CubeOne: An Ideal Data-at-rest, Column-level Encryption Solution for High Transactions and Sensitive of - PowerPoint PPT Presentation

Slides: 29
Provided by: conra8
1
CubeOne™: An Ideal "Data-at-rest, Column-level Encryption Solution" for High-Transaction, Downtime-Sensitive DBs
2
Vendor Overview
Vision
  • eGlobal Systems Co., Ltd. has extensive experience and expertise in DB tools.
  • It developed CubeOne, a solution for data-at-rest, column-level encryption.
  • Developing an ideal solution for DB encryption is our goal:
  • - Prevent the outflow of important information and minimize security threats.
  • - Eliminate any factors that cause downtime.

History
  • 2004. 10. Established (Hee Chang Kang, President)
  • 09. Contract to Quest S/W Sales Partner
  • 2005. 12. Announced CubeOne
  • 2006. 01. Registered trade mark of CubeOne
  • 2006. 03. Registered as Venture Company
  • 2006. 08 Certified to ISO9001

Customer
Approximately 20 Companies in Korea
3
Financial Loss by Security Problems
  • Cyber Fraud: 6,015
  • Laptop Robbery: 11,766
  • System Intrusion: 13,055
  • Sabotage: 15,134
  • Service Denial: 18,370
  • Virus: 49,979
  • Abuse by Employee: 50,099
  • Financial Fraud: 115,753
  • Outflow of Secret Information/DB: 170,827
High damage and loss are caused by employees or contractors inside the company who can (are permitted to) access the DB.
Source: Information Security Magazine (Unit: USD 1,000)
4
Security Threats vs. Solution
5
Type of Security Solution
CubeOne is the core, fundamental DB security solution for protecting against data outflow from the inside out.
Diagram axis labels: Data outflow / Access from outside
  • DB Encryption: CubeOne
  • DB Access Control/Audit
  • OS/SecureOS
  • IPS: in-line traffic defense (detection and prevention)
  • IDS: detects and protects the data passed over the firewall
  • Firewall: based on service policy
6
Positioning of DB Security Solution
[Chart: DB Encryption vs. Access Control/Audit, plotted on a 0-100 scale against DB Performance, Unauthorized Access, Data Outflow and Auditing]
7
DB Security Solution Coverage
[Chart: Access Control/Audit vs. Database Encryption, plotted on a 0-100 scale against Blockade Source of Data, Database Performance, Access Control and Log Audit]
8
DB Encryption vs. Access Control/Audit

Type: DB Encryption
Solutions: CubeOne, DAmo, SafeDB, XcureDB, Secure.Data, DG/4
Features:
  • Fundamentally blockades the source of the data
  • Encrypts the important data in the DB
  • Software solution
  • Data cannot be decrypted when it flows out
  • Divides DB administration and security management

Type: Access Control / Audit
Solutions: Sharkra, DB Safer, MiddleMan, dGriffin, Net Logger, InTruth / Quest
Features:
  • Controls DB access by unauthorized persons
  • Controls by user, IP, application, time, etc.
  • Audits AFTER the data outflow/forgery has occurred
  • Requires changes to the application/configuration -> hard to set up
  • Requires developing a logging method for jobs inside the DB server

9
What is CubeOne ?
  • CubeOne is the high-performance, high-capacity on-line DB security solution with data encryption and access control/audit (for encrypted data) features.

Hi-capacity
  • Supports thousands or millions of (unlimited) data encryptions
  • Supports high-volume data transactions

Hi-performance
  • Advanced Index Search of encrypted data (equality/front search, etc.)
  • No application change
  • Standard algorithms for encryption: AES, DES, 3DES, SEED, ARIA

ZERO Down time
  • Down time nearly ZERO
  • Minimizes the initial data encryption time for huge-volume data (locking time 0.1 sec - 5 min.)

10
CubeOne Basic Security Features
High Security Level
  • Crypto algorithm support: AES, 3DES, DES, SEED, ARIA
  • Encryption key management: unique key for each column
  • Checksum: integrated checksum to protect against modification of the DB
  • Full-time IV (Initial Vector) support
  • - Creates a random vector during encryption
  • - Generates a different encryption result for the same source data every time
  • Log of failed/successful accesses: keeps an access log for the encrypted data; logs update/modify/deploy when the security policy changes

Robust Access Control
  • Protects the data from forgery, modification and improper use by internal authorized users
  • Protects data from developers/outsourcing engineers
  • Protects data from the Super User
  • Access control method
  • - Column-level access control: apply the rule at column or role level
  • - Access control by users, IP, application, time frame, time period

11
CubeOne Basic Security Features
Divides the authority of DB Admin. and Security Admin.
Supports an audit log of access to the encrypted data
  • CubeOne Audit Log
  • - DBMS user log-in information
  • - Log of Select, Update, Delete, Insert, and success/fail access information
  • - Invoke/hold information of the Encryption/Decryption module
  • - User expiration information
  • CubeOne Policy Log (access control policy setup/modification log)
  • - Set/unset information of the Encryption/Decryption items
  • - Set/unset information of the authorized user or workgroup for the encrypted data
  • - Security level change information of the user/workgroup
  • - Creation/deletion/modification information of the workgroup and object key

12
CubeOne - Structure
13
CubeOne Distinguished Features
Zero down time
  • CubeOne: On-line set-up / zero down time
  • Other vendors: Off-line set-up / stop the DB
  • Advantage: In service during the encryption

Advanced Index Search
  • CubeOne: Advanced Index Search for the encrypted data
  • Other vendors: Full table scan required
  • Advantage: Usable in a realistic DB environment (100 times faster compared to a full scan)

Transparency to application
  • CubeOne: No need to change the AP; DB constraint information is kept automatically
  • Other vendors: Need to change the AP and DB
  • Advantage: Easy set-up by the DBA; removes possible problems after set-up

Fast building time
  • CubeOne: Fast building time, 90 min for 10M records
  • Other vendors: Longer time, 5 hrs for 10M records; post work required after set-up
  • Advantage: Fast process, saves time

Access Control Audit
  • CubeOne: Strong and various features
  • Other vendors: Basic features
  • Advantage: Column level, by user/IP/time, etc.

Support Platform
  • Oracle 8.1.6 or higher version, 10g / RAC
  • Solaris, HP-UX, AIX, Linux, Digital TRU64
  • Sun Solaris, HP-UX, AIX, Linux

14
CubeOne - Query Performance
[Chart: Others (full scan occurred) vs. CubeOne (Index Search)]
Data size: 11M Enc/Dec. Result: 1 result for search, 10 results for other searches.
Avg. 154 times!
15
CubeOne - Performance comparison
16
Essential factors for choosing a DB Encryption solution (Column Level / Data-at-Rest type)

Feature: Index Search of the encrypted data (=, Like, Between, <, >, ...)
Description: One of the major purposes of using a DB is the Advanced Index Search. Index Search should remain possible after data encryption.
Importance:
  • After encryption the data is converted to random values/characters. This disables the Index Search and requires a full table scan.
  • DB server performance slows down extremely.
  • -> CubeOne supports Advanced Index Search!

Feature: Keep the existing table Dependency/Constraint info
Description: A DB table contains various Constraint info (PK, FK) and Dependency info (View, Trigger, Index, Grant, Comment, PKG, Proc., Func.). This should be kept on the newly encrypted table.
Importance: If not, manual work is required to keep the Dependency and Constraint info. -> Requires a long time, high system failure rate -> CubeOne is transparent to any application!

Feature: Zero Down time / On-line set-up
Description: Initial encryption takes a long time (approx. 10 hrs for a 20M table), and the DB should be in service during the initial setup.
Importance: Otherwise the DB cannot provide any service during the setup. -> Cost and time loss, hard to work -> CubeOne supports on-line setup!

Feature: Initial Vector
Description: Create a random vector during encryption and generate a different encryption result every time for the same source data.
Importance:
  • If not, the encrypted data can easily be decrypted by analogy.
  • Weak security
  • CubeOne supports the IV (Initial Vector)!
17
Competitor Analysis
Vendors/products compared: eGlobal/CubeOne, Protegrity/Secure.Data, PentaSecurity/DAMO, IniTech/SafeDB

Index Search for the Encrypted data
  • CubeOne: Advanced Index Searching
  • Other vendors: NA (limited search by extra SQL programming); NA (equality search only, with appl. change; full scan for the other searches)

Keep the existing table Dependency/Constraint Info.
  • CubeOne: 100/Automatically
  • Other vendors: NA

Zero Down Time On-line Setup
  • CubeOne: Zero Down Time On-line Setup
  • Other vendors: Off-line Setup (approx. 10 hrs for 20M Enc/Dec.)

Initial Vector
  • CubeOne: Full-time Initial Vector
  • Other vendors: Initial Vector; NA for the Equality Search
18
CubeOne vs App. Encryption Module

Feature: Index Search for the encrypted data
  • CubeOne: When the encrypted column is used as the PK of the Index Search -> advanced, complete Index Search
  • App. Encryption Module: When the encrypted column is used as the PK of the Index Search, limited to the Equality Search only; cannot be used for DB analysis purposes like CRM, DW, etc.

Feature: Transparency to Application
  • CubeOne: Transparent to the App. SQL -> instant on-line setup
  • App. Encryption Module: App. change required -> off-line setup

Feature: Security Level
  • CubeOne: Standard algorithm; elaborate secure key management system (5 levels); access control/audit feature
  • App. Encryption Module: Proprietary (non-standard) algorithm -> poor security level; no access control/audit feature -> the DB can be accessed through the user ID of the App.

Feature: Initial Vector
  • CubeOne: Initial Vector
  • App. Encryption Module: NO Initial Vector; easy to decrypt by analogy -> poor security level
19
CubeOne vs API Solution (App. Encryption Module)

Feature: Role Division
  • CubeOne: Divides the roles of DB Admin. and DB Security Admin. -> managed by security policy
  • App. Encryption Module: Impossible -> one DBA has the full authority -> low security level

Feature: Developer ID
  • CubeOne: Separates the developer ID; developers are unable to access the important data
  • App. Encryption Module: Unable to manage IDs by user -> low security level

Feature: Maintenance
  • CubeOne: Transparent to App. change/redesign
  • App. Encryption Module: Dependent on App. change/redesign
CubeOneTM ??? ??? Advanced Index Searching
? ?? !
20
Storage space for the Data Encryption
@ Data encryption size unit: 16 bytes
Example) 2 bytes -> 16 bytes, 15 bytes -> 16 bytes, 17 bytes -> 32 bytes
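The IV slides and the 16-byte storage unit above can be seen together in the following sketch, which is an added example and not code from the presentation or from CubeOne. It assumes CBC mode with PKCS#7 padding and an IV stored in front of each value, and it uses a 4-round HMAC-based Feistel permutation as a stand-in for AES so that it runs on the Python standard library alone; all function names are illustrative.

```python
import hashlib, hmac, os
from collections import Counter

BLOCK = 16  # storage unit named on slide 20

def round_fn(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_block_encrypt(key, block):
    """4-round Feistel permutation on 16 bytes: a stand-in for AES, not AES."""
    left, right = block[:8], block[8:]
    for i in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, round_fn(key, i, right)))
        left, right = right, mixed
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK  # assumed scheme: always adds 1..16 bytes
    return data + bytes([n]) * n

def cbc_encrypt(key, plaintext, iv):
    """CBC over the toy cipher; returns the ciphertext without the IV."""
    prev, out = iv, b""
    padded = pkcs7_pad(plaintext)
    for off in range(0, len(padded), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(padded[off:off + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out += prev
    return out

def encrypt_column(key, values, random_iv):
    """With random_iv, a fresh 16-byte IV is stored in front of each value."""
    rows = []
    for value in values:
        iv = os.urandom(BLOCK) if random_iv else bytes(BLOCK)
        ct = cbc_encrypt(key, value, iv)
        rows.append(iv + ct if random_iv else ct)
    return rows

def largest_equal_group(rows):
    """Largest set of identical stored values visible to a reader of the table."""
    return max(Counter(rows).values())

# Constructed sample: a low-cardinality column with repeated values
KEY = bytes(range(32))
COLUMN = [b"A+", b"O-", b"A+", b"A+", b"B+", b"O-"]

if __name__ == "__main__":
    for random_iv in (False, True):
        print(random_iv, largest_equal_group(encrypt_column(KEY, COLUMN, random_iv)))
```

With the fixed IV the three equal plaintexts appear as three equal ciphertexts, which is the "decrypt by analogy" weakness the slides describe; the same property is what allows equality matching directly on ciphertext. Under the assumed PKCS#7 padding a value of exactly 16 bytes grows to 32, and a stored IV adds another 16 bytes per value.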
21
CubeOne UI Setup security policy
22
CubeOne UI Encryption Manager
23
CubeOne UI Dependency
24
CubeOne UI Encrypt PK column
25
CubeOne UI Encryption Wizard
26
CubeOne UI On-Line Encryption
27
DB Encryption Market Trend
Global market
  • US market: many file encryption solutions are in the market, but Protegrity is the sole player in the DB encryption market
  • Japan market: no local solution vendors in the DB encryption market area

CubeOne
28
References