Hello I will apologise upfront for my lack of SAS knowledge but I will present you with my issue and hopefully there is a simple solution. The IT Security team has asked that our internal SAS server encrypts data when at rest to AES 256 SHA2 standard.
SAS/Secure168bit & SAS/SecureWindows are installed & licenced on the server.
I have read through the document Encryption in SAS 9.4 Sixth Edition and believe I have found the command to apply.
options netencryptalgorithm=aes;  /* encrypt SAS/CONNECT network traffic with AES */
%let machine=apex.pc.com;         /* macro variable holding the remote host name */
signon machine.unxspawn user=_prompt_;  /* sign on to the spawner, prompting for credentials */
So here are my questions:
1) Is this the correct code to activate encryption?
2) Where do I run this in SAS or in windows?
Any help would be appreciated.
"encrypts data when at rest"
Are they actually asking to encrypt all SAS datasets as stored on disk?
Then look here: http://support.sas.com/documentation/cdl/en/lrcon/69852/HTML/default/viewer.htm#n1s7u3pd71rgunn1xuex...
Yes, all SAS datasets. Thank you, I will have a read.
The information is good if we ensure the users complete the encryption. I probably was not clear, but the encryption needs to be automatically applied when users create files, so I am looking for an admin way of turning on encryption.
I don't think SAS has an option for this.
How is that security enforced on the other server systems in your organization?
Other Windows servers have the encryption applied by IT, but for some reason they want it applied in the SAS application.
The question for the other servers is:
- what is encrypted (everything, certain file systems, users' directories, users' files, ...)
- and how is it done (password, public/private key, etc.)
According to this snippet from the referred document:
Beginning with the first maintenance release of 9.4, a metadata-bound library administrator can require that all data files in the bound library be encrypted with one of the two algorithms. For more information, see Requiring Encryption for Metadata-Bound Data Sets in Base SAS Procedures Guide and SAS Guide to Metadata-Bound Libraries.
you can actually force datasets to be encrypted as long as they are metadata-bound, which is a good practice for vital datasets anyway.
Tom
Good find, @TomKari. That should solve the problem for datasets, but if the IT people of the OP want all data encrypted (like input files copied to the server or files for export), I don't think one can force this from SAS.
Thank you for finding this.
This is definitely not my area of expertise so just throwing some thoughts.
When reading your requirement I was immediately thinking: why the heck make that a responsibility of the application layer, with all the overhead it creates? What about hardware encryption? And then with some brief Googling a Wikipedia article came up. I know, that's only a starting point and needs verification, but still...
Here is the article: https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
And from this article: "The two main use cases are Data at Rest protection, and Cryptographic Disk Erasure."
So... I believe it might be worth investigating a bit further and then eventually pushing back and telling "IT" that they need to get their own "something" sorted instead of trying to make this a problem of the application layer.
This sounds to me mainly like a data storage security requirement to be solved on an IT infrastructure level.
On top of that, anytime a user creates a directory and uses it in a libname statement, they can create unencrypted datasets on their own.
So if encryption is really needed, it needs to be done on the file-system or disk level.
Yes, @Kurt_Bremser I agree that this may not accomplish everything they need. It's a really tricky problem statement; it'll probably come down to details.
As you say, they may have to resort to O/S encryption.
Tom
@TomKari, @Kurt_Bremser, @pw_coop
I have to qualify some of the statements I've made earlier.
The one significant thing I've missed with metadata bound libraries:
Once defined there is no way one can use SAS to create tables which are not metadata bound. I'm rather impressed how this has been implemented 🙂
I've just done some testing where I've defined a metadata-bound library with AES encryption. I've then used a user I've given access to this library to copy sashelp.class to this library (via SAS EG).
Then I've used PC SAS and issued the following code (using a different libref but pointing to the path defined as metadata bound):
libname testit 'd:\test';   /* different libref, same path as the metadata-bound library */
data testit.classTWO;       /* attempt to write a new table without going through the bound library */
  set sashelp.class;
run;
And that's what happened:
So yes, metadata-bound libraries won't prevent a user from creating new folders, BUT they will prevent users from creating unsecured data in defined folders.
If hardware encryption is not an option, then one could go for an approach where users are not allowed to create folders (on OS level) and there are secured libraries for all defined folders.
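As an added example that is not part of this thread, here is how the setup described in Tom's snippet and in the test above can be expressed in SAS code: PROC AUTHLIB binds a physical folder to a secured library in metadata and sets REQUIRE_ENCRYPTION=YES so that any data set written into that folder must be AES-encrypted. The path, metadata folder name, secured library name, bind password and AES key are placeholders, and the exact statement options are my reading of the SAS 9.4M1+ PROC AUTHLIB documentation, not code from SAS or from anyone in the thread.

```sas
/* Added example, not from the thread. Placeholders: the path, metadata
   folder, secured library name, bind password and AES key. */

/* 1. Point a libref at the physical folder that will be bound. */
libname secdata 'd:\test';                      /* placeholder path */

/* 2. Bind the folder to a secured library object in metadata and
      require AES encryption for every data set written into it.
      Assumed options: REQUIRE_ENCRYPTION=, ENCRYPT=, ENCRYPTKEY=. */
proc authlib library=secdata;
   create securedfolder="Secured Folders"       /* placeholder metadata folder */
          securedlibrary="SecDataLib"           /* placeholder secured library */
          pw=bindpw1                            /* placeholder bind password   */
          require_encryption=yes
          encrypt=aes
          encryptkey=mykey1234;                 /* placeholder AES key         */
run;

/* 3. The binding follows the path, not the libref: a second libref that
      points at the same folder is still governed by the metadata bound
      library, so an unencrypted write is rejected. */
libname testit 'd:\test';
data testit.classtwo;                           /* expected to fail: no key */
   set sashelp.class;
run;

/* 4. Supplying the AES key through the ENCRYPTKEY= data set option lets
      the write proceed, and the table is stored AES-encrypted on disk. */
data testit.classtwo(encryptkey=mykey1234);     /* placeholder key */
   set sashelp.class;
run;

/* 5. Report the binding state of the folder to confirm the requirement. */
proc authlib library=secdata;
   report;
run;
```

The point of step 3 is the one made in the test above: the protection is attached to the folder in metadata, so bypassing it by assigning a fresh libref does not work, whereas a folder that was never bound is still unprotected.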
Thank you for all the advice and sorry for not replying sooner. I have been looking into the metadata-bound libraries. I did a test on one library and this did encrypt all the SAS datasets and prevents opening in Notepad etc. The issue, which may be of my own doing, is that I can now not save any new datasets to the metadata-bound library. The library still appears in Libraries under SASAPP in EG, but I cannot assign it.
The library, or rather file, does appear lower down under Files\ Drivename\ SASWORK\ Folder. I can see all the SAS datasets, programs and other documents here and open them in EG. So my issue is: am I creating the metadata-bound library correctly, or missing a step to allow the library to be assigned so I can save more datasets there?
I have full access to the library in the Data Library Manager, so write and read metadata is allowed. Any help would be appreciated. I will not be replying for a week as I go on holiday until after Easter.