Title: CubeOne: An Ideal "Data-at-rest, Column-level Encryption Solution" for High-Transaction, Downtime-Sensitive DBs
1. CubeOne™: An Ideal "Data-at-rest, Column-level Encryption Solution" for High-Transaction, Downtime-Sensitive DBs
2. Vendor Overview
Vision
- eGlobal Systems Co., Ltd. has extensive experience and expertise in DB tools.
- It developed CubeOne, a solution for data-at-rest, column-level encryption.
- Developing an ideal solution for DB encryption is our goal:
  - Prevent the outflow of important information and minimize security threats.
  - Eliminate any factors that cause downtime.
History
- 2004. 10. Established (Hee Chang Kang, President)
- 09. Contract to Quest S/W Sales Partner
- 2005. 12. Announced CubeOne
- 2006. 01. Registered trademark of CubeOne
- 2006. 03. Registered as Venture Company
- 2006. 08. Certified to ISO9001
Customer
- Approximately 20 companies in Korea
3. Financial Loss by Security Problems
- Cyber Fraud: 6,015
- Laptop Robbery: 11,766
- System Intrusion: 13,055
- Sabotage: 15,134
- Service Denial: 18,370
- Virus: 49,979
- Abuse by Employee: 50,099
- Financial Fraud: 115,753
- Outflow of Secret Information/DB: 170,827
High damage and loss are caused by employees or contractors inside the company who can (are permitted to) access the DB.
Source: Information Security Magazine (Unit: USD 1,000)
4. Security Threats vs. Solution
5. Type of Security Solution
CubeOne is the core, fundamental DB security solution for preventing data outflow from the inside out.
Layers, from data outflow (inside) to access from outside:
- DB Encryption: CubeOne
- DB Access Control/Audit
- OS/SecureOS
- IPS: in-line traffic defense, detection and prevention
- IDS: detects and protects the data passed over the firewall
- Firewall: based on service policy
6. Positioning of DB Security Solution
[Chart: DB Encryption and Access Control/Audit compared on DB Performance, Unauthorized Access, Data Outflow and Auditing; scale 0 to 100]
7. DB Security Solution Coverage
[Chart: Access Control/Audit and Database Encryption compared on Blockade Source of Data, Database Performance, Access Control and Log Audit; scale 0 to 100]
8. DB Encryption vs. Access Control/Audit
Type: DB Encryption
Feature
- Fundamentally blocks the source of data
- Encrypts the important data in the DB
- Software solution
- Impossible to decrypt when data outflow occurs
- Divides DB admin and security management
Solution
- CubeOne
- DAmo
- SafeDB
- XcureDB
- Secure.Data
- DG/4
Type: Access Control Audit
Feature
- Controls DB access by unauthorized persons
- Control by user, IP, application, time, etc.
- Audit AFTER the data outflow/forgery occurred
- Requires changes to application/configuration -> hard to set up
- Requires developing a logging method for jobs inside the DB server
Solution
- Sharkra
- DB Safer
- MiddleMan
- dGriffin
- Net Logger
- InTruth / Quest
9. What is CubeOne?
- CubeOne is the high-performance, high-capacity on-line DB security solution with Data Encryption, Access Control and Audit (for encrypted data) features.
Hi-capacity
- Supports thousands or millions (unlimited) of data encryptions
- Supports high-volume data transactions
Hi-performance
- Advanced Index Search of encrypted data (Equality/Front search, etc.)
- No application change
- Standard algorithms for encryption: AES, DES, 3DES, SEED, ARIA
ZERO Down time
- Down time nearly ZERO
- Minimizes the initial data encryption time for huge-volume data (locking time 0.1 sec - 5 min.)
10. CubeOne Basic Security Features
High Security Level
- Crypto algorithm support: AES, 3DES, DES, SEED, ARIA
- Encryption key management: unique key for each column
- Checksum: integrated checksum to protect against modification of the DB
- Full Time IV (Initial Vector) support
  - Creates a random vector during encryption
  - Generates a different encryption result for the same data source every time
- Log Fail/Success Accesses: makes an access log for the encrypted data; logs update/modify/deploy when the security policy changes
Robust Access Control
- Protects data from forgery/modification/improper use by internal authorized users
- Protects data from developers/outsourced engineers
- Protects data from the Super User
- Access control method
  - Column-level access control: applies rules at column or role level
  - Access control by user, IP, application, time frame, time period
11. CubeOne Basic Security Features
Divide the authority of DB Admin. and Security Admin.
Support the Audit Log of access to the encrypted data
- CubeOne Audit Log
  - DBMS user log-in information
  - Log of Select, Update, Delete, Insert; success/fail access information
  - Invoke/hold information of the Encryption/Decryption module
  - User expiration information
- CubeOne Policy Log (access control policy setup/modification log)
  - Set/unset information of the Encryption/Decryption items
  - Set/unset information of the authorized user or workgroup for the encrypted data
  - Security level change information of the user/workgroup
  - Creation/deletion/modification information of the workgroup, object key
12. CubeOne - Structure
13. CubeOne Distinguished Features
Zero down time
- CubeOne: on-line set-up / zero down time
- Other vendors: off-line set-up / stop the DB
- Advantage: in service during the encryption
Advanced Index Search
- CubeOne: Advanced Index Search for the encrypted data
- Other vendors: full table scan required
- Advantage: usable in a realistic DB environment (100 times faster compared to full scan)
Transparency to application
- CubeOne: no need to change the AP; keeps the DB constraint information automatically
- Other vendors: need to change the AP and DB
- Advantage: easy set-up by the DBA; removes possible problems after set-up
Fast building time
- CubeOne: fast building time, 90 min for 10M records
- Other vendors: longer time, 5 hrs for 10M records; post work required after set-up
- Advantage: fast process, saves time
Access Control Audit
- CubeOne: strong and various features
- Other vendors: basic features
- Advantage: column level, by user/IP/time, etc.
Support Platform
- Oracle 8.1.6 or higher version, 10g / RAC
- Solaris, HP-UX, AIX, Linux, Digital TRU64
- Sun Solaris, HP-UX, AIX, Linux
14. CubeOne - Query Performance
Others (full scanning occurred) vs. CubeOne (Index Search)
Data size: 11M Enc/Dec. Result: 1 result for search, 10 results for other searches.
Avg. 154 times!
15. CubeOne - Performance comparison
16. Essential factors in choosing a DB Encryption solution (Column Level / Data-at-Rest type)

Feature: Index Search of the Encrypted data (, Like, Between, <, >, ...)
Importance: One of the major purposes of using a DB is Advanced Index Search. Index Search should be possible after data encryption.
Description:
- After encryption the data is converted to random values/characters. This disables Index Search and requires a full table scan.
- DB server performance slows down extremely.
- -> CubeOne supports Advanced Index Search!

Feature: Keep the existing table Dependency Constraint info.
Importance: A DB table contains various Constraint info (PK, FK) and Dependency info (View, Trigger, Index, Grant, Comment, PKG, Proc., Func.). This should be kept on the newly encrypted table.
Description:
- If not, manual work is required to keep the Dependency and Constraint info.
- -> Takes a long time, high system failure rate
- -> CubeOne is transparent to any application!

Feature: Zero Down time On-line set-up
Importance: Initial encryption will take a long time (approx. 10 hrs for the 20M table), and the DB should be in service during the initial setup.
Description:
- Otherwise the DB cannot provide any service during the setup.
- -> Cost and time loss, hard to work
- -> CubeOne supports On-line setup!

Feature: Initial Vector
Importance: Create a random vector during encryption and generate a different encryption result every time for the same data source.
Description:
- If not, the encrypted data can be easily decrypted by analogy.
- Weak security
- CubeOne supports the IV (Initial Vector)!
17. Competitor Analysis
eGlobal/ CubeOne
Protegrity/ Secure.Data
PentaSecurity/ DAMO
IniTech/ SafeDB
Advanced Index Searching
NA (Limited search by extra SQL Programming)
NA (Equality search only with appl.
change) (Full Scan for the other search)
Index Search for the Encrypted data
NA (Equality search only with appl. Change) (Full
Scan for the other search)
100/Automatically
NA
NA
Keep the existing table Dependency
Constraint Info.
NA
Zero Down Time On-line Setup
Off-line Setup (Approx. 10hrs for 20M Enc/Dec.)
Off-line Setup (Approx. 10hrs for 20M Enc/Dec.)
Zero Down Time On-line Setup
Off-line Setup (Approx. 10hrs for 20M Enc/Dec.)
Full time Initial vector
Initial Vector
NA for the Equality Search
Initial Vector
NA for the Equality Search
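The Initial Vector rows in slides 16 and 17 describe a trade-off that is easier to see in code. The sketch below is an added example, not vendor code and not a description of how CubeOne works: it encrypts a constructed column once with a constant IV and once with a fresh random IV, then compares what the stored ciphertexts reveal. The HMAC-SHA256 keystream stands in for the AES/SEED/ARIA ciphers the slides name, and all names (`KEY`, `GRADES`, `compare_modes`, and so on) are assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

KEY = bytes(range(32))   # constructed demo key (the slides describe one key per column)
FIXED_IV = bytes(16)     # constant IV, i.e. deterministic encryption
GRADES = [b"A", b"B", b"A", b"C", b"A", b"B"]  # constructed low-cardinality column

def _keystream(key, iv, n):
    # Stand-in for a block cipher in counter mode: HMAC-SHA256(key, iv || counter).
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key, plaintext, iv=None):
    # iv=None draws a fresh random 16-byte IV, stored in front of the ciphertext.
    iv = os.urandom(16) if iv is None else iv
    stream = _keystream(key, iv, len(plaintext))
    return iv + bytes(p ^ s for p, s in zip(plaintext, stream))

def decrypt(key, blob):
    iv, body = blob[:16], blob[16:]
    return bytes(c ^ s for c, s in zip(body, _keystream(key, iv, len(body))))

def repeated_values(column):
    # What a reader of the stored column learns without the key:
    # how many distinct ciphertexts occur more than once.
    return sum(1 for n in Counter(column).values() if n > 1)

def equality_hits(column, probe):
    # Equality search done by encrypting the search term and comparing ciphertexts.
    return sum(1 for stored in column if stored == probe)

def compare_modes():
    fixed = [encrypt(KEY, v, FIXED_IV) for v in GRADES]
    rand = [encrypt(KEY, v) for v in GRADES]
    return {
        "fixed_iv": (repeated_values(fixed), equality_hits(fixed, encrypt(KEY, b"A", FIXED_IV))),
        "random_iv": (repeated_values(rand), equality_hits(rand, encrypt(KEY, b"A"))),
    }
```

With the constant IV, equal plaintexts give equal ciphertexts, so the column's value distribution is visible without the key; with a random IV nothing repeats, and an equality search that compares ciphertexts finds no rows, which is the trade-off the "NA for the Equality Search" entries point to.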
18. CubeOne vs App. Encryption Module

Feature: Index Search for the encrypted data
- CubeOne: when the encrypted column is used as the PK of the Index Search -> advanced, complete Index Search
- App. Encryption Module: when the encrypted column is used as the PK of the Index Search, limited to the Equality Search only; cannot be used for DB analysis purposes like CRM, DW, etc.

Feature: Transparency to Application
- CubeOne: transparent to the App. SQL -> instant on-line setup
- App. Encryption Module: App. change required -> off-line setup

Feature: Security Level
- CubeOne: standard algorithm; elaborate secure key management system (5 levels); access control/audit feature
- App. Encryption Module: proprietary (non-standard) algorithm -> poor security level; no access control/audit feature -> able to access the DB through the user ID of the App.

Feature: Initial Vector
- CubeOne: Initial Vector
- App. Encryption Module: NO Initial Vector; easy to decrypt by analogy -> poor security level
19. CubeOne vs API Solution (App. Encryption Module)

Feature: Role Division
- CubeOne: divides the roles of DB Admin. and DB Security Admin. -> managed by security policy
- App. Encryption Module: impossible -> one DBA has the full authority -> low security level

Feature: Developer ID
- CubeOne: separates the developer ID; developers are unable to access the important data
- App. Encryption Module: unable to manage the ID by user -> low security level

Feature: Maintenance
- CubeOne: transparent to App. change/redesign
- App. Encryption Module: dependent on App. change/redesign
20. Storage space for the Data Encryption
Data encryption size unit: 16 bytes
Example: 2 bytes -> 16 bytes, 15 bytes -> 16 bytes, 17 bytes -> 32 bytes
21. CubeOne UI: Setup security policy
22. CubeOne UI: Encryption Manager
23. CubeOne UI: Dependency
24. CubeOne UI: Encrypt PK column
25. CubeOne UI: Encryption Wizard
26. CubeOne UI: On-Line Encryption
27. DB Encryption Market Trend
Global market
- US market: many file encryption solutions are in the market, but Protegrity is the only player in the DB encryption market
- Japan market: no local solution vendors in the DB encryption market area
CubeOne
28. References