Reputation: 11
My boss asked me to get an idea about MarkLogic customer usage of encryption at rest. The product has offered encryption-at-rest since server version 9: https://help.marklogic.com/knowledgebase/article/View/encryption-at-rest
My company is considering the pros & cons. I'll likely reach out to ML customer success team also, but I'm hoping for actual customer feedback too. I'm confident that it's technically feasible, but I'd love some feedback on:
Also, did you implement external or internal key management?: https://help.marklogic.com/Knowledgebase/Article/View/encryption-at-rest-with-an-external-kms-in-marklogic
In our case we don't have any PCI or HIPAA data & just little PII (names & email addresses). Our database servers are all hosted in private subnets, so the perimeter security isn't bad. In the past we decided the "juice wasn't worth the squeeze" to encrypt-at-rest. Now a recent consulting assessment suggests we consider it (again).
Thanks in advance for any feedback you can offer!
Upvotes: 1
Views: 76
Reputation: 3732
You can 'move the problem' around by using whole disk encryption. Since you're on AWS, you can use EBS encryption, or you can DIY it on ephemeral. This should allow memory-mapped OS access to the files without needing more RAM (EBS), or maybe not as much more (ephemeral, depending on the whole-disk encryption SW used).
A key advantage of ML encryption-at-rest, which if you don't need, you don't need ... is that it's NOT whole disk encryption, it's Forest encryption. There are some use cases where that is important, and others where it is not.
Upvotes: 1
Reputation: 66783
Something that may be a "surprise" is how memory demands and utilization can change.
Range indexes are normally (when unencrypted) memory-mapped files that are treated as if they were in-memory, but rely on the OS to transparently read, and leverage the file cache and buffers.
With encryption at rest, range index memory that is normally file-backed is ANON instead. Range index files need to be decrypted on read and that information held in memory. This changes how the information is accessed and it will need to use more ANON. And because it is now in ANON, when memory is low it can/will use swap more often than it would in a system that does not have encryption at rest.
Upvotes: 1
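The answer above describes a shift of range-index pages from file-backed mappings to anonymous memory. The check a practitioner would want before and after enabling encryption at rest is to measure that split for the database process directly from the kernel's per-mapping accounting in /proc/PID/smaps. The following is an added example, not code from the original thread or from MarkLogic: a small parser that sums resident (Rss), anonymous (Anonymous) and swapped (Swap) kilobytes per mapping and reports the anonymous fraction. The sample smaps text embedded below is constructed for illustration, and its file paths are made up; on a real Linux host you would read /proc/<pid>/smaps for the database process instead.

```python
"""Split a process's resident memory into file-backed vs anonymous (ANON) pages
by parsing /proc/<pid>/smaps. Added example; the SAMPLE_SMAPS text and its
paths are constructed, not captured from a real MarkLogic host."""
import re
import sys
from collections import defaultdict

# Mapping header: "start-end perms offset dev inode [pathname]"
_HEADER_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)
# Per-mapping counters: "Rss:   123 kB", "Anonymous:   0 kB", "Swap:  0 kB", ...
_FIELD_RE = re.compile(r"^(?P<key>[A-Za-z_]+):\s+(?P<val>\d+)\s+kB$")


def parse_smaps(text):
    """Yield one dict per mapping with 'path', 'perms' and the kB counters found."""
    mapping = None
    for line in text.splitlines():
        header = _HEADER_RE.match(line)
        if header:
            if mapping is not None:
                yield mapping
            mapping = {"path": header.group("path").strip(), "perms": header.group("perms")}
            continue
        field = _FIELD_RE.match(line)
        if field and mapping is not None:
            mapping[field.group("key")] = int(field.group("val"))
    if mapping is not None:
        yield mapping


def summarize_smaps(text):
    """Return (totals, by_path). Rss minus Anonymous is the file-backed resident
    portion of a mapping; Anonymous is what must be held in ANON or pushed to swap."""
    totals = {"rss_kb": 0, "anon_kb": 0, "file_backed_kb": 0, "swap_kb": 0}
    by_path = defaultdict(lambda: {"rss_kb": 0, "anon_kb": 0, "swap_kb": 0})
    for mp in parse_smaps(text):
        rss, anon, swap = mp.get("Rss", 0), mp.get("Anonymous", 0), mp.get("Swap", 0)
        totals["rss_kb"] += rss
        totals["anon_kb"] += anon
        totals["file_backed_kb"] += rss - anon
        totals["swap_kb"] += swap
        label = mp["path"] or "[anon]"
        by_path[label]["rss_kb"] += rss
        by_path[label]["anon_kb"] += anon
        by_path[label]["swap_kb"] += swap
    totals["anon_fraction"] = totals["anon_kb"] / totals["rss_kb"] if totals["rss_kb"] else 0.0
    return totals, dict(by_path)


# Constructed sample: one shared file mapping (how an unencrypted range index
# looks), one large anonymous region partly in swap, and the heap.
SAMPLE_SMAPS = """\
7f3a40000000-7f3a48000000 r--s 00000000 08:11 393217    /var/opt/MarkLogic/Forests/example-forest/range-index.example
Size:             131072 kB
Rss:              131072 kB
Private_Clean:    131072 kB
Anonymous:             0 kB
Swap:                  0 kB
7f3a48000000-7f3a50000000 rw-p 00000000 00:00 0
Size:             131072 kB
Rss:               98304 kB
Private_Dirty:     98304 kB
Anonymous:         98304 kB
Swap:              32768 kB
55d0c2000000-55d0c2100000 rw-p 00000000 00:00 0    [heap]
Size:               1024 kB
Rss:                 768 kB
Anonymous:           768 kB
Swap:                  0 kB
"""

if __name__ == "__main__":
    # Usage: python smaps_split.py [pid]   (no pid -> the constructed sample)
    text = open(f"/proc/{sys.argv[1]}/smaps").read() if len(sys.argv) > 1 else SAMPLE_SMAPS
    totals, by_path = summarize_smaps(text)
    print(f"rss={totals['rss_kb']} kB  file-backed={totals['file_backed_kb']} kB  "
          f"anon={totals['anon_kb']} kB ({totals['anon_fraction']:.1%})  swap={totals['swap_kb']} kB")
    for path, v in sorted(by_path.items(), key=lambda kv: -kv[1]["anon_kb"])[:10]:
        print(f"  {v['anon_kb']:>10} kB anon  {v['swap_kb']:>8} kB swap  {path}")
```

Run it once against the database process on an unencrypted forest and once after enabling encryption at rest; if the answer's description holds, the file-backed total shrinks, the anonymous total and fraction grow by roughly the range-index footprint, and under memory pressure the swap column starts to move. Newer kernels also expose /proc/<pid>/smaps_rollup with the same counters pre-summed, which is cheaper when you only want the totals.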