An “Encryption of Data at Rest” report was produced by PwC. Within the content, a number of recommendations were made.
The primary recommendation was that the University should continue to progress with the Oracle Advanced Security solution. It was agreed that this supported the intended development of the Enterprise Data Warehouse (EDW) and that a project should be initiated to progress.
At a high level, the scope of this project is to undertake:
- A review of the outcomes from project DTI021 EDW – Embed & Optimise and complete any outstanding tasks relating to the Oracle Advanced Security solution and Transparent Data Encryption (TDE).
- Agree a satisfactory solution for key management which does not compromise the security of the TDE solution.
- Implementation of TDE across the EDW.
The project DTI021 will:
- Create a 2nd staging/foundation database in EDW dev environment (CDTDED/TDEDEV).
- Enable table-space encryption on this database with the AES256 algorithm (the default is AES128).
- Set up encryption keys on the server (software key-store, not auto-login).
- Re-point the Extract-Transformation-Load (ETL) code to go via the new encrypted database.
- Compare the ETL code running on the encrypted database against code running on the standard staging/foundation database to review performance.
At a more detailed level, the scope of this project is to undertake:
- Review the outcome from DTI021 investigation.
- Make a decision on the encryption algorithm (this could affect performance and affect the complexity of table-space creation).
- Determine the encryption key to be used (password, auto-login, local auto-login).
- Key-store type, location and management to be reviewed (software/hardware, separate infrastructure, key-store VM, security).
- Risks of TDE implementation to be reviewed alongside requirements and benefits (mainly around security of key-store, added complexity for admin of db, encryption cannot easily be removed once implemented, if the password is lost)
- Undertake performance testing.
- Determine the procedures and test standard administration tasks (backup/recovery, exports, key-store password change, creating new encrypted table-spaces).
The initial objective is to understand what work has already been undertaken in terms of prior preparation, what tasks have yet to be fulfilled and who as resource are available and skilled to complete.
The second objective focuses on execution and delivery of the security solution, including security key management.
|Objectives and Deliverables||Priority||Owner|
|O.1 Understanding of technical requirements|
D1.1 Work identified and to be carried forward from DTI021 project
|D2.1 Trial environment has been set-up and is available for use||Should||Development Technology|
|O.2 Progression of encryption at rest solution|
|D2.1 The encryption algorithm to be used, the encryption key and where it is to be securely stored||Must||Development Technology|
|D2.2 A review of the implementation plan, risks, requirements and delivery benefits||Must||Development Technology|
D3.3 Performance testing (agreement would need to be reached that the results from DTI021 are satisfactory)
|D3.4 Implementation||Must||Development Technology/Technology Management|
|O.3 Project documentation will be maintained for future use|
|D3.1 Essential go-live documentation has been written and maintenance administration proven||Must||Development Technology|
|D3.2 Supplementary supporting documentation has been written and maintenance administration proven||Should||Development Technology|
|D3.3 Instructions have been shared with Production Management||Must||Development Technology/Technology Management|
|O.4 Document all completed/outstanding work at project end|
|D4.1 Produce a project closure report||Must||Project Manager|
The safe guard of both present and future data that is/will be contained in the Enterprise Data Warehouse.
A working advanced security solution in the Enterprise Data Warehouse.
|Build||Deployment to Development Environment||01-Jul-2019|
|Build||Deployment to Test Environment||08-Jul-2019|
|Accept||Test Completion Sign-off||12-Jul-2019|
|Deliver||Deployment Go-live Sign-off||30-Jul-2019|