Data represents the lifeblood of any organization. With the right information, companies can improve customer satisfaction, increase the efficiencies of their supply chain, identify market trends and positively affect their bottom line.
This is not a new concept; it is a commonly understood fact of business.
Data in a corporation can be divided into two categories. First, there is data that a company has about itself, its assets and its operations, such as financial data, physical asset information and inventory balances. The level of security and privacy needed for such data is a function of the company's business interests.
Second, there is data that is essentially information about entities not wholly within the company's purview, such as employee personal data and customer data. Here the corporation has no choice: it has a duty to protect the privacy of its employees and customers by providing the highest level of security for such data.
For this reason, companies have gone to great lengths to both preserve the privacy of customer, employee and partner data, and to prevent identity theft, by employing sophisticated and generally effective security procedures that control network and database access.
Then what happened in the recent case of the bank that accidentally lost the personal data of 3.9 million U.S. customers after computer tapes were lost in transit to a credit reporting bureau? Or the academic institution that "lost" information on more than 98,000 graduate school students and applicants? Or the medical group, where computers containing personal data on 185,000 patients were stolen? Or the federal contractor that admitted that the personal information of 35,000 shareholders might be in the wrong hands?
How can such highly critical personal data like Social Security numbers, credit card numbers, birth dates, bank account information and patient medical information be so exposed?
When thieves get hold of equipment such as laptops, storage devices or backup tapes, they can bypass database access controls with utilities that read the physical blocks of data and recover critical information. The result of such device compromises can be catastrophic. One of the most effective ways to protect your data is to encrypt it before it is written to the media.
Making on-disk encryption work for you
For on-disk encryption to be manageable and still offer a high level of protection, it needs to meet four key criteria:
1. The encryption system should not require application modifications. Most database systems have already grown up with a suite of applications, and modifying applications raises the cost and complexity of implementing the security system.
Instead, you should deploy a product that allows you to add data encryption to existing databases. Encryption at the database storage level protects the data from storage media theft, as well as database attacks. With this approach, table schemas remain intact, so queries and data manipulation code need not be touched. In this manner, data encryption becomes a part of the centralized database security policy.
2. Encryption keys must be protected. Data encryption is based on keys that are used to encrypt and decrypt the data. The secrecy of the key is essential, and systems that manage keys internally usually do a better job of protecting the key than systems that rely on keys being transmitted over the network.
To avoid the pitfalls of external keys, look for encryption options that manage keys within the database. The key should be identifiable by name, but its value should never be exposed. Choose a system that allows a policy of changing keys periodically and transparently re-encrypting the data with the new key.
3. Permission-based access should be in place. There are a number of ways to control access to encrypted data. An obvious approach is to give the decryption key to users and applications. Applications would then transmit the key when requesting data. But this approach has major drawbacks, including:
- Applications need to be modified to handle keys.
- Keys are exposed outside the database.
- Keys must be protected when transmitted.
- Key distribution becomes a problem since new keys must be securely distributed to users and applications, and changing keys is equally difficult.
- Multiple applications accessing common encrypted data need to find a way to share keys.
A permission-based system avoids these problems. Rather than requiring users and applications to communicate using keys, users and groups are simply given permission to decrypt the data. Users without permission are unable to see clear-text data. Administrators easily manage permission controls through extensions to the "grant" and "revoke" syntax. Combined with access control, encryption becomes a transparent operation in the database.
4. Finally, ensure that your data encryption is done at the column level. This makes it easy to encrypt personally identifiable data such as customers' Social Security numbers without encrypting less sensitive data such as the state they live in. If encryption is done at the row or page level, or worse, at the level of the entire table or database, every access to a row incurs the overhead of encryption or decryption. Column-level encryption ensures that users who do not need to see private data do not pay the cost of encryption. Look for column-based encryption that offers the option of adding a layer of pseudorandom data before encryption, so that identical values do not produce identical ciphertext; this is added protection for columns that contain many repeated values.
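The following Go program is an added example, not code from the original article or from Sybase, that puts criteria 2, 3 and 4 together in one small in-database key vault: keys are referenced by name and never leave the vault (criterion 2), decryption is gated by grant/revoke-style permissions rather than by handing keys to applications (criterion 3), and a single column is sealed with a fresh random nonce per value so repeated plaintexts do not repeat in ciphertext (criterion 4). The choice of AES-256-GCM, the `KeyVault` type and its methods, the key name `cust_ssn_key` and the principals `billing` and `analyst` are all assumptions made for the illustration; no real product's API is being shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault models key management inside the database (hypothetical design):
// keys are referred to by name, and the raw key bytes never leave this struct.
type KeyVault struct {
	keys   map[string][]byte          // key name -> 256-bit AES key
	grants map[string]map[string]bool // key name -> principals allowed to decrypt
}

func NewKeyVault() *KeyVault {
	return &KeyVault{keys: map[string][]byte{}, grants: map[string]map[string]bool{}}
}

// CreateKey installs a fresh random key under name. Grants live in a separate
// map keyed by name, so re-creating a key leaves existing permissions intact.
func (v *KeyVault) CreateKey(name string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	v.keys[name] = k
	return nil
}

// Grant and Revoke stand in for the "grant"/"revoke" extensions the text
// describes: a principal receives permission to decrypt, never the key.
func (v *KeyVault) Grant(keyName, principal string) {
	if v.grants[keyName] == nil {
		v.grants[keyName] = map[string]bool{}
	}
	v.grants[keyName][principal] = true
}

func (v *KeyVault) Revoke(keyName, principal string) { delete(v.grants[keyName], principal) }

// aead builds AES-256-GCM for a named key; an unknown name gives an empty key, which aes.NewCipher rejects.
func (v *KeyVault) aead(keyName string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.keys[keyName])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one column value under a fresh random nonce, so rows holding the
// same plaintext get different ciphertext (the pseudorandom layer over repeated values).
func (v *KeyVault) Encrypt(keyName string, plaintext []byte) ([]byte, error) {
	g, err := v.aead(keyName)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// Decrypt is where permission is enforced: the database decrypts on the
// caller's behalf or refuses, and the caller never handles key material.
func (v *KeyVault) Decrypt(keyName, principal string, sealed []byte) ([]byte, error) {
	if !v.grants[keyName][principal] {
		return nil, fmt.Errorf("%s has no decrypt permission on key %s", principal, keyName)
	}
	g, err := v.aead(keyName)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil) // fails under a wrong key or tampering
}

// Rotate, run by a principal holding decrypt permission, installs a new key and
// re-encrypts the column in place. Every value is opened before the old key is
// dropped, so a corrupt row aborts the rotation instead of half-converting the column.
func (v *KeyVault) Rotate(keyName, principal string, column [][]byte) error {
	var err error
	plain := make([][]byte, len(column))
	for i, c := range column {
		if plain[i], err = v.Decrypt(keyName, principal, c); err != nil {
			return err
		}
	}
	if err = v.CreateKey(keyName); err != nil {
		return err
	}
	for i, p := range plain {
		if column[i], err = v.Encrypt(keyName, p); err != nil {
			return err
		}
	}
	return nil
}
```

Usage follows the article's scenario: create `cust_ssn_key`, grant it to the `billing` role only, and store each customer's Social Security number through `Encrypt` while leaving columns such as the state in clear text. A query run by `analyst` gets a permission error from `Decrypt` rather than the data; two customers with the same number produce different sealed bytes; and `Rotate` swaps the key and re-encrypts the column without the application ever seeing a key or changing a query. The vault here is an in-memory model, so a real deployment would additionally persist keys in protected storage and run the rotation inside a transaction.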
Conclusion
Adhering to a simple and direct process for data encryption will not only save you time and money, but it will also allow you to avoid the type of public relations nightmare that closely follows security breaches. While encryption is not a new technology, pragmatic approaches to encryption are still emerging. It is therefore important that when considering either your next database purchase or a stand-alone encryption tool, you look for a product that incorporates technologies that, at the very least, minimize application modifications, offer protection for your encryption keys and enable permission-based access.
Raj Nathan is senior vice president of the Information Technology Solutions Group at Sybase Inc., where he leads the company's technology research and product development.