Database Encryption: Today's Challenge
Databases can be treasure troves of sensitive information. They can contain customers' personal data, confidential competitive information, and intellectual property. Lost or stolen data, especially customer data, can result in brand damage, competitive disadvantage, and serious fines—even lawsuits. Many of today’s privacy mandates require protecting data at rest, and the database is an obvious place where data accumulates and is potentially accessible to range of business systems and users. Organizations can choose to encrypt data at the application level, the database level, or the storage level. Encryption at the lowest of these levels, the storage level—on the disk or tape—guards against risk in the case where storage media are lost, but it does little to protect against malicious insiders or systems infected by malware . Application-level encryption on the other hand represents the other extreme by providing the highest degree of control, but it may not always be a viable approach. Because of these tradeoffs, many organizations are increasingly turning to database encryption as offering the best of both worlds when it comes to protecting data at rest—the protection goes further than storage level encryption and also avoids widespread changes in the application layer.
In the past, adding encryption to databases often triggered changes to database schemas, and could negatively impact performance-sensitive tasks such as searching and indexing. But today, many commercial databases support native encryption capabilities that can simply be turned on and deliver truly transparent protection. With database encryption in effect, only authorized applications can access decrypted data—other applications and administrators see encrypted data only. That means data can remain protected even in the event of certain data breaches. So why aren't more companies protecting their databases with encryption? They fear that encryption—and the accompanying encryption key management—might force a database upgrade, slow critical business processes, or worse still, block access to data in the event that keys are lost.
Risks Associated with Database Encryption
- Malicious insiders and system administrators could access both encrypted data and encryption keys, giving them access to clear text data, unless keys are deliberately isolated in a dedicated key management system.
- Applications that have legitimate access rights and yet are infected with malware can still access confidential data.
- Multiple database instances will typically require access to the same keys, driving up the costs of provisioning and rotating keys in a coordinated fashion.
- Key loss can render data unavailable, since decryption would be impossible—disrupting business operations.
- Super-users with broad access rights can subvert and potentially disable encryption controls unless suitable checks and balances are put in place.
Database Encryption: Thales e-Security Solutions
Products and services from Thales e-Security can add new levels of assurance to database encryption by helping your organization effectively protect and manage encryption keys. With nShield hardware security modules (HSMs), you can take full advantage of native database encryption capabilities and still add higher levels of assurance to key management activities, ensuring optimal security, efficiency, and guaranteed accessibility to encrypted data. By storing encryption keys in a protected environment, separate from the database itself, nShield HSMs enforce separation of duties between security staff and DBAs. Even if your DBMS does not offer native support for encryption, Thales can still help you deploy a high assurance database encryption solution that incorporates third-party encryption products from Thales’ technology partners and HSMs.
- Ensure guaranteed access to encrypted data by authorized users by automating storage and back-up for mission critical master encryption keys.
- Simplify data privacy compliance obligations and reporting activities through the use of a security-certified encryption and key management to enforce critical best practices and other standards of due care.
- Enforce separation of duties by isolating master encryption keys from encrypted data—reducing the threat of insider attacks.
- Maximize efficiency by reducing administration costs associated with managing keys in large-scale database environments with Thales’ industry-leading Security World key management architecture.
- Deploy with confidence and accelerate implementation projects; Thales HSMs integrate easily with leading database management systems, featuring out-of-the-box integration with Transparent Data Encryption from Microsoft, and integration with other leading DBMS solutions via technology partners including Voltage and Prime Factors.