Educational Testing Service Transparently Encrypts Sensitive Information of Millions of Customers
 
 


Educational Testing Service (ETS), which creates and administers the GRE General Test, the Test of English as a Foreign Language (TOEFL), the Test of English for International Communication (TOEIC), and the College Board's SAT, is one of the world's largest private testing and research organizations. The not-for-profit group develops and administers more than 50 million achievement, admissions, academic, and professional tests yearly, at nearly 10,000 locations in more than 180 countries.

ETS had to adapt to changes in the regulatory landscape that specify the use of encryption to protect sensitive information collected from its millions of yearly test takers.

The company reduced risk by deploying Oracle Advanced Security into its Oracle Database environment to secure personally identifiable information, including social security and credit card numbers. By using Oracle Advanced Security with Transparent Data Encryption, ETS was able to save significant time and money by addressing two key requirements: no application changes and negligible performance overhead. It now successfully encrypts data-at-rest and on backups to a storage area network.

 
 

 
 

A word from Educational Testing Service

  • “We’re very pleased with Oracle Advanced Security with Transparent Data Encryption because it enables us to encrypt all application data stored in our database and protect our database backups. The solution was simple to implement—since there were no changes to our applications—and it included essential capabilities, such as key management.” – Brad Peiffer, Director of IT, Educational Testing Service

Challenges

  • Secure sensitive and regulated data for millions of customers (academic test takers) to comply with state security breach notification laws and payment card industry data security standards (PCI-DSS) that specify encryption for data-at-rest and on backups
  • Implement encryption without costly and time-consuming modifications to application code
  • Maintain the performance of existing systems that include processes that can take as long as 5 to 10 hours to complete, even without encryption
  • Simplify IT administration processes for periodic encryption key rotation to maintain regulatory compliance

Solutions

  • Protected regulated test-taker data—including credit card numbers—with Oracle Advanced Security to comply with multiple data protection regulations, including PCI-DSS
  • Deployed Oracle Advanced Security with Oracle transparent data encryption in a matter of weeks, since no application changes were required
  • Encrypted production data with less than 2% impact on system performance
  • Used Oracle transparent data encryption’s built-in key management with two-tier key architecture for separation of duties 
  • Implemented master key rotation policies without needing to decrypt and re-encrypt data, a process that would result in downtime or disruption to operations
  • Saved backup time and storage space with the integration between Oracle Advanced Security and Oracle’s RMAN backup utility, which ensures data is compressed before it is encrypted and backed up to a storage area network