Minimize the Impact of PCI Section 3 on SAP Applications - Paymetric
How an Encryption Management Server Compares with Traditional Encryption Approaches
Many security professionals have either deployed or are familiar with such traditional approaches as application encryption and database encryption. How does the approach outlined on page 10 compare to these traditional approaches? Following is an overview of the differences, and of how these solutions can work in concert.
Application Encryption
Application encryption is an approach in which encryption and decryption of the data take place within the SAP application. The data is encrypted or decrypted by SAP every time it is written to or retrieved from the database. As a result, the data residing in the database is always encrypted.
Once an organization has employed an encryption management server, SAP no longer directly participates in any cryptographic operations. The application relies on the central token server to manage cryptographic operations and key management processes. This means SAP does not require local cryptographic technology and so is spared the management and performance issues associated with encryption.
With this approach, a central server issues a token to replace the credit card number in SAP. A benefit of this approach is that there is no need to encrypt or decrypt at every step in the SAP workflow, but only when the unencrypted number is specifically needed, such as for payment processing. The token becomes a surrogate for the credit card number itself and may even be exchanged with other applications in the enterprise as if it were a real credit card number, without the overhead of decryption and re-encryption, or the risk of exposure. Also, because the token replaces the card number in the same SAP database table field, no additional database space is required.
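The following Python sketch is an added illustration of the token-server workflow just described; it is not Paymetric's code or product. A central server holds the only mapping from token to card number, SAP stores a token of the same length (with the last four digits kept) in the card-number field, and the real number is retrieved only at the payment-processing step. Two details go beyond the page and are design choices made here: tokens are generated so that they fail the Luhn check (so a token can never be mistaken for a real card number), and detokenization is gated on a declared purpose and recorded in an audit log. The `TokenServer` class, the in-memory vault, the `CCNUM` field name, the order functions and the well-known test number 4111 1111 1111 1111 are all constructed for this example.

```python
"""Added example (not Paymetric's code): a minimal tokenization server and
a stand-in for the SAP side that stores the token in the same field."""
import random
import secrets
from typing import Dict, List, Optional, Tuple


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check that real card numbers satisfy."""
    if not number.isdigit():
        return False
    total = 0
    parity = len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenServer:
    """Central token server: the only component that ever holds the PAN.
    The vault is an in-memory dict here (an assumption for the example); a
    real server would encrypt it at rest under its own key management."""

    AUTHORIZED_PURPOSES = {"payment_processing"}

    def __init__(self, rng: Optional[random.Random] = None):
        self._rng = rng or secrets.SystemRandom()
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}
        self.audit_log: List[Tuple[str, ...]] = []

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving surrogate for a valid PAN."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:         # same card always maps to same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(self._rng.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]           # same length, last four digits kept
            # Reject candidates that would pass for a real card number or
            # that collide with a token already issued.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        self.audit_log.append(("tokenize", token))
        return token

    def detokenize(self, token: str, purpose: str) -> str:
        """Map a token back to the PAN, only for an authorized purpose."""
        if purpose not in self.AUTHORIZED_PURPOSES:
            self.audit_log.append(("denied", token, purpose))
            raise PermissionError(f"detokenize not permitted for purpose {purpose!r}")
        pan = self._token_to_pan.get(token)
        if pan is None:
            raise KeyError("unknown token")
        self.audit_log.append(("detokenize", token, purpose))
        return pan


# --- constructed stand-in for the SAP side: the same table field holds the token ---
SAMPLE_PAN = "4111111111111111"   # well-known test number, not a real card


def create_order(server: TokenServer, order_id: str, pan: str) -> dict:
    """SAP workflow step: the PAN is swapped for a token before the row is
    stored, so the row (and every later copy of it) never carries the number."""
    return {"ORDER_ID": order_id, "CCNUM": server.tokenize(pan)}


def settle_order(server: TokenServer, order: dict) -> str:
    """The one step that needs the real number: fetch it from the server."""
    return server.detokenize(order["CCNUM"], purpose="payment_processing")


def report_order(order: dict) -> str:
    """Reporting works on the token directly: no decryption, no exposure."""
    return f"{order['ORDER_ID']}: card ending {order['CCNUM'][-4:]}"


if __name__ == "__main__":
    srv = TokenServer()
    order = create_order(srv, "4500001234", SAMPLE_PAN)
    print(order)                      # the stored row holds only the token
    print(report_order(order))
    print(settle_order(srv, order) == SAMPLE_PAN)
```

Because the same card always yields the same token, SAP can still match orders to a customer's card without ever seeing the number; everything that is not settlement runs on the token alone.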
Database Encryption
Database encryption is an approach to encrypting data at rest in which encryption and decryption are handled at the SAP database server level, rather than at the application level. The data to be protected is encrypted every time it passes from the application to the database. Likewise, as data is requested from the SAP database, it is decrypted before being returned to the application. The data is only in an encrypted state when it is at rest in the database. Application processing happens independently of encryption and decryption, with all data stored unencrypted in SAP's memory.
When an encryption management server is deployed, SAP interfaces with the central server as described in the previous section. The SAP database no longer
Cryptographic processing is completely removed from SAP, which enhances performance.
© 2008 Paymetric, Inc. All rights reserved.
11.