Question

Data encryption for decision data store in Pega internal Cassandra

The client is looking for guidance on the data encryption features of Cassandra. They want to know how to encrypt data at rest in Cassandra on Pega Marketing 7.3.1. Please advise on data encryption and provide instructions on how this can be configured in Pega's Cassandra component.

***Edited by Moderator Marissa to update SR Details***

Comments

November 11, 2019 - 8:59am

Hi Nicolas,

Kindly follow the section "Configuring a Cassandra cluster for encryption" in the attached Pega Cassandra operations Guide.pdf.

Hope this helps in addressing your requirement.

Cheers,

Santhosh

November 11, 2019 - 6:23pm
Response to Santhosh_Holla

Hi Santhosh,

Thanks for sharing the Cassandra operations guide. There are some options for encrypting data in transit (between client and server or between server nodes).

However, I noticed that there is no mention of the option of encrypting data at rest in the doc, which is what the client was looking to do. Does it mean that encrypting data at rest is not supported by the Pega Cassandra decision data store? Also, I found the article below, which mentions separating Cassandra from DSM. Does it mean that Cassandra has to be separated from DSM in order to enable data encryption at rest?

https://community1.pega.com/community/product-support/question/how-cassandra-data-protected

Mod
November 14, 2019 - 9:55am

Tagging @wtekiela who might have more inputs to share.

Lochana | Community Moderator | Pegasystems Inc.

Pega
November 14, 2019 - 11:47am

Hi Nicolas,

Let me understand your requirements a bit more. By saying "encrypting data at rest", do you have any particular DSM component in mind? Or is the requirement to universally encrypt all stored data?

As far as I know, currently there is no way to just "enable" data encryption for managed Cassandra. However, you can implement encryption at the application level, before saving data into DDS. Another possibility - depending on the setup - would be to use an encrypted file system for cassandra_data directory. Tagging @kaman and @NigelPeach

Keen on hearing more about your exact requirements.
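
An added example (not from the thread and not Pega code) of the application-level option mentioned above: selected PII fields are encrypted with AES-256-GCM before the record is handed to the data store. The class name, field names, record id and the in-memory demo key are assumptions for illustration; how the values are written to DDS is not shown.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class PiiFieldCrypto {
    // Assumed column names, based on the PII examples named in the thread.
    static final Set<String> PII = Set.of("name", "phone", "birthday", "gender");
    static final SecureRandom RNG = new SecureRandom();

    // The AAD binds each ciphertext to its record id and column, so a value
    // copied into another row or column fails authentication on decrypt.
    static String seal(SecretKey k, String recordId, String field, String value) throws Exception {
        byte[] iv = new byte[12];               // fresh 96-bit nonce per value
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        c.updateAAD((recordId + "|" + field).getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(
                ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
    }

    static String open(SecretKey k, String recordId, String field, String stored) throws Exception {
        byte[] blob = Base64.getDecoder().decode(stored);   // layout: iv || ciphertext+tag
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, blob, 0, 12));
        c.updateAAD((recordId + "|" + field).getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }

    // Encrypt only the PII columns; the others stay in clear and remain filterable.
    static Map<String, String> protect(SecretKey k, String recordId, Map<String, String> row) throws Exception {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : row.entrySet())
            out.put(e.getKey(), PII.contains(e.getKey()) ? seal(k, recordId, e.getKey(), e.getValue()) : e.getValue());
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();       // demo key only; load from a keystore or KMS in practice
        Map<String, String> row = new LinkedHashMap<>();    // constructed sample record
        row.put("name", "Jane Example"); row.put("phone", "+1-555-0100"); row.put("segment", "gold");
        Map<String, String> stored = protect(key, "CUST-1", row);
        System.out.println(stored);             // PII columns are now base64 blobs
        System.out.println(open(key, "CUST-1", "name", stored.get("name")));
    }
}
```

Because every value gets a random nonce, encrypted columns cannot be used for equality lookups or as partition keys; keep any field the store must query on in clear or index it separately.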

Pega
November 14, 2019 - 12:26pm
Response to wtekiela

Hi Nicolas, I too would like to hear the details. I'm not aware of how you'd encrypt the data at rest other than using lower-level OS/hardware support (which is what we do for Pega Cloud).

November 15, 2019 - 9:08pm

Hi @wtekiela, @NigelPeach,

Thank you for your response. The client's use case is to encrypt some of the PII data fields such as name, phone number, birthday, gender, etc. stored in the decision data store, which is a DSM component running on internal Cassandra. They understand the PII data in DDS is stored as files on the server and raised concerns about the data security, as currently they encrypted all the data in MS SQL Server database using transparent data encryption. Do you mean that there is no way to encrypt data at rest in Cassandra DDS apart from 1) encrypting data at application level before saving it in DDS and 2) leveraging an encrypted file system for the cassandra_data directory?

I found an encryption option (transparent_data_encryption_options) in Cassandra.yaml file from some of the mesh articles. Is this option not supported by Pega-managed Cassandra?

Let me know if you have any further questions on the client requirements. Looking forward to your reply.

Thanks,

Nicolas Li

Pega
November 18, 2019 - 4:30am

Hi, the setting that you've mentioned (transparent_data_encryption_options) is only available in Cassandra 3.11 and later. Pega 7.3.1 uses Cassandra 2.1, which does not support this option. Cassandra 3.11.3 is available as part of the platform since Pega 8.3.