Question
Pegasystems Inc.
AU
Last activity: 18 Nov 2019 8:41 EST
Data encryption for decision data store in Pega internal Cassandra
The client is looking for guidance on the data encryption features in Cassandra. They want to know how to encrypt data at rest in Cassandra on Pega Marketing 7.3.1. Please advise on data encryption and provide instructions on how this can be configured in Pega's Cassandra component.
***Edited by Moderator Marissa to update SR Details***
Pegasystems Inc.
AU
Hi Nicolas,
Kindly follow the section "Configuring a Cassandra cluster for encryption" in the attached Pega Cassandra operations Guide.pdf.
Hope this helps in addressing your requirement.
Cheers,
Santhosh
Pegasystems Inc.
AU
Hi Santhosh,
Thanks for sharing the Cassandra operations guide. There are some options for encrypting data in transit (between client and server or between server nodes).
However, I noticed that there is no mention of the option of encrypting data at rest in the doc, which is what the client was looking to do. Does it mean that encrypting data at rest is not supported by the Pega Cassandra decision data store? Also, I found the article below, which mentions separating Cassandra from DSM. Does it mean that Cassandra has to be separated from DSM in order to enable data encryption at rest?
https://collaborate.pega.com/question/how-cassandra-data-protected
Pegasystems Inc.
PL
Hi Nicolas,
Let me understand your requirements a bit more. By saying "encrypting data at rest", do you have any particular DSM component in mind? Or is the requirement to universally encrypt all stored data?
As far as I know, currently there is no way to just "enable" data encryption for managed Cassandra. However, you can implement encryption at the application level, before saving data into DDS. Another possibility, depending on the setup, would be to use an encrypted file system for the cassandra_data directory. Tagging @kaman and @NigelPeach
Keen on hearing more about your exact requirements.
Pegasystems Inc.
GB
Hi Nicolas, I too would like to hear the details. I'm not aware of how you'd encrypt the data at rest other than using lower-level OS/hardware support (which is what we do for Pega Cloud).
Pegasystems Inc.
AU
Hi @wtekiela, @NigelPeach,
Thank you for your response. The client's use case is to encrypt some of the PII data fields, such as name, phone number, birthday, gender, etc., stored in the decision data store, which is a DSM component running on internal Cassandra. They understand the PII data in DDS is stored as files on the server and raised concerns about the data security, as they currently encrypt all the data in the MS SQL Server database using transparent data encryption. Do you mean that there is no way to encrypt data at rest in Cassandra DDS apart from 1) encrypting data at the application level before saving it in DDS and 2) leveraging an encrypted file system for the cassandra_data directory?
I found an encryption option (transparent_data_encryption_options) in the Cassandra.yaml file from some of the mesh articles. Is this option not supported by Pega-managed Cassandra?
Let me know if you have any further questions on the client requirements. Looking forward to your reply.
Thanks,
Nicolas Li
Pegasystems Inc.
PL
Hi, the setting that you've mentioned (transparent_data_encryption_options) is only available in Cassandra 3.11 and later. Pega 7.3.1 uses Cassandra 2.1, which does not support this option. Cassandra 3.11.3 is available as part of the platform since Pega 8.3.
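For reference, this is the shape of the `transparent_data_encryption_options` block in a stock Apache `cassandra.yaml`, shown disabled (the shipped default) and then enabled. It is an added example, not part of the original thread or of Pega's documentation; the key alias, keystore path and password placeholders are assumptions.

```yaml
# --- Shipped default: block present, encryption off --------------------
# transparent_data_encryption_options:
#     enabled: false
#     chunk_length_kb: 64
#     cipher: AES/CBC/PKCS5Padding
#     key_alias: testing:1
#     key_provider:
#       - class_name: org.apache.cassandra.security.JKSKeyProvider
#         parameters:
#           - keystore: conf/.keystore
#             keystore_password: cassandra
#             store_type: JCEKS
#             key_password: cassandra

# --- Enabled variant (values marked "placeholder" are constructed) -----
# Scope caveat: the comments in the stock file list only commit log and
# hints files as covered by this option. SSTable data files (where the
# PII columns end up) are not encrypted by it, so file-system or
# application-level encryption is still needed for those.
transparent_data_encryption_options:
    enabled: true
    chunk_length_kb: 64
    cipher: AES/CBC/PKCS5Padding
    # Only the key named here is used to encrypt; older keys must stay
    # in the keystore so previously written files can still be decrypted.
    key_alias: dds-key:1                               # placeholder alias
    # iv_length: 16                                    # AES/CBC default
    key_provider:
      - class_name: org.apache.cassandra.security.JKSKeyProvider
        parameters:
          - keystore: /path/to/cassandra-keystore.jceks   # placeholder path
            keystore_password: "<KEYSTORE_PASSWORD>"      # placeholder, never the shipped default
            store_type: JCEKS
            key_password: "<KEY_PASSWORD>"                # placeholder
```

The keystore must hold an AES secret key under the configured alias and be readable only by the account that runs Cassandra.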
Pegasystems Inc.
IN
@NicolasCLSA Tagging for visibility