Data at rest

To meet the requirements of GDPR, the data commonly stored in databases must be encrypted. When installing OneSpan Authentication Server, you can choose between a Basic installation option that uses an embedded database and an Advanced installation option. With the Advanced option, you can either select MariaDB or configure your own custom database.

Before you proceed with the Advanced installation option of OneSpan Authentication Server, you must correctly configure the ODBC drivers of the respective database.

If your organization is impacted by the General Data Protection Regulation (GDPR) and you select the Advanced installation option, you must ensure that the GDPR requirements are met, and that the database and its connections are adequately encrypted!

Data between the OneSpan Authentication Server service and the data store

OneSpan Authentication Server connects to the ODBC data store using ODBC drivers. An SSL tunnel needs to be set up between the ODBC driver and the ODBC DBMS. For more information about configuring the ODBC drivers with the ODBC DBMS, refer to the product documentation of your DBMS.

OneSpan Authentication Server supports the use of the following ODBC databases as its data store:

  • MariaDB 10.11.5

    OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.

  • Oracle Database 19c

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).

  • Microsoft SQL Server

    • Microsoft SQL Server 2022
    • Microsoft SQL Server 2019
    • Microsoft SQL Server 2017
    • Microsoft SQL Server 2016

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.

Embedded MariaDB database

If you select the embedded database for the Basic installation, a window prompts you to choose whether to enable encryption for the embedded database store and database connections. If you click Yes, MariaDB is installed and configured by default to meet the requirements of GDPR.

If you click No in the OneSpan Authentication Server Installation Wizard, you must manually encrypt the database store and database connections to be GDPR-compliant.
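For the manual route described above, and for the encrypted ODBC connection required in "Data between the OneSpan Authentication Server service and the data store", the following added check (not OneSpan's own tooling) audits a MariaDB option file for the data-at-rest and TLS settings a GDPR-compliant data store needs. The option names are MariaDB's own (file_key_management plugin, InnoDB encryption and TLS options); the option file in WEAK_CNF is a constructed sample.

```python
# [mysqld] options the audit expects: "ON" = boolean on, "" = any non-empty
# value, any other string = must appear in the option's comma-separated value.
REQUIRED = {
    "plugin_load_add": "file_key_management",  # key-management plugin
    "file_key_management_filename": "",        # key file for data-at-rest encryption
    "innodb_encrypt_tables": "ON",             # encrypt InnoDB tablespaces
    "innodb_encrypt_log": "ON",                # encrypt the redo log
    "encrypt_binlog": "ON",                    # encrypt binary logs
    "encrypt_tmp_files": "ON",                 # encrypt temporary files
    "ssl_cert": "",                            # TLS server certificate
    "ssl_key": "",                             # TLS server private key
    "require_secure_transport": "ON",          # refuse plaintext client connections
}

def parse_mysqld_options(text):
    # {option: value} for the [mysqld] group; MariaDB treats '-' and '_' as equal.
    opts, group = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):       # blank, comment or !include line
            continue
        if line.startswith("["):
            group = line.strip("[]").strip().lower()
        elif group == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("-", "_")] = value.strip().strip('"')
    return opts

def audit(text):
    # Returns a list of findings; an empty list means every check passed.
    opts, findings = parse_mysqld_options(text), []
    for key, want in REQUIRED.items():
        have = opts.get(key, "")
        if not have:
            findings.append(f"{key} is not set")
        elif want == "ON" and have.lower() not in {"on", "1", "true"}:
            findings.append(f"{key} is {have}, expected ON")
        elif want not in ("", "ON") and want not in [v.strip() for v in have.split(",")]:
            findings.append(f"{key} does not include {want}")
    return findings

# Constructed sample: TLS files present, but plaintext connections still accepted
# and the redo log, binary log and temporary files left unencrypted.
WEAK_CNF = """[mysqld]
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
innodb_encrypt_tables = ON
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
require_secure_transport = OFF
"""
```

Run `audit(open("/etc/my.cnf").read())` against the server's actual option file; the key file referenced by file_key_management_filename must itself be protected (file permissions, or an encrypted key file), which this check does not cover.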

For more detailed information about MariaDB and data-at-rest encryption, refer to the OneSpan Authentication Server Installation Guide for Linux, the OneSpan Authentication Server Installation Guide for Windows, the OneSpan Authentication Server Administrator Guide, and the MariaDB product documentation.

External database

When opting for the Advanced installation of OneSpan Authentication Server, you can use MariaDB, Oracle Database, or Microsoft SQL Server as the main data store. It is your organization's responsibility to provide encryption for any of the mentioned data stores. Automatic setup is supported for MariaDB.

Transparent Data Encryption (TDE)

Transparent Data Encryption allows the encryption of databases at file level.

For more detailed information about encrypting Oracle and Microsoft SQL Server databases with Transparent Data Encryption, refer to the OneSpan Authentication Server Administrator Guide.

Features not supporting encryption (data at rest)

When selecting an Advanced installation in the OneSpan Authentication Server Installation Wizard, certain features in OneSpan Authentication Server do not support encryption. Additional steps are required to be GDPR-compliant.

Auditing for OneSpan Authentication Server

If auditing is performed via syslog, Windows Event Log, or text file, it is your organization's responsibility to ensure the security of the data.

Text file

The text file is not encrypted by OneSpan Authentication Server. If auditing is to be performed via a text file, your organization must ensure that the folder or the database storing this information is encrypted.

Store only the customer data that is required, and delete data that no longer serves a purpose. Placeholders for time and date can be used in log file names to implement log rotation and the implicit deletion of data that is no longer needed.

For more information about placeholders, refer to the OneSpan Authentication Server Administrator Reference.

For more information about data erasure, see Erasure of personal data in OneSpan Authentication Server.

Syslog (Linux)/Windows Event Log (Windows)

By default, the system log events are stored locally. In this case, the local folder storing them must be encrypted. If event logs are configured to be stored on a remote location, the remote location containing the log files has to be encrypted (either by encrypting the hard disk or the respective folder).

The auditing output from OneSpan Authentication Server can be configured using the Configuration Utility.

When using auditing, do the following:

  • Use database auditing to an encrypted database
  • Use hard disk or folder level encryption to protect audit text files and logs

Trace files

OneSpan Authentication Server offers tracing for troubleshooting purposes. The level of tracing used by OneSpan Authentication Server can be configured using the OneSpan Authentication Server Configuration Utility. These tracing messages are written to text files, and either the folder or the hard disk containing the data will have to be encrypted.

We strongly recommend using the tracing feature only for troubleshooting purposes, and disabling tracing when OneSpan Authentication Server is used in production mode, to enhance server performance.

For more information about configuring tracing for OneSpan Authentication Server, refer to the OneSpan Authentication Server Administrator Reference, Section "Tracing".

Replication

Replication can be configured to allow multiple OneSpan Authentication Server instances to keep their data synchronized and ensure consistency. OneSpan Authentication Server replicates entire records, rather than individual record attributes. When multiple OneSpan Authentication Server instances use different ODBC databases as their data stores, replication ensures that each database is up to date with the latest data changes.

The data to be replicated is temporarily stored in a SQLite database and then transferred via messages over the SEAL protocol to its destination server. The data that is temporarily stored on disk is not encrypted by OneSpan Authentication Server. To be GDPR-compliant, we recommend encrypting the folder or the hard disk.

For more information, refer to the OneSpan Authentication Server Administrator Guide, Section "Replication".