4-page Case Study
Posted: 7/10/2013
137
Rate This Evidence:

LG Display Enterprise wide response to Privacy Protection Act with TDE in SQL Server

To comply with the Privacy Protection Act, LG Display undertook a project to organize its data platform environment at the enterprise-level. As its first step, they had their systems evaluated by security consultants to understand current state of personal information retention. The 2012 encryption project was then kicked off with, first, any data deemed unnecessary being deleted, and designated servers which required encryption. For this project, LG Display chose to make use of TDE, a feature built into SQL Server and thus not requiring use of a third-party solution. Given the intricate nature of the numerous systems involved in storing and safeguarding personal information, bringing in a third-party system would have only aggravated the complexity. With the decision taken to simplify its systems, LG Display put in place a governing policy to encrypt DB with TDE and make use of the current solution for access control. As a result, LG Display was able to keep changes in the enterprise data platform environment to a minimum, while increasing the level of encryption and thus bolstering its security. In addition, the company was able to be thoroughly prepared for compliance with Privacy Protection Act before it had come into effect.

“With TDE, we can clearly locate the responsibility and accountability. For instance, we have to call many vendors including DB solution providers when using a third-party solution. With TDE, though, we don't have to call anyone else: we deal with a single vendor. From the point of view of the company, adopting a new solution means that we have to find extra human resources. However, TDE has enabled us to respond to Privacy Protection Act without increasing personnel as the DB manager is now able to handle encryption-related work"
                                                                                                                      -Kang Seongyun, LG Display EA Team-


Situation

LG Display prepared fully and in advance for compliance with Privacy Protection Act at the enterprise level. They first began responding to the requirements of the Privacy Protection Act in 2011through implementing a security consulting service. The initial focus was to establish a standard for systems subject to the Privacy Protection Act as a way to determine the scope of their encryption project.

The consultations around enterprise security uncovered a number of surprises to LG Display, as the systems subject to the Act were far more than expected. After picking from the recommendations appropriate systems, they further sub-selected systems that actually needed to be encrypted due to unnecessary storage on them of personal information. LG Display worked with experts from various fields such as security, application and development, to delete all non-critical personal information. They then listed systems which needed to handle personal information for business purposes – and it was these systems which became the subject of the encryption project.

LG Display was then faced with the task of deciding which technology would be the most suitable. This was not easy due to a glut of relevant solutions in the market in the wake of the Privacy Protection Act. LG Display broke the question down into two overarching approaches. The first approach was to make use of the built-in encryption feature in DB and the second approach was to adopt the encryption solution provided by the domestic security solution providers. They examined the two approaches from all angles from performance to convenience in maintenance. After much debate, they opted for TDE (Transparent Data Encryption).

“It was difficult to read much into the performance evaluation as it was not easy to set up an objective standard. When it comes to a third-party solution, we were not able to guarantee compatibility unless we adopted a solution provided by a single vendor. We could have adopted one specific solution, but it would resulted in another thing to manage, diluting accountability in cases of system failure. Considering the complex setup, the rational choice was to use TDE built in DB", said Kang Seongyun, Deputy Head of LG Display EA Team.

Solution

In 2012, LG Display carried forward with the DB encryption project with Microsoft SQL Server as the subject. In promoting this project, LG Display decided to make use of DB built-in features for encryption and audit, while using the current solution for access control. Though LG Display could have used instances in DB and access control features for the columns in the table, they instead decided to make use of the existing access control tool in order to minimize changes to the enterprise DB platform.

The encryption project promoted in 2012 targeted dozens of system DB. Yet, it was Microsoft SQL Server-based systems which went through DB upgrade as the pre-project phase. As most systems were based on SQL Server 2000, they had to be upgraded in order to make use of TDE feature. While upgrading the old 2000 version to SQL Server 2012 Enterprise Edition, LG Display carried out DB encryption on a case-by-case basis. What they cared about most in this project was having the departments involved cooperate well together. “Many departments including security, management and development agreed to work together for this project. In close cooperation, we carried out DB upgrade, tuning and code-level application improvement, as needed”, said Kang Seongyun, Deputy Head.

Microsoft Korea contributed a great deal to this process. LG Display worked with engineers from Microsoft Korea on DB tuning. This was in order to minimize any performance losses that might have been caused by DB encryption. As a result, they were able to mitigate inconvenience among on-site users after DB encryption.

In early 2013, LG Display completed the encryption of their main systems. They quickly followed this up with the development of their Privacy Protection Act-related status management system and directory service duplexing. As their next project, they plan to undertake the maintenance of a centralized encryption key management system. This is with a view to performing the operation and management system at enterprise level rather than at unit system-level, given that they have standardized the application standard for encryption with TDE.

Benefits

Set enterprise-wide best practice for encryption

In the course of encrypting dozens of system, LG Display was able to establish Best Practice available for further reference when demand rises. This Best Practice is its ‘Patent Management System’, which was chosen for encryption through this project as it contains highly sensitive information about patent applicants and external users.

