9 Replies Latest reply on Dec 20, 2013 8:28 AM by Paurav Joshi

    Encrypt PI Data in Transit

    Paurav Joshi

      Hi,

       

      I want to encrypt PI Data before sending it to a 3rd party application server / PI Server. Is it possible? I want to use an option other than PI Webservice or PI Cloud.

       

      Please reply as soon as possible.

      Thanks,

       

      Paurav Joshi

        • Re: Encrypt PI Data in Transit

          Hello Paurav,

           

          Are you asking if any PI Data Access method offers encryption or are you asking on how to implement encryption when sending data to a 3rd party application?

           

          What would be your preferred Data Access method?

            • Re: Encrypt PI Data in Transit
              Paurav Joshi

              Hi Gregor,

               

              Sorry for the late reply. My question is "how to implement encryption when sending data to a 3rd party application?"

               

              My preferred data access method is through PI Interface.

                • Re: Encrypt PI Data in Transit

                  Hello Paurav,

                   

                  Communication between a custom application and a 3rd party application usually wouldn't involve any PI Data Access product. Hence I would suggest checking the 3rd party application manual for information about how communication can be encrypted. The best encryption algorithm wouldn't help you if it is not understood by the party that you are talking to.

                   

                  PI Interfaces usually read data from "foreign" data sources and send them to one or more PI Server(s) (with n-way buffering). Some PI Interfaces also support outputs, meaning writes from PI to the "foreign" data source. If there's encryption supported by the 3rd party application, we would need to check the manual of the corresponding PI Interface to see if it supports this encryption as well.

                   

                  What is the 3rd party application we are talking about?

                    • Re: Encrypt PI Data in Transit

                      Are you referring to streaming data or to batches? And we also have a new offering, PI Cloud Connect, which encrypts data - this is designed for exchanging PI data with third parties.

                        • Re: Encrypt PI Data in Transit
                          Paurav Joshi

                          @Gregor: We are dealing with a web application hosting server as the 3rd party application server. Thank you for your detailed information about PI Interfaces.

                           

                          @Gopal: I know a little about the PI Cloud Connect Service. We are referring to data in batches right now, maybe streaming data in the future. From my knowledge of PI Cloud Connect, it doesn't encrypt the data, but it encrypts the pipeline through which PI Data is transferred.

                           

                          So I would like to use or dig up a method other than PI Web Service or PI Cloud Connect. But it seems that I lack another way around for that.

                            • Re: Encrypt PI Data in Transit
                              mhamel

                              @Paurav: Have you considered an IPSec tunnel in between the application server or foreign PI Server? This again will only encrypt the packets at the transport layer. To get more information on PI Cloud Services, take a look here.

                               

                              Could you explain exactly what you are looking for regarding the encryption of data? Are you trying to prevent certain users or departments of the foreign company from accessing data? Are you concerned by the transit of data via PI Cloud Services?

                                • Re: Encrypt PI Data in Transit
                                  Paurav Joshi

                                  Hi Mathieu,

                                   

                                  Thanks for your link, it provides good information.

                                   

                                  And about your questions :

                                   

                                  1. Could you explain exactly what you are looking for regarding the encryption of data?  

                                   

                                  What I am exactly looking for is that when I transfer data b/w two servers I want the data to be encrypted, the pure data, rather than encrypting the pipeline.

                                   

                                  2. Are you trying to prevent certain users or departments of the foreign company to access data?

                                   

                                  No no, this is not what I want to do.

                                   

                                  3. Are you concerned by the transit of data via PI Cloud Services?

                                   

                                  The answer is positive. The data is transferred via the service bus of Azure provided by Microsoft. So I don't want to go with PI Cloud Service.

                                   

                                  What I'm asking is: can I use some other method to transfer data in encrypted mode to another server? From my conversation with techsupport, the discussion held here and information I read from OSIsoft, I got to know that currently there is no method which supports these data being encrypted in transit.

                                    • Re: Encrypt PI Data in Transit
                                      mhamel

                                      @Paurav: Just for the benefit of others reading this thread, your answer to question 1 refers to message encryption. I am adding a comparison of both security mechanisms to shed some light on them.

                                       

                                      Transport security

                                       

                                      One limitation of transport security is that it relies on every “step” and participant in the network path having consistently configured security. In other words, if a message must travel through an intermediary before reaching its destination, there is no way to ensure that transport security has been enabled for the step after the intermediary (unless that intermediary is fully controlled by the original service provider). If that security is not faithfully reproduced, the data may be compromised downstream.

                                       

                                      Message security

                                       

                                      Message security focuses on ensuring the integrity and privacy of individual messages, without regard for the network. Through mechanisms such as encryption and signing via public and private keys, the message will be protected even if sent over an unprotected transport (such as plain HTTP).

                                       

                                      So, as explained in the FAQ of PI Cloud Services, there is no message encryption used, only transport encryption.
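
The message-security mechanism described in the last reply, shown as an added example that is not part of the original thread and not OSIsoft code: a data batch is encrypted with a per-message AES-256-GCM key, that key is wrapped with the recipient's RSA public key, and the envelope is signed with the sender's Ed25519 key, so the payload stays protected on any transport or intermediary. The function names `seal`/`unseal`, the envelope fields, the tag name and the values in `sampleBatch` are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed key pairs for the demo; in practice each party generates its own
// pair and only the public halves are exchanged.
const sender = crypto.generateKeyPairSync('ed25519');                         // signing
const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }); // key wrapping
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const FIELDS = ['wrappedKey', 'iv', 'tag', 'ciphertext', 'signature'];

// Constructed sample batch (hypothetical tag name and values).
const sampleBatch = [
  { tag: 'SITE1.FLOW.PV', time: '2013-12-20T08:00:00Z', value: 41.7 },
  { tag: 'SITE1.FLOW.PV', time: '2013-12-20T08:01:00Z', value: 42.1 },
];

// Sender side: encrypt the batch, wrap the content key, sign the result.
function seal(batch, recipientPublicKey, senderPrivateKey) {
  const key = crypto.randomBytes(32); // fresh AES-256 key per message
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(batch), 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, key);
  // Fixed-length fields come first so the signed byte string is unambiguous.
  const signature = crypto.sign(null, Buffer.concat([wrappedKey, iv, tag, ciphertext]), senderPrivateKey);
  const parts = { wrappedKey, iv, tag, ciphertext, signature };
  return Object.fromEntries(FIELDS.map((f) => [f, parts[f].toString('base64')]));
}

// Recipient side: check the sender's signature first, then unwrap and decrypt.
function unseal(envelope, recipientPrivateKey, senderPublicKey) {
  const [wrappedKey, iv, tag, ciphertext, signature] =
    FIELDS.map((f) => Buffer.from(envelope[f], 'base64'));
  const signed = Buffer.concat([wrappedKey, iv, tag, ciphertext]);
  if (!crypto.verify(null, signed, senderPublicKey, signature)) {
    throw new Error('signature check failed: envelope altered or wrong sender');
  }
  const key = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}
```

The envelope is plain JSON-serializable text, so it can be carried over whatever transport the two servers already share; only the holder of the recipient's private key can read the batch.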