Securing Data StorageProtecting Data at Rest

Advanced Systems GroupDell Computer Asia Ltd.

Database Vulnerabilities

Growth of eBusiness results in more and more sensitive data stored in corporate databases.• Credit card number• Account number• Password• User profile

Data is exposed to Internal Intruders• Complete set of data• Sensitive data are stored in clear text• Logically related data are physically

stored together• Easy to correlate sensitive data with

public data without knowledge of data storage format

Database security cannot protect sensitive data against:• Attacks that bypass the database engine• Unauthorized access to data files• Abusive use of shared password• Dictionary attack on user password• DBA access

Problems of Basic Database Security

Ways to Secure Data Storage

• Application level Encryption, use of security APIs to encrypt data before saving to database

• Database Encryption – software that tightly integrate with database to provide encryption, transparent to application

Overview of Data Storage Protection with Database Encryption

Transform existing schema to two layers:• Logical view• Physical table

View -- encrypt data TableView decrypt data -- TableData encrypted at rest in data files

• Intruders only see unintelligible text

Applications

View

Database Table

Public Data Private Data

Public Data Private Data

AuthenticateSQL Queries

AuthenticationAuthorization

Server

Encrypt

Decrypt

Advantages of Using Database Encryption Software

Application Transparent• Preserves logical schema• Existing SQL queries continue to run• No re-coding required for legacy applications• Access control can be based on existing

database security• No need to set up and maintain a separate security

policy• Existing users continue to have the same data access

rights

Considerations – Index Searching

Support for Index Searching• Building index on encrypted data• Unable to do wildcard search, < or >

comparison since ciphered text cannot preserve order

• It is important to select software that can solve the searching problem

Considerations - Key Management

Fine Grain Security Control• Key Diversification

• Different encryption key for different users, tables, columns

• Data copied through illegal means to another schema cannot be decrypted

• Reduce risk exposure if encryption key is compromised

Considerations - Key Management

Flexible Key Management• Key Rollover• Multiple Key versions can co-exist• Decryption uses the key version with

which the data was encrypted• Encryption always uses the latest version• Data can be re-encrypted over time

Considerations - Encryption Methods

Software Based EncryptionHardware Based Encryption

• Use tamper resistant hardware• Hardware Security Module (HSM)• Secure Token

• Smart card• USB token

• Store digital certificate• Hardware Accelerator to speed up cryptographic

operations• RSA private key not exposed outside hardware• Encryption keys protected even Database stolen

Question & Answer

Thank you for your time.