BookmarkSubscribeRSS Feed
pw_coop
Calcite | Level 5

Hello I will apologise upfront for my lack of SAS knowledge but I will present you with my issue and hopefully there is a simple solution. The IT Security team has asked that our internal SAS server encrypts data when at rest to AES 256 SHA2 standard.

SAS/Secure168bit  &   SAS/SecureWindows   are installed & licenced on ther server.

                                                                                                                                                          

I have read through the document Encryption in SAS 9.4 Sixth Edition and believe I have found the command to apply.

 

options netencryptalgorithm=aes;

%let machine=apex.pc.com;

signon machine.unxspawn user=_prompt_;

 

so here are my questions :-

1) Is this the correct code to activate encryption?

2) Where do I run this in SAS or in windows?

 

Any help would be appreciated.

16 REPLIES 16
pw_coop
Calcite | Level 5

Yes all SAS datasets. Thank you i will have a read.

pw_coop
Calcite | Level 5

The information is good if we ensure the users complete the encryption. I probably was not clear but the encryption needs to be automatically applied when users create files so I am looking for an admin way of turning in encryption.

 

pw_coop
Calcite | Level 5

Other Windows servers have the encryption applied by IT but for some reason they want it to applied in the SAS application.

Kurt_Bremser
Super User

The question for the other servers is

- what is encrypted (everything, certain file systems, user's directories, user's files,...)

- and how is it done (password, public/private key, etc)

TomKari
Onyx | Level 15

According to this snippet from the referred document:

 

Beginning with the first maintenance release of 9.4, a metadata-bound library administrator can require that all data files in the bound library be encrypted with one of the two algorithms. For more information, see Requiring Encryption for Metadata-Bound Data Sets in Base SAS Procedures Guide and SAS Guide to Metadata-Bound Libraries.

 

you can actually force datasets to be encrypted as long as they are metadata-bound, which is a good practice for vital datasets anyway.

 

Tom

Kurt_Bremser
Super User

Good find, @TomKari. That should solve the problem for datasets, but if the IT people of the OP want all data encrypted (like input files copied to the server or files for export), I don't think one can force this from SAS.

pw_coop
Calcite | Level 5

Thank you for finding this.

Patrick
Opal | Level 21

@pw_coop

This is definitely not my area of expertise so just throwing some thoughts.

 

When reading your requirement I was immediately thinking: Why the heck make that a responsibility of the application layer with all the overhead it creates. What about hardware encryption? And then with some brief Googling a Wikipedia article came up - I know, that's only a starting point and needs verification, but still...

 

Here the article: https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption 

 

And from this article: "The two main use cases are Data at Rest protection, and Cryptographic Disk Erasure."

 

So... I believe it might be worth to investigate a bit further and then eventually push back and tell "IT" that they need to get their own "something" sorted instead of trying to make this a problem of the application layer.

 

This sounds to me mainly like a data storage security requirement to be solved on an IT infrastructure level.

 

Kurt_Bremser
Super User

On top of that, anytime a user creates a directory and uses it in a libname statement, they can create unencrypted datasets on their own.

 

So if encryption is really needed, it needs to be done on the file-system or disk level.

TomKari
Onyx | Level 15

Yes, @Kurt_Bremser I agree that this may not accomplish everything they need. It's a really tricky problem statement; it'll probably come down to details.

 

As you say, they may have to resort to O/S encryption.

 

Tom

Patrick
Opal | Level 21

@TomKari@Kurt_Bremser@pw_coop

 

I have to relativate some of the statements I've made earlier.

 

The one significant thing I've missed with metadata bound libraries:

Once defined there is no way one can use SAS to create tables which are not metadata bound. I'm rather impressed how this has been implemented 🙂

 

I've just done some testing where I've defined a metadata bound library with AES encription. I've then used a user I've given access to this library to copy sashelp.class to this library (via SAS EG). 

Then I've used PC SAS and issued the following code (using a different libref but pointing to the path defined as metadata bound):

libname testit 'd:\test';
data testit.classTWO;
  set sashelp.class;
run;

 

And that's what happened:

Capture.PNG

 

 

So yes, metadata bound libraries won't prevent a user from creating new folders BUT it will prevent users from creating insecured data in defined folders.

If hardware encryption is not an option then one could go for an approach where users are not allowed to create folders (on OS level) and there are secured libraries for all defined folders.

 

 

pw_coop
Calcite | Level 5

Thank you for all the advice and sorry for not replying sooner. I have been looking into the metadata bound libraries. I did a test on one library and this did encrypt all the SAS datasets and prevents opening in Notepad etc. The issue , which may be of my own doing, is that I can now not save any new datasets to the metadata bound library. The library still appears in Libraries under SASAPP in EG but i can not assign it.

 

The library or rather file does appear lower down uder Files\ Drivename\ SASWORK\ Folder . I can see all the SAS datasets, programs and other documents here and open them in EG. So my issue is am i creating the metadata bound library correctly or missing a step to allow the library to be assigned so I can save more datasets there?

 

I have full access to the library in the DataLibrary Manger so write and read metadata is allowed. Any help would be appreciated. I will not be replying for a week as I go on holiday until after Easter.

sas-innovate-2024.png

Join us for SAS Innovate April 16-19 at the Aria in Las Vegas. Bring the team and save big with our group pricing for a limited time only.

Pre-conference courses and tutorials are filling up fast and are always a sellout. Register today to reserve your seat.

 

Register now!

How to connect to databases in SAS Viya

Need to connect to databases in SAS Viya? SAS’ David Ghan shows you two methods – via SAS/ACCESS LIBNAME and SAS Data Connector SASLIBS – in this video.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 16 replies
  • 2437 views
  • 2 likes
  • 5 in conversation