April 24, 2015 By JeongGahk Kim

Encrypting your data is an important step for keeping it secure. If you’re worried or stressed out about an upcoming data encryption project, you’ll want to read further.

About three years ago, I was engaged as a project manager in a data encryption and database access control solution implementation project for one of South Korea’s financial accounts. My project was successfully completed, but I had to overcome various types of issues I had not experienced before. I’d like to share what I learned from that project and recommend an effective approach to developing a successful data encryption strategy for your own data encryption project.

Types of Data Encryption Projects

Generally, data encryption solutions fall into three categories: kernel encryption (transparent data encryption), application programming interface encryption and plugin encryption. Kernel encryption solutions can be further divided into operating system (OS) and database management system (DBMS) solutions. My project environment used an OS kernel (transparent data encryption) solution with a DBMS access control solution. The encryption solution included Vormetric Data Security and IBM InfoSphere Guardium Data Activity Monitor.

If you are managing a similar data encryption project, follow these steps to ensure success:

Step 1: Environmental Information Gathering

Thoroughly validate and gather the following pieces of information, which are critical inputs for setting up a strategic encryption schedule:

  • Target Systems: The identified systems inventory should be confirmed by the client in the earlier phases of the project.
  • Core Business Process Batch Job Schedule, Available Shutdown Schedule and System Dependency: These schedules and dependencies are needed to create an implementation timeline — otherwise, the project schedule should be provided by the client. Having the support of the client’s IT infrastructure team is a critical success factor.
  • As-Is System Performance Data: This data will be used to compare system performance before and after encryption.

Step 2: Set Up a Pilot Test Environment for Functional and Performance Testing

Before the solution is implemented, a test environment representing the production environment should be prepared to test how functionality and performance will be affected by the implementation of the encryption solution. This pilot test environment should be maintained throughout the project period so that it remains available for handling technical issues.

During the test, validate the kernel agent's compatibility with other products within the system. You must also measure system performance degradation so you can estimate the data migration time. This information is crucial to developing a realistic project schedule.

Step 3: Develop an Encryption Schedule Down to the System and Data Level

Based on the information from Step 1 and Step 2, the project team should be able to set up an encryption schedule. When you schedule agent installation and initial data encryption, consider the tasks separately for each target system. For all target systems, the following three points should be considered when setting up the schedule:

  1. Compliance and Regulatory Requirements: A good first target system for your project is a system that has been mandated for encryption by regulation. Picking such a system makes it easier to persuade the system administrator to start things ahead of schedule.
  2. Data Size: As the data size increases, so does the initial data encryption time. I recommend placing a small data system in the earlier phase of the entire schedule. This will optimize the project schedule. If any technical issues arise, the project team will have more time to fix the problem in an earlier phase of the project.
  3. Business Impact: A redundant (dual configuration) system has more options for encryption scheduling. Development and test systems can be placed earlier in the schedule than production systems. If some systems have limited time frames for allowed system shutdown (such as batch or external organization gateway systems), then early communication with the clients is required to set up the priority on the change schedule.
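
The three points above, combined with the Step 1 inventory and the Step 2 pilot measurement, can be turned into a first-draft schedule. This is an added example, not part of the original article: the field names, the sort order among the three points, the 1.25 safety margin and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class TargetSystem:
    name: str
    data_gb: float        # data to encrypt, from the Step 1 inventory
    window_hours: float   # allowed shutdown window, from Step 1
    regulated: bool       # encryption mandated by regulation
    production: bool      # False for development and test systems
    redundant: bool       # dual configuration

def estimate_hours(system, pilot_gb_per_hour):
    """Initial encryption time from the throughput measured in the Step 2 pilot."""
    return system.data_gb / pilot_gb_per_hour

def build_schedule(systems, pilot_gb_per_hour, margin=1.25):
    """Order systems and flag any whose estimate exceeds its shutdown window.

    Assumed ordering: regulated systems first, then dev/test before
    production, then smaller data first. margin is an assumed safety factor.
    """
    ordered = sorted(systems,
                     key=lambda s: (not s.regulated, s.production, s.data_gb))
    plan = []
    for s in ordered:
        hours = estimate_hours(s, pilot_gb_per_hour) * margin
        if hours <= s.window_hours:
            status = "fits window"
        elif s.redundant:
            status = "over window; redundant, more scheduling options"
        else:
            status = "over window; agree priority with client early"
        plan.append((s.name, round(hours, 1), status))
    return plan

# Constructed sample inventory (hypothetical systems and sizes).
SAMPLE = [
    TargetSystem("core-db-prod", 4000, 6, True, True, True),
    TargetSystem("batch-gw-prod", 800, 2, False, True, False),
    TargetSystem("crm-dev", 200, 24, False, False, False),
    TargetSystem("hr-db-prod", 300, 8, True, True, False),
]

if __name__ == "__main__":
    # 250 GB/hour is a constructed pilot throughput figure.
    for row in build_schedule(SAMPLE, pilot_gb_per_hour=250):
        print(row)
```

Rows flagged as over their window are the ones to raise with the client's IT infrastructure team before the schedule is fixed.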

The bigger the scope of your encryption, the greater the risk associated with your project. In the field, a project brings even more variable situations that must be handled with care. The best way to be prepared is to set aside enough time to build an encryption strategy based on complete and detailed environmental information.

I hope these tips help you with your project. Connect with me on Twitter at @dvd703.
