Rocket U2 | UniVerse & UniData

 View Only
Back to discussions
Expand all | Collapse all

Automatic Data Encryption: A guide for predicting additional data storage requirements.

  • 1.  Automatic Data Encryption: A guide for predicting additional data storage requirements.

    ROCKETEER
    Posted 02-24-2021 09:23
    Edited by John Jenkins 02-25-2021 06:11
    Automatic Data Encryption (ADE) is a largely-transparent database feature available in both UniData and UniVerse that helps prevent unauthorized access to selected sensitive data.

    This is accomplished by encrypting selected fields using an industry-standard security algorithm based upon OpenSSL and  Encryption Keys, which are held separately to the data itself. In commercial terms, this can help serve business confidentiality needs and allow a positive separation permitted levels of access and user roles. At the same time the legal compliance requirements of industry regulatory compliance such as  GDPR, HIPAA and PCI-DSS can be achieved by adopting ADE as a keystone part of a larger solution

    Mechanisms
    ADE itself encrypts data at an individual field (i.e. attribute) level. If wished, different encryption and security/access criteria also can be applied to separate fields within a record. As encryption applies individually to each encrypted field, we will consider the effect of encryption on the size of an individual field, thus allowing this result to be extrapolated by scaling over multiple encrypted fields.

    Space Considerations
    By its very nature - the requirement to encrypt data in a unique and reversible manner requires additional information - the data size is subject to inflation and the resulting content cannot be predicted. Nevertheless, using practical benchmarking of variable data sets and data volumes, a trend in the relationship between an individual field size and the resulting encrypted field size can be readily seen and is illustrated in the (highly abbreviated) table below with the highest percentage inflation for the smallest fields:

    Original field size -> Encrypted field size
    • 1-39 bytes -> 58 bytes to 99 bytes
    • 512 bytes -> 612 bytes
    • 8192 bytes -> 11005 bytes
      As can be seen, the percentage rate of expansion due to encryption tails off quite rapidly when the field size rises to a few hundred bytes. Once an individual field reaches a size between 0.5K and 8Kb, the inflation ratio has dropped off to approximately 145%, dropping further to 134% of the original data size at a decreasing rate. While these sizes might seem large for any one small individual field, the sizes can be very relevant where WHOLERECORD encryption is considered as the whole record is treated as one field for encryption purposes. Spread over a large set of data points, the graph below shows the trend in original data size against encrypted data size:

      Similarly, if a small number of small fields are encrypted in a much larger record, while the individual field may increase in size significantly, the overall effect in percentage growth terms on a  much larger record can be small.

      This graph illustrates the rate of drop off in the percentage of size inflation for an individual field with the 'knuckle' of the curve representing a few hundred bytes of unencrypted data.

      A graph of encrypted field size plotted against the original data size prior to encryption
      If the number of fields to be encrypted is determined along with the average size of the fields concerned, it is possible by extrapolation to estimate the additional storage space required for the resulting data set.

      Use Cases

      • Where a small number of small fields in an overall record are encrypted, the percentage growth for the individual fields can be relatively large. However, the increase in overall byte size when compared to the record as a whole may only be a few hundred bytes per record - and is often a relatively small percentage overall growth of the total data size..
      • Where a significant number of small individual fields are individually encrypted, then the percentage growth per-field is more significant. For a relatively small record in particular, this can result in a significant increase in the storage space requirements for the resulting records.
      • Where WHOLERECORD encryption is used then individual fields can be ignored as the complete record is treated as one field.


      NOTES:
      • WHOLERECORD is a special case of encryption where a complete database record is encrypted with a common encryption and access methodology. With WHOLERECORD encryption we can consider the whole record as a single field for encryption purposes.
      • While each of the different encryption algorithms available to ADE will differ slightly in the size of the resulting encrypted data, AES256 had been chosen as a commonly-used  illustrative example.
      • A webinar overview of ADE functionality is also available below.



      ------------------------------
      John Jenkins
      Principal Technical Support Engineer
      Rocket Software Limited
      U.K.
      ------------------------------