Harvey Ewing, senior director of IT security at Carrollton, Texas-based Accor North America, which owns and operates about 1,200 hotel properties in the U.S., Canada and Mexico, chose RSA Key Management from RSA Security. He says it provides a single key management system across the company's various applications.
Application programming interfaces from RSA allow Accor developers to easily adapt applications to access decryption keys as they need them, says Ewing. Without such keys, legacy systems wouldn't be able to perform any functions requiring that data, or would be unable to display that data correctly.
Another shortcoming of native database encryption is that it can't hide sensitive data from database administrators, says Burton Group's Henry. That's changing, he says, with products such as Oracle Corp.'s Oracle Database Vault, an option for Oracle databases that allows customers to "substantially limit what the DBA can do," he says.
No Silver Bullet
Customers, analysts and vendors agree that a mix of technologies is required to meet the needs of each unique environment. In addition to encryption, Ewing uses SecureSphere application layer firewalls from Imperva Inc. to protect his Web and database servers, as well as vulnerability and penetration testing tools.
Customers rely largely on access control and database access monitoring tools to comply with the Sarbanes-Oxley Act, says Prat Moghe, founder and CEO of Tizor Systems Inc. in Maynard, Mass., but they are using encryption more often to comply with PCI.
Even with products that allow users to encrypt only specific database columns (such as those holding credit card numbers), administrators may still need to restructure some databases to make encryption feasible. If a customer's Social Security number is used as the "index" field that helps locate all other information about that customer, encrypting Social Security numbers could require decryption of that column for every query and thus cripple database performance. Another approach, says Jeff Montgomery, director of product marketing at Cambridge, England-based nCipher, is to encrypt all but the last four digits of the sensitive number.
Rather than modifying applications so they can decrypt data, says Mogull, companies can also merely encrypt the file or hard drive where the data is stored (to deflect attacks on the database) and use data access monitoring tools to watch for suspicious activity from within the applications.
Making the wrong choice about where, for example, to use encryption can waste a lot of money, risk a lot of data and make a lot of users unhappy. That's why it's so crucial to first understand the threats facing your data and only then begin building your defense.
Scheier is a freelance writer in Boylston, Mass. He can be reached at firstname.lastname@example.org.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Cybercrime and Hacking White Papers | Webcasts