The Future of Database Encryption
June 16, 2017
In order for encryption to be more broadly deployed, it must become easier to consume and interfere less with how applications process data.
CIOs and CISOs are starting to recognize that database encryption is a critical need and are scrambling to adopt it before their organizations fail the next compliance audit, or worse yet, become a victim of the next major data breach. But there are several hurdles to clear before database encryption is more broadly deployed. Simply put, encryption must become easier to consume and it also needs to interfere less with how applications process data. Enterprise databases have the crown jewels— data that is the lifeblood of how business works—and need to be protected. This is putting the spotlight on database encryption that so far had been a necessary evil that protected enterprise assets when storage disks were stolen.
Today, encryption for sensitive data in databases is available in multiple flavors. There is media-based encryption, where either blocks or files are stored in an encrypted format with the service provider controlling the keys, as well as the encryption/decryption process; and server-based or transparent data encryption, which is transparent because the applications do not change, and encryption is performed in the database server and the administrator controls the keys. In both of these encryption approaches, the data and the keys are exposed in the server’s memory, giving users with access to the database the ability to extract sensitive data with the right tools. To counter this threat, smart application developers use application-layer encryption, where the application performs encryption within its program logic. This usually requires application developers to learn cryptography and key management best practices, identify the right place in the application architecture to perform encryption, and make the right function calls to encrypt and decrypt sensitive data as it is stored in the database. After encryption, the only operation that is possible on encrypted data is an equality check, meaning that nearly all operations previously performed by the application on the data would have to be done after the data is extracted from the database and decrypted in the application. The adjacent table describes each of the approaches and its features. These encryption approaches work, but they are hard to deploy.
The era of “cloud first” development offers promising alternatives. We are moving to a paradigm of services being programmatically integrated into applications. To follow that model, encryption will be provided as a service so that it can be integrated into existing enterprise workflows with a minimum impact to DevOps practices. This includes centralized orchestration that automates encryption deployment and management and seamless key management that reliably generates, uses, stores, rotates, and retires keys used to encrypt data.
Finally, the service will be delivered on a consumption basis, eliminating the need for hardware-based approaches that have a barrier to entry that restricts encryption to the very high end of the market. The service would be monitored extensively along with the ability to collect audit information that can be used to satisfy compliance requirements stipulated by governments, trade organizations, and privacy groups.
Data encryption is the foundation of an enterprise data protection strategy. For enterprises to reach the critical goal of encrypting all of their sensitive data, they need a new deployment paradigm that makes the process easy to use, provides comprehensive key management, and delivers a true end-to-end monitoring experience.
Original article can be found here.