Microsoft SQL Server Customer Solution Case Study
Raised the IT compliance level with thorough advance preparation for data encryption
Overview
Country or Region: Korea
Industry: Insurance

Customer Profile
ING Life Insurance, the Korean corporation of ING Group, is the first foreign life insurance company in Korea and has received an AAA rating from the 'Korea Business Assessment' for four years.

Business Situation
IT compliance for encryption and access control throughout the whole process of creating, collecting, storing and distributing personal financial information became a pressing security concern.

Solution
Data in the salary and benefits system was encrypted with the column-level encryption function of SQL Server 2008, and important systems such as the ING Life website will be encrypted next.
Benefits
− Encryption with minimal loss of performance
− Encryption without overhead cost
− Acquired the know-how to encrypt
− Gained leading brand value for information protection
“If the database's built-in encryption had a security weakness, a management problem, or poor functionality compared to a third-party solution, we wouldn't consider using it. In data encryption, performance and safety guarantees through many tests and much tuning are more important than whether or not an expert solution is introduced.”
Dvae Kim, Sr Database Administration Professional, ING Life
ING Life Insurance Corporation (“ING Life”) began encrypting important information at the database level at the start of 2010. In the late 2000s, personal information protection became the top-priority task for enterprises, out of fear of the social impact that a customer information leak could have. For the financial sector in particular, which handles personal financial information, IT compliance became an urgent matter after the Financial Supervisory Service recommended encryption of personal information and access control in 2009. But data encryption is not a task that can be completed quickly, and it places a heavy burden on the enterprise. As information exchange between the head office and branches and data-warehouse-based analysis have grown, encrypting almost all customer personal and financial information (resident registration number, card number, account number, phone number, address, email address) has to overcome the obstacle of guaranteeing performance. A third-party solution is generally used to make the encryption work go smoothly, but ING Life went beyond the conventional approach and established an encryption strategy for each database category.
Situation
ING Life, the Korean corporation of ING Group, a total financial services group with branches in 40 countries worldwide, is attracting interest by starting database encryption for its primary business systems in the second half of 2010.
Korean society has recently experienced a series of leaks of enterprises' customer information, and everyone, enterprises included, has come to realize what such leaks mean. As the importance of customer information protection spread, finance was the first sector to take it seriously. Holding financial records as well as personal information, the financial sector has a greater need to overhaul its security systems. Especially since 2009, when the Financial Supervisory Service recommended encryption and access control throughout the whole process of creating, collecting, storing and delivering personal information, enhanced security became an urgent IT compliance matter.
The Financial Supervisory Service's recommendation applied to all financial businesses, but ING Life had to push ahead with the task. Regarding this, Dvae Kim, Sr Database Administration Professional of IP Operations in the Infrastructure Dept., said, “We received a work guideline from the Asia-Pacific head office of ING Group that data encryption should be completed by late 2011 for all local corporations' systems that need to guarantee confidentiality, integrity, availability and so on.”
Data encryption is the top-priority task, but it is burdensome to put into practice right away. Dvae Kim said, “General security can be done by blocking the risk factor, but database security can't be done that way. As encryption/decryption logic is added, data reading and writing naturally slow down. Minimizing this is the key to data encryption, but it is easier said than done. There are many things to consider, from data accuracy to the applications linked to the database.” Even though it is difficult work, they cannot put it off for long. The IT Operation Dept. of ING Life is working on this system encryption task separately by database type.
Solution
The IT Operation Dept. of ING Life uses a separate encryption method for each database type. Dvae Kim said, “Encryption is generally provided at the database level. The only difference is that in the case of Oracle we have to purchase an additional license, but in Microsoft SQL Server it is included as standard. We thought that a specialized third-party solution has an advantage in the Oracle environment, but for Microsoft SQL Server, using the encryption function included in the database would be effective.”
The first data encryption in the Microsoft SQL Server environment targeted the EZHR system, which handles human resources, salary and benefits, as a new project in 2010. This was done so that coverage could be extended to mission-critical systems after a thorough pre-validation. Dvae Kim said, “We thought that using the included encryption function was the best choice from a cost-cutting point of view, because using a third-party solution did not guarantee that the encryption work would be easy. But cases using the column-level encryption function of SQL Server were rare in Korea and we had no experience with it, so we tried to reduce the risk by applying it to a new project, not an existing one.”
The IT Operation Dept. of ING Life consulted Microsoft Korea before establishing a strategy for the EZHR database encryption work. Dvae Kim said, “We asked about and checked details such as the functions and the changes to query statements, and CosmicSoft was introduced to us as an expert partner to actually carry out the work. We were able to establish the overall concept through CosmicSoft's two-month consulting from June to August 2010.” The consulting mainly covered the procedure for issuing encryption keys, creating the certificate used to protect the keys, and tuning to guarantee performance.
The actual encryption work was performed after the consulting, and the most notable point was the close cooperation among the stakeholders. “Encryption is not just simple functional work. It is a complex task in which we must consider the connections and interactions of all the business systems linked to a database. So it is essential for database managers and application developers to cooperate closely. For this reason, several briefing sessions were held for the people concerned to gain consensus on the necessity and method of the encryption work before starting the project. One-on-one meetings with the people in charge were also held during the project, where they discussed application and query modifications,” said SungRyong Kim.
Access control was as important as database and application modification and tuning in the encryption work. Dvae Kim said, “Even though the data encryption was done, a fundamental security weakness from leakage of the certificate or key still remained. So only thorough consideration of access control could make the data encryption complete. In this case, ING Life's internal security guidelines and existing security processes were helpful.”
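The three ingredients the consulting and access-control paragraphs describe (a certificate that protects the symmetric key, query changes around the encrypted column, and limiting who can reach the key) fit together as follows. This is an added T-SQL example for SQL Server 2008, not code from the case study, ING Life or CosmicSoft; the object names (HRCert, HRKey, dbo.Employee, hr_app), the file paths, the passwords and the pepper literal are placeholders. The separate lookup digest is one common way to keep equality searches on an encrypted column indexable, which is the kind of query change and tuning the text refers to; the case study does not say which technique ING Life used.

```sql
-- Added example (not ING Life's or CosmicSoft's code): SQL Server 2008 cell-level
-- encryption of one HR column, with an indexable lookup column and least-privilege access.
-- HRCert, HRKey, dbo.Employee, hr_app, the paths, passwords and pepper are placeholders.

-- 1. Key hierarchy: database master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-Vaulted-Passphrase!';
GO
CREATE CERTIFICATE HRCert WITH SUBJECT = 'EZHR column encryption (example)';
GO
CREATE SYMMETRIC KEY HRKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE HRCert;
GO
-- Back up the certificate with its private key once, off-box; losing it means losing the data,
-- and whoever holds this backup (and its password) can decrypt everything.
BACKUP CERTIFICATE HRCert TO FILE = 'D:\keybackup\HRCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\HRCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Replace-With-Vaulted-Passphrase-2!');
GO

-- 2. Table: the resident registration number is stored only as ciphertext, plus a keyed
--    SHA-1 digest so that equality lookups use an index instead of decrypting every row.
--    (HASHBYTES on SQL Server 2008 offers SHA1 at most; use SHA2_256 on 2012 and later.)
CREATE TABLE dbo.Employee (
    EmployeeNo     char(8)        NOT NULL PRIMARY KEY,
    NameKo         nvarchar(50)   NOT NULL,
    ResidentNoEnc  varbinary(256) NOT NULL,  -- EncryptByKey output; random IV, never equal across rows
    ResidentNoHash binary(20)     NOT NULL   -- HASHBYTES('SHA1', pepper + value); deterministic, indexable
);
CREATE INDEX IX_Employee_ResidentNoHash ON dbo.Employee (ResidentNoHash);
GO

-- 3. Write path. EXECUTE AS OWNER lets dbo open the key, so callers need only EXECUTE.
--    EmployeeNo is passed as the authenticator: a ciphertext copied into another row
--    then fails to decrypt (DecryptByKey returns NULL) instead of silently succeeding.
CREATE PROCEDURE dbo.Employee_Insert
    @EmployeeNo char(8), @NameKo nvarchar(50), @ResidentNo char(13)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY HRKey DECRYPTION BY CERTIFICATE HRCert;
    INSERT dbo.Employee (EmployeeNo, NameKo, ResidentNoEnc, ResidentNoHash)
    VALUES (@EmployeeNo, @NameKo,
            EncryptByKey(Key_GUID('HRKey'), @ResidentNo, 1, CONVERT(sysname, @EmployeeNo)),
            HASHBYTES('SHA1', CONVERT(varbinary(64), 'example-pepper') + CONVERT(varbinary(13), @ResidentNo)));
    CLOSE SYMMETRIC KEY HRKey;
END
GO

-- 4. Read path: an index seek on the digest, then decryption of only the matching rows.
CREATE PROCEDURE dbo.Employee_FindByResidentNo @ResidentNo char(13)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY HRKey DECRYPTION BY CERTIFICATE HRCert;
    SELECT EmployeeNo, NameKo,
           CONVERT(char(13), DecryptByKey(ResidentNoEnc, 1, CONVERT(sysname, EmployeeNo))) AS ResidentNo
    FROM dbo.Employee
    WHERE ResidentNoHash = HASHBYTES('SHA1', CONVERT(varbinary(64), 'example-pepper') + CONVERT(varbinary(13), @ResidentNo));
    CLOSE SYMMETRIC KEY HRKey;
END
GO

-- 5. Access control: the application role reaches plaintext only through the procedures.
CREATE ROLE hr_app;
GRANT EXECUTE ON dbo.Employee_Insert           TO hr_app;
GRANT EXECUTE ON dbo.Employee_FindByResidentNo TO hr_app;
DENY  SELECT  ON dbo.Employee                  TO hr_app;   -- no bulk pull of ciphertext or digests
DENY  VIEW DEFINITION ON SYMMETRIC KEY::HRKey  TO hr_app;   -- cannot OPEN the key itself
DENY  CONTROL ON CERTIFICATE::HRCert           TO hr_app;
GO

-- Smoke test with constructed sample data.
EXEC dbo.Employee_Insert 'E0001001', N'홍길동', '9001011234567';
EXEC dbo.Employee_FindByResidentNo '9001011234567';   -- one row, ResidentNo decrypted
```

Two caveats a practitioner should keep in mind. The digest column is only as strong as the secrecy of the pepper: resident registration numbers have a small, structured value space, and with the pepper sitting in the procedure text (as it does here for brevity) anyone who can read the procedure definition can brute-force digests offline, so in production the pepper belongs in a restricted stored value or the application tier. And the whole design still trusts whoever controls the database master key, the certificate and its backup; that is exactly the "leakage of the certificate or key" the paragraph above names, which the procedure-level permissions do not address and which has to be covered by the organization's own access-control process.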
Benefits
Encryption with minimal loss of performance
As electronic document exchange between the head office and branches, data-warehouse-based information analysis and the throughput of customer-related information have increased, 'performance guarantee' is the prerequisite for this data encryption. Because of this, database managers in the financial sector hesitated to carry out encryption work.
Dvae Kim said, “General security and encryption of data in a database are totally different things, because the latter is directly connected to the performance of the main business systems. Database and application modification and tuning are necessary to prevent performance loss while maintaining data accuracy. From this point of view, the IT Operation Dept. of ING Life succeeded in encryption with minimal loss of performance, based on an accurate understanding of the SQL Server 2008 encryption function and close cooperation among the people concerned. EZHR started operation, and two weeks later came the end of the month, when a lot of transactions are concentrated. But, as expected, there was no sharp performance degradation from the encryption work.”
Encryption work spreads without overhead cost
Many business systems, including the EZHR that opened this time, run on Microsoft SQL Server, and its built-in function will be used to encrypt them without introducing a third-party solution.
Dvae Kim said, “If the database's built-in encryption had a security weakness, a management problem, or poor functionality compared to a third-party solution, we wouldn't consider using it. In data encryption, performance and safety guarantees through many tests and much tuning are more important than whether or not an expert solution is introduced. In this project, the cost effectiveness of using the free function is not distinctive because of the cost of consulting and implementation, but in the case of future large-scale encryption we expect to obtain considerable cost savings.” The IT Operation Dept. of ING Life is thus expected to realize the cost effectiveness fully from 2011.
Acquired the know-how to encrypt customer-facing businesses
The IT Operation Dept. of ING Life plans to apply the Microsoft SQL Server 2008 encryption function to mission-critical systems such as the ING Life website and cyber center in 2011. As preliminary work for this, it has started upgrading its databases from a mixed environment of SQL Server 2000 and 2005 to Microsoft SQL Server 2008. The encryption work to be done in 2011 is expected to be the most significant Microsoft SQL Server encryption case in Korea in terms of scale.
Dvae Kim said, “We will provide more assurance of security and performance for the encryption work planned in 2011. In the case of services that touch a customer, it is so mission-critical that if downtime exceeds a few minutes, it must be reported immediately to the Financial Supervisory Service. Fortunately, in the process of the EZHR encryption work, we were able to accumulate tuning know-how for assuring performance. We have accumulated project-related outputs such as the certificate, the encryption key, the database encryption progress records and the system operation manuals after finishing the EZHR encryption, and the system is now operating normally. More importantly, consensus on the necessity and importance of encryption has settled in between database managers and application developers.”
Gained leading brand value for information protection
As the encryption task is extended to customer-facing businesses in 2011, ING Life is expected to take the leading position in data encryption in the financial sector. In particular, it is the first domestic case of applying SQL Server 2008 encryption to external business systems with a large transaction volume. Its coverage will go far beyond that of EZHR.
Dvae Kim said, “ING Life plans to quickly complete a fundamental information protection system for customers' personal and financial information such as resident registration number, card number, account number, phone number, address, email address and so on. Through this, we expect a more positive response regarding the IT compliance of the Financial Supervisory Service internally, and externally to have a chance to let customers know that all the information held by ING Life is securely encrypted.”
Microsoft Server Product Portfolio
For more information about the Microsoft server product portfolio, go to: www.microsoft.com/servers
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers in the United States and Canada who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to: www.microsoft.com
For more information about ING products and services, call 82-1588-5005 or visit the website at: www.inglife.co.kr
This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Document published April 2011
Software and Services Microsoft Server Product Portfolio
− Microsoft SQL Server 2008 Enterprise