Top Tips for Surviving a Data Encryption Project

April 24, 2015
| |
3 min read

Encrypting your data is an important step for keeping it secure. If you’re worried or stressed out about an upcoming data encryption project, you’ll want to read further.

About three years ago, I was engaged as a project manager in a data encryption and database access control solution implementation project for one of South Korea’s financial accounts. My project was successfully completed, but I had to overcome various types of issues I had not experienced before. I’d like to share what I learned from that project and recommend an effective approach to developing a successful data encryption strategy for your own data encryption project.

Types of Data Encryption Projects

Generally, data encryption solutions are categorized into three groups of solutions: kernel encryption (transparent data encryption), application programming interface encryption and plugin encryption. Kernel encryption solutions can be further divided into operating system (OS) and database management system (DBMS) solutions. My project environment was using an OS kernel (transparent data encryption) encryption solution with a DBMS access control solution. The encryption solution included Vormetric Data Security and IBM InfoSphere Guardium Data Activity Monitor.

If you are managing a similar data encryption project, follow these steps to ensure success:

Step 1: Environmental Information Gathering

Thoroughly validate and gather the following pieces of information, which are critical inputs for setting up a strategic encryption schedule:

  • Target Systems: The identified systems inventory should be confirmed by the client in the earlier phases of the project.
  • Core Business Process Batch Job Schedule, Available Shutdown Schedule and System Dependency: These schedules and dependencies are needed to create an implementation timeline — otherwise, the project schedule should be provided by the client. Having the support of the client’s IT infrastructure team is a critical success factor.
  • As-Is System Performance Data: This data will be used to compare system performance before and after encryption.

Step 2: Set Up a Pilot Test Environment for Functional and Performance Testing

Before the solution is implemented, a test environment representing the production environment should be prepared to test how functionality and performance will be affected by the implementation of the encryption solution. This pilot test environment should be maintained throughout the project period in case of technical issue handling.

During the test, kernel agent compatibility with other products within the system should be validated. You must also measure system performance degradation to predict the estimated data migration time. This information is crucial to developing a realistic project schedule.

Step 3: Develop an Encryption Schedule Down to the System and Data Level

Based on the information from Step 1 and Step 2, the project team should be able to set up an encryption schedule. When you schedule agent installation and initial data encryption, the tasks should be separately considered according to the target system. For all target systems, the three following points should be considered when setting up the schedule:

  1. Compliance and Regulatory Requirements: A good first target system for your project is a system that has been mandated for encryption by regulation. Picking such a system makes it easier to persuade the system administrator to start things ahead of schedule.
  2. Data Size: As the data size increases, so does the initial data encryption time. I recommend placing a small data system in the earlier phase of the entire schedule. This will optimize the project schedule. If any technical issues arise, the project team will have more time to fix the problem in an earlier phase of the project.
  3. Business Impact: A redundant (dual configuration) system has more options for encryption scheduling. Development and test systems can be placed earlier in the schedule than production systems. If some systems have limited time frames for allowed system shutdown (such as batch or external organization gateway systems), then early communication with the clients is required to set up the priority on the change schedule.

The bigger the scope of your encryption, the greater the risk associated with your project. In a project field, there are even more variable situations that must be handled with care. The best way for you to be prepared is to spare enough time to set up an encryption strategy based on complete and detailed environmental information.

I hope these tips help you with your project. Connect with me on Twitter at @dvd703.

Image Source: iStock

JeongGahk Kim
Manager of SD Security Risk Management, GTS Korea, IBM

JeongGahk Kim is an expert of enterprise compliance & risk management. He has over ten years of experience of ISMS management and operation based on IBM'...
read more