Automatic Data Transformation
Using dataxform for initial encryption or rekeying of data is a two-party procedure requiring cooperation between the key manager Security Administrator and the administrators of the protected hosts. The key manager Security Administrator creates policies and applies them to GuardPoints before and after transformation. The administrators of the CTE hosts disable access to protected file sets, run the dataxform utility, and re-enable file access after transformation. This two-party architecture preserves security by making it impossible for a single individual to subvert data protection.
In small data centers, key manager Security Administrators and administrators of the CTE hosts typically work closely together and understand each other's priorities and constraints. In larger organizations, organizational and physical distance between them is common. Moreover, a key manager cluster often manages data security and key management for dozens, or hundreds, of protected hosts.
Simplifying dataxform Data Transformation
CTE can be configured to partially automate data transformation with dataxform, reducing the need for administrator coordination. The administrator of a protected host enables automatic transformation of a protected data set by creating a file named dataxform_auto_config in the GuardPoint's root directory. This file contains information used to verify version compatibility with the CTE Agent, as well as some parameters to be input to dataxform (for example, the location of the disk space to be used to construct the utility's file list).
If a dataxform_auto_config file is present when the key manager Security Administrator activates a dataxform policy (one that contains both production and transformation keys), the CTE Agent on the protected system automatically starts dataxform. Conversely, the administrator of the CTE host can disable automatic transformation by deleting the dataxform_auto_config file from the GuardPoint's root directory.
When dataxform execution completes (or aborts), it leaves behind status files that it uses to regulate subsequent executions. Whenever dataxform starts, it looks for these files; if it finds them, it displays an informative message and exits without transforming any files. This prevents dataxform from running repeatedly over the same GuardPoint. Before running dataxform, the administrator of the CTE host must execute the utility's cleanup function to remove status files from previous runs (see Cleaning Up a Previous dataxform Session). If a transformation fails, the administrator of the CTE host must repair the problem, complete the transformation, and then execute the cleanup function (see Recovering a Failed or Incomplete dataxform Session).
Even with automatic data transformation, the key manager Security Administrator must monitor dataxform progress (for example, by observing the audit log) and replace the GuardPoint's dataxform policy with a post-transformation production policy when the run completes. Administrators of the CTE hosts remain responsible for blocking access to data (for example, stopping databases and applications or unmounting file systems) so that applications cannot access files during transformation. Finally, administrators of the CTE hosts are responsible for re-enabling application access to files after transformation is complete and the key manager Security Administrator has replaced the dataxform policy with a post-transformation production policy.
To summarize, the key manager Security Administrator and the administrator of the CTE host interact during automatic data transformation as follows:
- Enable automation (administrator of the CTE host)
  To enable automation, the administrator of the CTE host creates a dataxform_auto_config file in the root directory protected by the GuardPoint. This is a one-time action. The dataxform_auto_config file only needs to be updated when parameters change, or deleted when the administrator wishes to disable automation.
- Clean up from the previous transformation (administrator of the CTE host)
  The administrator of the CTE host executes the dataxform cleanup function (--cleanup) so that transformation can begin automatically when a transformation policy is activated for the GuardPoint.
- Disable access to data (administrator of the CTE host)
  The administrator of the CTE host disables access to the data and informs the key manager Security Administrator that it is safe to replace the GuardPoint's pre-transformation production policy with a dataxform policy. The time between disabling access and activation of the dataxform policy is part of the overall window of data unavailability.
- Monitor dataxform progress (key manager Security Administrator)
  The key manager Security Administrator monitors the progress of the utility and, when the run is complete, replaces the dataxform policy with a new post-transformation production policy. Once the post-transformation production policy has been activated, the key manager Security Administrator notifies the administrator of the CTE host that it is safe to re-enable application access to the protected file set. The time between completion of the dataxform run and re-enabling of data access is part of the overall window of file unavailability. See Monitoring dataxform for operational details.
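The following POSIX shell script is an added illustration of the host-side control flow described above (the run-once guard based on leftover status files, the cleanup step, and the automation switch); it is not the dataxform utility or any code from the product. The status file name `.dataxform_status.model` and the `complete`/`aborted` outcome values are assumed placeholders chosen for the model; only the `dataxform_auto_config` file name comes from the documentation. The script exercises the model against a constructed temporary directory standing in for a GuardPoint root.

```shell
#!/bin/sh
# Model of the dataxform status-file guard and cleanup sequence.
# Added example; not the real utility. Names marked "assumed" are placeholders.
set -u

CONFIG_FILE="dataxform_auto_config"      # name from the documentation
STATUS_FILE=".dataxform_status.model"    # assumed placeholder for a leftover status file

# Return 0 when automation is enabled for the GuardPoint root in $1,
# i.e. the dataxform_auto_config file exists there.
automation_enabled() {
    [ -f "$1/$CONFIG_FILE" ]
}

# Model of a dataxform run over GuardPoint root $1.
# $2 is the simulated outcome: "complete" (default) or "aborted".
# Like the real utility, it refuses to start if a status file from a
# previous session is present, and it leaves a status file behind
# whether it completes or aborts.
run_transform() {
    gp="$1"
    outcome="${2:-complete}"
    if [ -e "$gp/$STATUS_FILE" ]; then
        printf 'dataxform: status file found in %s; run cleanup first\n' "$gp" >&2
        return 2
    fi
    # The file-by-file transformation would happen here in the real tool.
    printf '%s\n' "$outcome" > "$gp/$STATUS_FILE"
    [ "$outcome" = "complete" ]
}

# Return 0 when the last session in $1 aborted and still needs recovery
# (repair, completion, then cleanup) before a fresh run is allowed.
needs_recovery() {
    [ -e "$1/$STATUS_FILE" ] && [ "$(cat "$1/$STATUS_FILE")" = "aborted" ]
}

# Model of the --cleanup function: remove status files so a new run can begin.
cleanup_transform() {
    rm -f "$1/$STATUS_FILE"
}

# Host-administrator preparation before the Security Administrator activates
# the dataxform policy: verify automation is enabled, refuse to clean up over
# an unrecovered failure, then remove old status files.
prepare_host() {
    gp="$1"
    if ! automation_enabled "$gp"; then
        printf 'automation disabled for %s (no %s)\n' "$gp" "$CONFIG_FILE" >&2
        return 1
    fi
    if needs_recovery "$gp"; then
        printf 'previous run in %s aborted; recover before cleanup\n' "$gp" >&2
        return 3
    fi
    cleanup_transform "$gp"
}
```

Running the script itself defines only functions; call `prepare_host /path/to/guardpoint` from an interactive shell or a wrapper to exercise the sequence against a scratch directory.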
Partial automation of data transformation reduces the number of interactions between the protected host administrators and the key manager Security Administrators. Expect that, over time, CTE will evolve to reduce the interactions to those required to maintain the fundamental security precepts of the software.
See Running Automatic Data Transformation for detailed operational examples.