April 23, 2018

Choosing the Right Encryption Approach for RDBMS

Sometimes, especially nowadays when people are planning to move to the cloud, security is one of the key factors, and in my experience, what I have seen is that the cloud architect tries to sell full disk encryption as a solution for all applications, databases, etc., which in my opinion is absolutely incorrect.

The goal of this post is to evaluate, at a high level, the different encryption approaches for different scenarios (especially RDBMS) to better inform the decision-making process.


Full-disk encryption (FDE): Full-disk encryption (FDE) and self-encrypting drives (SED) encrypt data as it is written to the disk and decrypt data as it is read off the disk.
  • Advantages:
    • Simplest method of deploying encryption
    • Transparent to applications, databases, and users.
  • Limitations:
    • Addresses a very limited set of threats—protects only from physical loss of storage media.
    • Lacks safeguards against advanced persistent threats (APTs), malicious insiders, or external attackers.
    • Meets minimal compliance requirements.
    • Doesn’t offer granular access audit logs.
  • Key Takeaways:
    • Mainstream cloud providers offer the functional equivalent of FDE with its attendant limitations listed above.
    • FDE makes sense for laptops, which are highly susceptible to loss or theft. But FDE isn't suitable for the most common risks faced in data center and cloud environments, where the volume is mounted and the running system serves data in the clear to any user or process that can reach it.


File-Level encryption: File-Level encryption approaches offer security controls by employing software agents that are installed within the operating system. The agents intercept all read and write calls to disks and then apply policies to determine if the data should be encrypted or decrypted. The more mature file-system encryption products offer strong policy-based access controls, including for privileged users and processes, and granular logging capabilities.
  • Advantages:
    • Transparent to users and applications, meaning organizations don’t have to customize applications or change associated business processes.
    • File-level encryption supports both structured and unstructured data.
    • Establishes strong controls that guard against abuse by privileged users and that meet common compliance requirements.
    • Offers granular file access logs and SIEM integration that can be used for security intelligence and compliance reporting.
  • Limitations:
    • Encryption agents are specific to operating systems, so it is important to ensure the solution selected offers coverage of a broad set of Windows, Linux, and Unix platforms.
  • Key Takeaways:
    • For many organizations and purposes, file encryption represents the optimal approach. Its broad protections support the vast majority of use cases, and it is easy to deploy and operate.


Database Encryption (TDE): This approach enables security teams to encrypt a specific subset of data within the database or the entire database file. This category includes solutions from multiple database vendors that are known as transparent data encryption (TDE).
  • Advantages:
    • Safeguards data in databases, which are critical repositories.
    • Establishes strong safeguards against a range of threats, including malicious insiders—even in some cases a malicious database administrator.
  • Limitations:
    • Encrypts only the columns, tables, or data files of a database, leaving configuration files and system logs exposed.
  • Key Takeaways:
    • While database encryption technologies can meet specific, tactical requirements, they don’t enable organizations to address security across heterogeneous environments. As a result, they can leave organizations with significant security gaps since this type of encryption only addresses databases, not applications.


Application Encryption: When employing this approach, application logic is added to govern the encryption or tokenization of data from within the application.
  • Advantages:
    • Secures specific subsets of data, such as fields in a database.
    • Encryption and decryption occur at the application layer, which means data can be encrypted before it is transmitted and stored.
    • Offers the highest level of security, providing protection against malicious DBAs and SQL-injection attacks, because the database only ever holds ciphertext or tokens.
    • Tokenization can also significantly reduce PCI DSS compliance costs and administrative overhead.
  • Limitations:
    • These approaches need to be integrated with the application, and therefore require development effort and resources.
  • Key Takeaways:
    • These approaches may be optimal in cases in which security policies or compliance mandates require specific sets of data to be secured. In addition, variants of application-layer encryption, including tokenization and format-preserving encryption, can help reduce the impact on databases.
    • Look for solutions with well-documented, standards-based APIs and sample code to simplify application development.
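As an added illustration of the application-layer approach (example code written for this post, not code from the original article or from any vendor product), the Python sketch below keeps the real card number in a separate token vault and stores only a surrogate token in the application's own database. The `TokenVault` class, the `VAULT_KEY` constant, the sqlite schema and the test card number are all constructed for the example; a production vault would hold its key in an HSM or KMS and run as its own service with audit logging. The point it demonstrates is the one the post makes: a DBA, a backup copy, or a SQL-injection dump of the application table yields tokens, not card numbers, and the tokens are built so they can never be mistaken for a valid card number.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed demo secret (assumption for this example). In a real deployment the
# vault's key lives in an HSM/KMS and the vault is a separate, access-controlled service.
VAULT_KEY = b"demo-vault-key-replace-me"


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps card numbers to surrogate tokens. Lives outside the application database."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    @staticmethod
    def _fingerprint(pan: str) -> str:
        # Keyed hash so the same PAN maps to the same token without using
        # the plaintext itself as a lookup key.
        return hmac.new(VAULT_KEY, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_pan: str) -> str:
        pan = "".join(ch for ch in raw_pan if ch.isdigit())
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("input does not look like a card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        while True:
            # Format-preserving token: same length, last four digits kept for
            # display, the rest drawn from a CSPRNG (no relation to the PAN).
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that passes Luhn, so a leaked token
            # can never be confused with a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (with its own access controls) can resolve a token."""
        return self._pan_by_token[token]


def new_app_db() -> sqlite3.Connection:
    """Constructed application schema: the orders table never sees a PAN."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, card_token TEXT)"
    )
    return conn


def place_order(conn: sqlite3.Connection, vault: TokenVault,
                customer: str, raw_pan: str) -> str:
    token = vault.tokenize(raw_pan)          # plaintext stops at the application layer
    conn.execute("INSERT INTO orders (customer, card_token) VALUES (?, ?)",
                 (customer, token))
    conn.commit()
    return token


def dump_card_column(conn: sqlite3.Connection) -> list[str]:
    """What a DBA, a stolen backup, or an injection dump of this table reveals."""
    return [row[0] for row in conn.execute("SELECT card_token FROM orders")]


if __name__ == "__main__":
    vault = TokenVault()
    conn = new_app_db()
    tok = place_order(conn, vault, "alice", "4111 1111 1111 1111")  # constructed test PAN
    print("stored in application DB:", dump_card_column(conn))
    print("resolved through the vault:", vault.detokenize(tok))
```

Run as written it prints a 16-digit token ending in 1111 as the only value in the application database, and the original number only when resolved through the vault. Swapping the vault for a field-level cipher (for example AES-GCM with a random nonce per value, keyed from a KMS) gives the same separation without a lookup table, at the cost of losing the format-preserving and equality-lookup properties the token provides.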


Summary: For database-driven applications, it is best (without any doubt) to use either –
    • TDE and related RDBMS encryption solutions
    • Application Level Encryption


1 comment:

  1. I read this article fully concerning the resemblance of hottest and previous technologies, it's a remarkable article.
