate, can the documents that were encrypted with the old certificate still be retrieved?

Ans 2> As long as you do not delete the old document encryption certificate, those documents can still be retrieved.

 

Q 3> I did not have document encryption on. I want to turn on document encryption now. Does this encrypt the documents that were created before document encryption was on?

Ans 3> Document encryption and decryption are applied only after document encryption is turned on. Documents that existed before document encryption was turned on are not encrypted.

 

Q 4> Why does IBM Sterling B2B Integrator provide the option of encrypting all documents, only the documents stored on the file system, or only the documents stored in the database?

Ans 4> IBM Sterling B2B Integrator lets you store the payload or document on the file system, in the database, or in both (depending on the global setting, which you can override in individual processing).

If you decide to turn on document encryption, it is recommended to turn it on for all documents (ENC_ALL) so that every document is protected. But you have the choice to turn on document encryption only for documents stored on the file system or only for documents stored in the database.

 

Q 5> I want to turn off document encryption. What is the security risk?

Ans 5> The purpose of turning on document encryption is to safeguard the document/payload at rest. If you turn off document encryption, the document/payload is not stored in encrypted form, and there is a risk of the data at rest being tampered with.

 

Q 6> Is there a performance impact with document encryption enabled?

Ans 6> Performance is impacted when encryption is enabled, but the size of the impact varies with the hardware, the number and size of documents being processed, and the share of a given server's processing time spent on document persistence and retrieval rather than on other activities.


UID

ibm11120683