Lawson - Technology Customer Community [READ ONLY]
Lawson database encryption - questions
s-fonley
Hi All - we are discussing encrypting our Lawson databases.....I opened a case with Lawson and got some good information on the subject....I would also like to get some feedback from this forum.....
1) Has anyone set up "Data at Rest" on your Lawson databases?
2) If so, have there been any issues with batch or online application access?
3) How will BSI and Ceridian extract be affected communicating with an encrypted database?
4) What query tools are available for HR users to query Lawson data? I'm guessing SQL Server and Microsoft Access will not be able to be used?
5) Will LBI work with an encrypted database?
Your input would be appreciated.....
thanks!
Colleen Kelly
General Nutrition, Inc.
Comments
serafino
"Data at Rest" means the data is encrypted on disk inside the database. It is transparent to the client, who has no idea about any data encryption.
To put it simply, a user who has access to a datafile that is NOT encrypted can open it with various tools and see actual data. He won't need to log into the database and run SQL -- data is stored in clear text. There may not be any recognizable organization to the file, but if he has the patience to look through it entirely, he may get valid name-SSN pairs or other sensitive data.
With "Data at Rest" encryption, the actual datafile is encrypted on disk. The same user with the same OS permissions can open the encrypted file, but he cannot read data because it is encrypted in the disk file. Nothing can be read or even recognized as "interesting" data.
Data at Rest encryption does not affect access to the data in any way. If you have a valid database username and have permissions to read the data, there is nothing that will prevent applications from running correctly. All database queries will run as before, as well as BSI, LBI, Crystal, and/or any other applications you have been using.
However, an encrypted database CANNOT transport a tablespace. This is because the encrypted files will not be readable by another database instance -- even with the same password. Each instance creates its own (presumably) unique encryption key. Moving data around to a second database for testing or DR preparedness requires other means of getting the data out. And, since the database knows it's encrypted, it is more strict about giving up its secrets - even to the DBA.
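Added example, not part of the thread and not Infor or database vendor code: a check a DBA could run on a copy of a datafile to confirm what the comment above describes, namely that with only OS-level read access the unencrypted file yields SSN-like strings while the encrypted one looks like noise. The page size, entropy threshold, sample rows and `toy_encrypt` stand-in cipher are all assumptions constructed for the demonstration.

```python
import hashlib, math, re
from collections import Counter

PAGE_SIZE = 4096          # assumption: page size used for this sketch
ENTROPY_FLOOR = 7.5       # assumption: bits/byte below this is treated as not encrypted
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for ciphertext, much lower for row data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_datafile(blob: bytes) -> dict:
    """Report what someone with only OS-level read access could see in the file."""
    pages = [blob[i:i + PAGE_SIZE] for i in range(0, len(blob), PAGE_SIZE)]
    low = [i for i, p in enumerate(pages) if shannon_entropy(p) < ENTROPY_FLOOR]
    hits = len(SSN_RE.findall(blob))
    return {"pages": len(pages), "low_entropy_pages": low,
            "ssn_like_hits": hits, "looks_encrypted": not low and hits == 0}

def build_sample_datafile(rows: int = 400) -> bytes:
    """Constructed sample: fake employee rows, zero-padded to whole pages."""
    recs = [b"EMP%05d|Employee %d|%03d-%02d-%04d|"
            % (i, i, 100 + i % 800, 10 + i % 89, 1000 + i) for i in range(rows)]
    data = b"\x00" * 64 + b"".join(recs)
    return data + b"\x00" * (-len(data) % PAGE_SIZE)

def toy_encrypt(blob: bytes, key: bytes) -> bytes:
    """Stand-in for the database's at-rest encryption (SHA-256 counter keystream
    XOR). For demonstration only; not a real cipher mode and not how any
    database product implements it."""
    out = bytearray()
    for off in range(0, len(blob), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(blob[off:off + 32], ks))
    return bytes(out)

if __name__ == "__main__":
    clear = build_sample_datafile()
    print("unencrypted:", audit_datafile(clear))
    print("encrypted:  ", audit_datafile(toy_encrypt(clear, b"constructed-demo-key")))
```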
lbecker
In a practical sense, only DBAs and SysAdmins are able to browse the datafiles on Unix Systems. You don't really gain much security on the server since these staff people have authority to do just about anything they want in the first place.
Where encryption really adds security is off the server, such as backups. Sometimes the off-site backup tapes go 'missing' and nobody knows what happened to them. Or, some non-DBA restores the backup files to another system where they can do anything they want, but not if it's encrypted.
serafino
Yes, Jack, that is true -- if someone bothers to set filesystem security up correctly. I can't speak for others, but Oracle has a way to forbid DBA roles from viewing data that's not theirs, so the "anything they want" problem can be eliminated from this equation. Regardless of DBA security or datafile encryption, you can encrypt backups using a variety of methods, including a pipe through crypt right to the tape if necessary.
My point about data being encrypted on disk was to explain *exactly* what it means and how it affects the applications accessing the database. I believe that was the scope of the question. Security implications of unencrypted tapes leaving the site for possible delivery into the abyss never entered my mind - I imagine Colleen's already got something in place for that.
s-fonley
Hi Sal and Jack -
Thank you both for replying to my post! I appreciate all the input you provided - it will be very beneficial as we move forward with this task....
thanks again,
Colleen
plancor
Does anyone have insight on how "data at rest" encryption affects Disaster Recovery? For example, what are the implications for clustering, failover, restores, etc.
unknown
Has anyone implemented 'Encryption of Data at Rest' for a DB2 Lawson database?