Data Encryption: A Pillar Of Database Security
Increasing security breaches are making security more attention and budget than ever. Data encryption is, along with authentication, authorization and auditing, one of the 4 pillars of database security.
Enforcing database security requires technical knowledge and high privileges. For many aspects of database security, different utilities, system procedures, and command implementation are required.
But when users require access to multiple databases on multiple servers, spread across different physical locations, database security becomes even more complicated. Any security measures taken at the user level must be repeated in each of the databases and there is no central repository where it is easy to modify and delete user security settings.
What Is Data Encryption?
Encryption is the process of obfuscating data through the use of a key or password that ensures that those who access them without the appropriate password cannot find any use in them since it is impossible to decipher their content.
For example, in the event that the database host computer was misconfigured and a hacker was to obtain confidential data, that stolen information would be completely useless if it were encrypted.
When considering data encryption, it must be taken into account that:
- Encryption does not solve access control problems.
- This option does improve security by limiting data loss even if those controls are bypassed.
These limitations are covered by another technique, that of data masking, which in this sense does offer greater security coverage.
Management Of Data Encryption Keys
For data encryption to be effective when managing it, 4 keys must be taken into account:
Data encryption is not as effective if it is not understood as part of an information security strategy. In this plan, key management should be placed at the core of the organization’s IT security infrastructure since the encryption is an unbreakable element, the key management system becomes a natural objective for those who are looking for an access route to the informational assets of the company. Some best practices are:
- Avoid using key storage software and replace it with hardware.
- Keep a hardware copy of paper-based security policies.
- Do not forget the importance of security audits.
The threat comes from the inside in more cases than imaginable and, therefore, it is necessary to authenticate the administrators and guarantee the separation of tasks.
There is no need to be overconfident as even a physically secure key management system can be compromised if administrator access controls are not robust enough. Along these lines, organizations should:
- Find ways to increase the reliability and strength of authentication techniques for administrators.
- Employ different administrator access controls for the encrypted data and provide them to those responsible with access to the keys.
There are more and more keys, more passwords, and instead of strengthening security, it can be weakened by increased complexity, if it leads to errors.
Automating key management tasks saves costs and increases information protection, an easy solution to apply since most password management tasks are based on established procedures.
This decision guarantees very good results and exceptions should only be applied in the case of emergency situations or when it comes to resolving an urgent request for access to data.
In these types of circumstances, a comprehensive key management strategy must be used, which makes it easy to locate passwords for backup copies created weeks, months or several years before.
Keeping a record of key management activities is essential to prevent potential problems from key destruction. Many times, the devices that contain sensitive information deteriorate until they become useless. However, this status does not imply that they are no longer a potential source of data loss.
The physical destruction of the hardware may not destroy the information it contains and, in this regard, data encryption provides a very effective means of ensuring the protection of the company’s informational assets since the destruction of the key is effectively destroying the data.
The counterpart is that, of course, it is essential that the organization can demonstrate that each copy of the key that was made has been destroyed, and must be able to demonstrate it, something that is only possible when there is a solid audit trail. To avoid the consequences of data or password loss, it is necessary to act at three levels:
- Carry out good key management.
- Maintain a registry that allows the monitoring of all activities related to key management.
- Never forget to destroy the key when you want to permanently delete the associated data.