Monday, September 14, 2015

What Is Database Encryption and Why Do We Need That?

Databases often hold sensitive data such as credit card numbers, social security numbers and medical records, and we need to safeguard that data against theft.

Normally, to preserve data confidentiality in a database, we enforce access control policies. But access control policies are not always enough to ensure data protection. For example, an intruder can hack the information system and try to collect data from the data footprint on disk.

Database encryption is the process of converting the data within a database into ciphertext using encryption keys and a suitable algorithm. Database encryption ensures that even if attackers break through the firewall and bypass the access control policies, they still need the encryption keys to decipher the data.

Data encryption can normally be performed at various levels: storage level, application level or database level.

Storage Level Encryption encrypts data in files or directories at the operating system level. It is good enough to protect data at rest. But the storage subsystem has no knowledge of database objects and structure, so the encryption strategy cannot be related to user privileges. Moreover, encrypting files selectively is quite risky, as one must ensure that no replica of the sensitive data remains unencrypted.

In Application Level Encryption, data is encrypted within the application that writes it to the database. Data is sent encrypted from the application to the database. As a result, it remains encrypted in the database and is decrypted again in the application layer after it is retrieved. The problem with this approach is that applications need significant modifications to adopt it. Moreover, an attacker can hack the application and access unauthorized data. This solution also introduces performance overhead.

Database Level Encryption protects data as it is inserted into or retrieved from the database. With this technology, selective encryption is possible, and it can be done at various granularities such as columns or tables. Moreover, the encryption keys can be stored in a restricted table or file, encrypted by a master key, ensuring even stronger protection.

So, for a database system, we prefer Database Level Encryption. There are multiple technologies available for database level encryption; one such technology is Transparent Data Encryption.

Transparent Data Encryption solves the problem of protecting data at rest by encrypting the data both on the hard drive and on backup media. It mainly encrypts the data at the file level.

Transparent Data Encryption uses various keys to encrypt the data. The same key is used to encrypt the columns of a table. The different encryption keys are themselves encrypted using the database server master key and stored in a dictionary table in the database.

Nowadays, various Original Equipment Manufacturers (OEMs) provide Transparent Data Encryption with their databases.

So, stay safe and protect the data in your database!
