03-27-2017 03:32 AM
Hello, I will apologise upfront for my lack of SAS knowledge, but I will present you with my issue and hopefully there is a simple solution. The IT Security team has asked that our internal SAS server encrypts data when at rest to the AES 256 SHA2 standard.
SAS/Secure168bit & SAS/SecureWindows are installed & licenced on the server.
I have read through the document Encryption in SAS 9.4 Sixth Edition and believe I have found the command to apply.
signon machine.unxspawn user=_prompt_;
So here are my questions:
1) Is this the correct code to activate encryption?
2) Where do I run this in SAS or in windows?
Any help would be appreciated.
03-27-2017 04:19 AM
"encrypts data when at rest"
Are they actually asking to encrypt all SAS datasets as stored on disk?
03-27-2017 04:41 AM
The information is good if we ensure the users complete the encryption. I probably was not clear, but the encryption needs to be automatically applied when users create files, so I am looking for an admin way of turning on encryption.
03-27-2017 05:24 AM
I don't think SAS has an option for this.
How is that security enforced on the other server systems in your organization?
03-27-2017 07:42 AM
The question for the other servers is
- what is encrypted (everything, certain file systems, users' directories, users' files, ...)
- and how it is done (password, public/private key, etc.)
03-27-2017 12:38 PM
According to this snippet from the referred document:
Beginning with the first maintenance release of 9.4, a metadata-bound library administrator can require that all data files in the bound library be encrypted with one of the two algorithms. For more information, see Requiring Encryption for Metadata-Bound Data Sets in Base SAS Procedures Guide and SAS Guide to Metadata-Bound Libraries.
you can actually force datasets to be encrypted as long as they are metadata-bound, which is a good practice for vital datasets anyway.
03-28-2017 02:29 AM
Good find, @TomKari. That should solve the problem for datasets, but if the IT people of the OP want all data encrypted (like input files copied to the server or files for export), I don't think one can force this from SAS.
03-28-2017 04:54 AM - edited 03-28-2017 06:52 AM
This is definitely not my area of expertise so just throwing some thoughts.
When reading your requirement I was immediately thinking: why the heck make that a responsibility of the application layer, with all the overhead it creates? What about hardware encryption? And then with some brief Googling a Wikipedia article came up - I know, that's only a starting point and needs verification, but still...
Here is the article: https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
And from this article: "The two main use cases are Data at Rest protection, and Cryptographic Disk Erasure."
So... I believe it might be worth investigating a bit further and then eventually pushing back and telling "IT" that they need to get their own "something" sorted instead of trying to make this a problem of the application layer.
This sounds to me mainly like a data storage security requirement to be solved on an IT infrastructure level.
03-28-2017 05:18 AM - edited 03-28-2017 07:15 AM
On top of that, anytime a user creates a directory and uses it in a libname statement, they can create unencrypted datasets on their own.
So if encryption is really needed, it needs to be done on the file-system or disk level.
03-28-2017 08:14 AM
Yes, @KurtBremser I agree that this may not accomplish everything they need. It's a really tricky problem statement; it'll probably come down to details.
As you say, they may have to resort to O/S encryption.
04-03-2017 04:59 AM - edited 04-03-2017 05:03 AM
I have to qualify some of the statements I've made earlier.
The one significant thing I've missed with metadata-bound libraries:
Once defined, there is no way one can use SAS to create tables which are not metadata bound. I'm rather impressed how this has been implemented :-)
I've just done some testing where I've defined a metadata-bound library with AES encryption. I've then used a user I've given access to this library to copy sashelp.class to this library (via SAS EG).
Then I've used PC SAS and issued the following code (using a different libref but pointing to the path defined as metadata bound):
libname testit 'd:\test';
data testit.classTWO;
  set sashelp.class;
run;
And that's what happened:
So yes, metadata-bound libraries won't prevent a user from creating new folders, BUT they will prevent users from creating unsecured data in defined folders.
If hardware encryption is not an option, then one could go for an approach where users are not allowed to create folders (on OS level) and there are secured libraries for all defined folders.
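As an added example (this is not code from any of the posts above), here is the PROC AUTHLIB sequence that implements what the documentation snippet TomKari quoted describes and what Patrick tested: binding a physical folder to a secured library in metadata and requiring AES encryption for every data set written into it. The metadata connection values, folder path, secured-library name, metadata folder, password and encryption key are all placeholders and must be replaced with the site's own.

```sas
/* Added example, not from the thread. Every name, path, password and      */
/* connection value below is a placeholder chosen for illustration.         */

/* Metadata server connection for this administrative session.             */
options metaserver='meta.example.local' metaport=8561
        metauser='sasadm@saspw' metapass='xxxxxxxx';

/* Physical folder that will hold the bound data sets (placeholder path).   */
libname secure 'd:\test';

/* Bind the folder to a secured library object in metadata and require AES  */
/* for every data set in it. ENCRYPTKEY= is mandatory with ENCRYPT=AES; the */
/* key is kept in metadata, so users writing to the library do not have to  */
/* supply it themselves.                                                    */
proc authlib lib=secure;
   create securedlibrary='Finance Secured Library'
          securedfolder='/System/Secured Libraries/Finance'
          pw=Pw4Bind2017
          require_encryption=yes
          encrypt=aes
          encryptkey=K3yForAes2017;
run;
quit;

/* Check: report the binding and the encryption requirement now in force.   */
proc authlib lib=secure;
   report;
run;
quit;

/* What a user sees afterwards: the same physical folder through a different */
/* libref, as in Patrick's test. The binding is on the folder, not on the   */
/* libref, so this data set cannot be written to d:\test in the clear.       */
libname testit 'd:\test';
data testit.classTWO;
   set sashelp.class;
run;
```

This needs SAS 9.4 M1 or later (the release the quoted snippet names) and an identity with the permissions of a metadata-bound library administrator. The REPORT step is the check to run after binding, and again whenever a library "cannot be assigned" as described later in the thread, to confirm that the physical path and the secured-library object in metadata still agree.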
04-07-2017 08:35 AM
Thank you for all the advice and sorry for not replying sooner. I have been looking into the metadata-bound libraries. I did a test on one library and this did encrypt all the SAS datasets and prevents opening in Notepad etc. The issue, which may be of my own doing, is that I can now not save any new datasets to the metadata-bound library. The library still appears in Libraries under SASAPP in EG but I cannot assign it.
The library, or rather file, does appear lower down under Files\ Drivename\ SASWORK\ Folder. I can see all the SAS datasets, programs and other documents here and open them in EG. So my issue is: am I creating the metadata-bound library correctly, or missing a step to allow the library to be assigned so I can save more datasets there?
I have full access to the library in the Data Library Manager, so write and read metadata is allowed. Any help would be appreciated. I will not be replying for a week as I go on holiday until after Easter.