I do believe I am officially setting a personal best for the most extended blog series. Way back in February, before my shoulder surgery, I started a series on database encryption. I not only don’t expect you to remember this, but I’d be seriously concerned about your mental well being if you did. In that first post I described the two categories of database encryption- media protection, and separation of duties. Today we’re going to talk more about media encryption, and the advantages of combining it with database activity monitoring.
When encrypting a database for media protection our goal is to protect the data from physical loss or theft (including some forms of virtual theft). This won’t protect sensitive content in the database if someone has access to the DB, but it will protect the information in storage and archive, and may offer realtime protection from theft of the database files. The advantage of encryption for media protection is that it is far easier to implement than encryption for separation of duties, which involves mucking with the internal database structures. The disadvantage is that it provides no internal database controls, and thus isn’t ideal for things like credit card numbers where you need to restrict even an administrator’s ability to see them.
Database encryption for media protection is performed using the following techniques/technologies:
- Media encryption: This includes full drive encryption or SAN encryption; the entire storage media is encrypted, and thus the database files are protected. Depending on the method used and the specifics of your environment, this may or may not provide protection for the data as it moves to other data stores, including archival (tape) storage. For example, depending on your backup agent, you may be backing up the unencrypted files, or the encrypted storage blocks. This is best suited for high performance databases where the primary concern is physical loss of the media (e.g. a database on a managed SAN where the service provider handles failed drives potentially containing sensitive data). Any media encryption product supports this option.
- External File/Folder Encryption: The database files are encrypted using an external (third party) file/folder encryption tool. Assuming the encryption is configured properly, this protects the database files from unauthorized access on the server and those files are typically still protected as they are backed up, copied, or moved. Keys should be stored off the server and no access provided to local accounts, which will offer protection should the server become compromised and rooted by an external attacker. Some file encryption tools, such as Vormetric or BitArmor, can also restrict access to the protected files based on application. Thus only the database processes can access the file, and even if an attacker compromises the database’s user account, they will only be able to access the decrypted data through the database itself. File/folder encryption of the database files is a good option as long as performance is acceptable and keys can be managed externally. Any file/folder encryption tool supports this option (including Microsoft EFS), but performance needs to be tested since there is wide variation among the different tools. Remember that any replication or distribution of data handled from within the database won’t be protected unless you also encrypt those destinations.
- Native Database Object Encryption: Most current database management system versions, such as Oracle, Microsoft SQL Server, and IBM DB2 include capabilities to encrypt either internal database objects (tables and other structures) or the data stores (files). This is managed from within the database, and keys are typically stored internally. This is overall good option in many scenarios as long as performance meets requirements. Depending on the platform, you may be able to offload key management to an external key management solution. The disadvantage is that it is specific to each database platform, and isn’t even always available.
The decision on which option to choose depends on your performance requirements, threat model, exiting architecture, and security requirements. Unless you have a high-performance system that exceeds the capabilities of file/folder encryption, I recommend you look there first. If you are managing heterogeneous database, you will likely look at a third party product over native encryption. In both cases, it’s very important to use external key management and not allow access by any local accounts.
The security of database encryption for media protection is greatly enhanced when combined with database activity monitoring. In this scenario, the database content is protected from loss via encryption, and internal data protected against abuse by database activity monitoring. I’ve heard of this combination being used as a compensating control for PCI- the database files are encrypted to prevent loss, while database activity monitoring is used to track all access to credit card numbers and generate alerts for unapproved access, such as a DBA running a SELECT query.