Christian Kirsch, senior manager, international product marketing, THALES Information Systems Securi


Database encryption has gradually worked its way up the priority list for today's IT director. Firewalls and application security are no longer enough to protect businesses and data in the open and complex modern IT environment. Mitigating this risk and complying with numerous emerging regulations are the two principal drivers forcing encryption onto the IT director's agenda.

Yet, many businesses are struggling to overcome the numerous challenges associated with database encryption. A 2008 Trust Catalyst survey found that organizations were most concerned about key management as the biggest challenge in database encryption. Organizations are also grappling with issues, such as how to separate database and security management, how to control the usage and copying of keys, and how to prove data security to the auditor.

Here's how these challenges can be overcome and advice on best practices for database encryption.

Regulatory drivers

Advanced security through database encryption is required across many different sectors, increasingly to comply with regulatory mandates. The public sector, for example, uses database encryption to protect citizen privacy and national security. Many governments now have to meet policies, initiated originally in the United States, requiring FIPS (Federal Information Processing Standard) validated key storage. For the financial services industry, it is not just a matter of protecting privacy, but also of complying with regulations such as PCI DSS. These regulations create policies that not only define what data needs to be encrypted and how, but also place some strong requirements on keys and key management. In fact, requirement 3 of PCI version 1.2 seems to be one of the more difficult aspects with which to comply.

One approach that can help companies address the encryption challenges associated with regulation is the defense-in-depth principle, which advocates many layers to strong security – ranging from physical security and access controls to rights assignment and network security, including firewalls and, crucially, encryption of data both at rest and in transit. Strong security is all about reducing the attack surface available to hackers and malicious users. If one method of attack is deemed too difficult, hackers will move on and attempt to exploit another weakness.

Overcoming key management issues

It is important that database encryption be accompanied by key management; however, statistics show that this is also the main barrier to database encryption. It is well-recognized that key use should be restricted and that key backup is extremely important. However, with many silos of encryption and clusters of database application servers, security officers and administrators require a centralized method to define key policy and enforce key management. Yet, just a relatively small number of HSMs (hardware security modules) in the same security world can manage keys across a large spectrum of application servers, physical servers and clusters. Such a centralized strategy reduces total operational costs due to the simplification of key management. With data retention policies in some industries requiring storage for seven years or more, retaining encrypted data means that organizations need to be certain that they are also managing the storage of the key that encrypted that data.

An additional best-practice rule of encryption is that the encryption key should never be stored alongside the data it was used to encrypt. Placing encryption keys within the HSM enforces this policy. Furthermore, hardware can better protect encryption keys: the application never handles the key directly, the encryption key never leaves the device, and the key cannot be compromised on the host system. As a result, unauthorized employees or data thieves cannot access the key material or the cryptographic functions and operations that use keys.

Separation of duties and dual control

Many organizations pay close attention to separation of duties and dual control. Both are required to pass audits, where they show that internal controls protect against rogue administrators or unauthorized employees, and both are often required by the various regulatory requirements discussed above. Database administrators and root administrators must have certain restrictions placed on their permissions. For example, they should not be allowed to administer encryption keys and they should not have too much power or authority over a given machine.

HSMs can help with separation of duties by separating database and security administration for key management. For example, a quorum of three security administrators has to jointly make changes to the encryption infrastructure, but one database administrator can authorize the use of a key. Companies often choose to require a smart card and password to unlock a database protected with transparent data encryption (TDE). This joint approach of separation of duties and dual control prevents any one person having enough power to defraud the system.
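The quorum and role split described above can be expressed as a small authorization check. This is an added example, not code from the article or from any HSM product; the operation names, role names and the `Approval` and `authorize` helpers are hypothetical, and it models only the policy decision, not an HSM interface.

```python
from dataclasses import dataclass

# Constructed policy modelled on the article's example: changes to the
# encryption infrastructure need a quorum of three security administrators,
# while a single database administrator may authorize the use of a key.
POLICY = {
    "change_key_infrastructure": {"role": "security_admin", "quorum": 3},
    "use_key": {"role": "dba", "quorum": 1},
}


@dataclass(frozen=True)
class Approval:
    user: str  # authenticated identity, e.g. the holder of a smart card
    role: str  # role that identity is acting in for this request


def authorize(operation, approvals):
    """Return (allowed, reason) for an operation and its collected approvals."""
    rule = POLICY.get(operation)
    if rule is None:
        return False, "unknown operation"  # deny anything not in the policy

    # Separation of duties: one person must not act in more than one role.
    roles_by_user = {}
    for a in approvals:
        roles_by_user.setdefault(a.user, set()).add(a.role)
    conflicted = sorted(u for u, r in roles_by_user.items() if len(r) > 1)
    if conflicted:
        return False, "role conflict: " + ", ".join(conflicted)

    # Dual control: count distinct people in the required role, so the same
    # administrator approving twice does not satisfy the quorum.
    approvers = {a.user for a in approvals if a.role == rule["role"]}
    if len(approvers) < rule["quorum"]:
        return False, (f"need {rule['quorum']} distinct {rule['role']} "
                       f"approvals, got {len(approvers)}")
    return True, "ok"
```
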

Company databases manage the most sensitive enterprise data. As such, it is without question that database encryption should be a priority for organizations intent on protecting this data. But encryption must also be accompanied by key management in order to provide the highest levels of security. If companies follow this best practice, they will find that not only are they protecting their company's most sensitive information, but they are also assisting compliance with government and industry regulations and rules, helping to prevent data breaches and, crucially, protecting their corporate brand and reputation.

Christian Kirsch is senior manager, international product marketing for THALES Information Systems Security.