I must tell you up front, I am not a fan of anything 3rd party if the 1st party can do it. Tools must truly be value-added propositions, or they don’t fly with me. In our user group presentation last night, I found myself wanting desperately to be working as the DBA at “that company,” which was described as having all sorts of problems that Hexatier would solve. The situation described that made this tool the solution would not have happened with my database. True, at least to a degree. Some of the speaker’s recent experience described a DBA and a couple of developers as people who needed to be slapped. In his example, the DBA was at fault for not restricting the access. We’re talking about a product that is HIPAA-compliant here, so the lack of procedures, rules, and policies (basically, the lack of control) to keep that from happening would make it NOT compliant. In this respect, the tool is fixing a problem that does not exist.
I am also an advocate for small business, and while I do my best to follow the law, I do not fully accept the copyright, patent and trademark systems (laws) as entirely proper. They’re law. I inherently object to a patented implementation of a common idea as something I’m willing to buy into… unless it meets the first rule, and adds value. Otherwise, I would have to look at what it does, how it does it, and do it myself; hopefully, avoiding any copyright infringement.
I mean to say, that’s the system. These common ideas are captured in a legal format that means “don’t use them”; but, you can’t win in business if you don’t, so you use them. Nothing happens if you’re mildly successful, or at least privately successful; but, you make it in a big way, and you’re sued into oblivion; whether you knew of the patent, or not. The laws stifle individual creativity.
That said, Hexatier’s visual encryption of data is interesting. Whether it is sufficient on its own, or still requires other layers of encryption beneath it, along with the related key management requirements, remains to be seen. This could be value-added.
The time required to move a system forward into an encrypted environment was estimated at 12 to 18 months. The time to back out, if the solution were found unacceptable, was another six months.
With Hexatier’s “dynamic” encryption, and the ability to back out instantly, that is definitely a leg up… if it is truly considered to be a HIPAA-compliant solution. Again? Value added?
Then, there is their scan tool. It finds propagated sensitive data, and reports it. This sounds pretty slick, down to and including the ability not only to recognize the format of a number (e.g., 012-34-5678 as an SSN) but also to tell whether it is a valid SSN or a bogus one.
Clearly, I do not understand the math that pulls that one off without a lookup somewhere. So, the Hexatier tool does some neat things, and I might want to see some of them in operation. The product is available in the AWS Marketplace, and there is a check box for a trial offer.
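As an added example (not Hexatier’s code, whose method the talk did not disclose), the following Python shows one way a scanner can separate SSN-shaped strings from structurally impossible ones using only the Social Security Administration’s published allocation rules, with no lookup beyond a tiny set of publicly known never-issued numbers. The table and column names and the sample rows are constructed for illustration.

```python
import re

# Shape of a formatted SSN as the post describes it (e.g. 012-34-5678). One optional
# hyphen or space between groups also catches values propagated with separators dropped.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Numbers the SSA has publicly stated were never issued (used in old advertisements).
KNOWN_BOGUS = {"078051120", "219099999"}

def is_structurally_valid(area, group, serial):
    """SSA allocation rules: enough to reject many bogus numbers without any lookup."""
    if area in ("000", "666") or area.startswith("9"):
        return False  # area numbers 000, 666 and 900-999 are never issued
    if group == "00" or serial == "0000":
        return False  # group 00 and serial 0000 are never issued
    return (area + group + serial) not in KNOWN_BOGUS

def classify(value):
    """Return 'not_ssn', 'bogus_ssn' or 'possible_ssn' for one cell value."""
    m = SSN_RE.search(value)
    if not m:
        return "not_ssn"
    return "possible_ssn" if is_structurally_valid(*m.groups()) else "bogus_ssn"

def scan(rows):
    """rows: iterable of (table, column, value). Returns (table, column, verdict)
    for every cell that is SSN-shaped, so findings can be diffed between scans."""
    findings = []
    for table, column, value in rows:
        verdict = classify(str(value))
        if verdict != "not_ssn":
            findings.append((table, column, verdict))
    return findings

# Constructed sample rows: a plausible SSN that has leaked into a free-text column,
# several structurally impossible ones, and numeric data that is not an SSN at all.
SAMPLE_ROWS = [
    ("patients", "ssn", "012-34-5678"),
    ("visits", "notes", "Pt confirmed SSN 012 34 5678 at intake"),
    ("patients", "ssn", "000-12-3456"),
    ("patients", "ssn", "123-00-4567"),
    ("test_data", "ssn", "078-05-1120"),
    ("patients", "phone", "555-1234"),
    ("visits", "visit_date", "2024-01-15"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ROWS):
        print(finding)
```

A real scanner would also weight findings by column name and data type, and a structurally valid number is still only “possible”: these rules prove a number could not have been issued, never that it was.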
The Hexatier product was worth looking at and understanding. I am concerned about DB rules, tool rules, and CloudFormation rules, and how and where to use them, and for that matter, who should use them. A lot of this is defined in the big HIPAA picture; the separation of duties, for instance, is not up to the DBA to establish. It is part of a statement in a document and of practiced procedures which have been audited and will be audited again regularly.
Hopefully, your DBA is nowhere near as bad as in the example given; but, I question if the DBA that got you here should be the one implementing this tool, or your database, for that matter.
Hire me for four to six months to straighten things out. Then we can talk about tools which may or may not be needed.