This system used to be managed by each department as necessary, rather than by the IT department. Whenever a new requirement arose, the new development had to be carried out, inevitably leading to performance issues cropping up. Plus, with different developers being assigned to work on every project, rather than one developer having responsibility for the system development, a bottleneck in performance was caused. This was part of the rationale for LG Display’s decision to go ahead with a physical-level upgrade after the system encryption in 2012.

LG Display upgraded their patent management system DB to SQL Server 2012 Enterprise Edition in the second half of 2012. While doing so, they worked on what users complained about most - the slow speed of the system. The results were better than expected. For this reason, LG Display members agreed on taking Patent Management System as Best Practice for further systems which also require the personal information on them to be protected.

“The Patent Management System was upgraded at application-level to the extent that it passed DB tuning. This resulted in an unexpected improvement in performance. As this was realized without the need to modify the source code on a large scale, we did not have to push ahead with the hardware replacement scheduled for 2013. We are now considering carrying out a further project based on what we achieved here”, said Kang Seongyin, Deputy Head.

Clarity over responsibility and accountability

With TDE in SQL Server 2012 Enterprise Edition as the standard encryption technique for compliance with Privacy Protection Act at enterprise-level, LG Display expects to enjoy many benefits from 'this standardization’. Above all, they are now able to have clarity over responsibility and management.

One thing that LG Display cleared up in establishing the counterstrategy for compliance with Privacy Protection Act was to ‘not have a third-part solution’. Using such solutions whenever a new regulation comes into effect carries the advantage of being able to help bring a prompt response at the unit business-level. However, from the point of view of the enterprise, there is a disadvantage to having more items on management’s radar. LG Display figured that the most effective way to respond to Privacy Protection Act is to implement a management and control mechanism at the enterprise level while, at the same time, keeping the management of the existing data platform as simple as it is now.

“With TDE, we can clearly locate the responsibility and accountability. For instance, we have to call many vendors including DB solution providers when using a third-party solution. With TDE, though, we don't have to call anyone else: we deal with a single vendor. From the point of view of the company, adopting a new solution means that we have to find extra human resources. However, TDE has enabled us to respond to Privacy Protection Act without increasing personnel as the DB manager is now able to handle encryption-related work", said Kang Seongyun, Deputy Head.

Significant cost-savings

With TDE as the enterprise DB encryption standard, LG Display was able to reap significant cost savings. In line with the version upgrade of the old SQL Server, the cost-saving effect became more practical because they carried out both version upgrades and encryption, without having to spend extra for adopting a third-part solution. Such cost-saving benefit is expected to increase whenever there is a demand for encryption. For reference, SQL Server 2012 Enterprise Edition offers the in-built functionalities required for compliance with Privacy Protection Act, including TDE, encryption key and authentication management, together with instance and data base audit.

Establish the standard for DB adoption

Meanwhile, LG Display has established a new DB evaluation standard. Through this project, LG Display was able to understand the status of all DB and figure out what to improve in terms other than security. LG Display plans to apply this new evaluation standard when planning future DB upgrades or new systems development across its departments. “With this Privacy Protection Act compliance project, we established a management standard for small and medium-sized DB. From now on, we plan to encourage the use of SQL Server for small DB, rather than Oracle, as SQL Server provides more benefits in terms of maintenance cost”, said Kang Seongyun, Deputy Head.

Microsoft Server Product Portfolio

www.microsoft.com/servers

For More Information

For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers in the United States and Canada who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:

www.microsoft.com

For more information about LG Display’s products and services, visit the website at:

www.lgdisplay.com

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Solution Overview



Organization Size: 35000 employees

Organization Profile

LG Display is a global company and leader in the medium and large-size display industry with products including monitors, laptops and TVs. LG Display is also a leader in next-generation displays, such as those used for all kinds of small devices, OLED and flexible devices.


Business Situation

The Privacy Protection Act came into force in September, 2011. To comply with consequent changes in policy, LG Display had to carry out DB encryption on systems in which personal information is stored.


Solution

For this, LG Display upgraded all its existing SQL Server 2000-based systems to SQL Server 2012 Enterprise Edition and encrypted DB with TDE, the default feature provided with SQL Server 2012. Such changes have meant the company had successfully completed its preparation for compliance with Privacy Protection Act before it came into effect.


Benefits

  • Set enterprise-wide best practice for encryption
  • Clarity over responsibility and accountability
  • Significant cost-savings
  • Establish the standard for DB adoption


Software and Services
  • Microsoft SQL Server
  • Microsoft SQL Server Technologies

Vertical Industries
High Tech & Electronics

Country/Region
Korea

Business Need
Identity and Security

IT Issue
Identity, Security and Access Management

Languages
English

RSS