The role of encryption in database security

For many organizations, databases are a treasure trove of sensitive information containing data ranging from customers’ personal details and confidential competitive information to intellectual property. Lost or stolen data, especially customer data, can result in brand damage, competitive disadvantage and serious fines. In high-profile cases, compromised data presents organizations with long-term customer acquisition and retention difficulties.

As a result, database security is a top priority for today’s IT director. Yet the shortcomings of traditional database security techniques such as perimeter firewalls and application-level controls have been exposed in recent years, and it is now broadly recognized that these approaches alone are no longer sufficient to protect businesses and data in today’s open and complex IT environment. In trying to mitigate the risk of security breaches and to comply with numerous existing and emerging regulations, organizations often turn to database encryption. Why is encryption so often heralded as the best defense against database breaches, and how can companies overcome the oft-cited challenges of implementing it?

Regulatory drivers
Advanced security through database encryption is required across many different sectors and is increasingly needed to comply with regulatory mandates. The public sector, for example, uses database encryption to protect citizen privacy and national security. Many governments now require their agencies to protect keys with hardware validated against FIPS 140 (the US Federal Information Processing Standard for cryptographic modules) or Common Criteria, two widely recognized security standards. For the financial services industry, it is not just a matter of protecting privacy but also of complying with regulations such as PCI DSS, which not only defines what data needs to be encrypted and how, but also places strong requirements on keys and key management.

It’s clear that in certain industries which handle particularly sensitive data, such as financial services and government, regulation has emerged as the true driving force for the increased use of encryption. Across enterprise as a whole, however, data security has only been accorded such importance more recently, as enterprises struggle to contain the brand and reputation impact of data breaches. The majority of existing privacy laws only impose obligations once data has been breached. Yet times are changing: the U.S. state of Massachusetts has introduced a regulation (201 CMR 17.00) under which an organization breaches the law simply by failing to protect personal data adequately in the first place.

While encryption is increasingly being advocated by regulators, compliance with regulation is often not enough. Indeed, Heartland Payment Systems in the U.S. has recently questioned the effectiveness of current industry security standards and is calling for the adoption of end-to-end data encryption. Criminals are becoming increasingly sophisticated and, as the Heartland breach demonstrated, can compromise systems that have passed a compliance assessment. Consequently, industry regulation should be treated as a starting point rather than an end point in the effort to protect sensitive data.

Why encrypt?
As corporate networks become more and more open to the outside to accommodate suppliers, customers and partners, network perimeter security is no longer sufficient to protect data. Industry experts have long recommended a “defense in depth” approach by adding layers of security around the data. With the network being regarded as inherently insecure, encrypting the data itself is the best option, often cited as the “last line of defense”.

In terms of database security, encryption secures the actual data within the database files and protects backups. That means the data remains protected if storage media, database files or backup tapes are lost or stolen, provided the keys are not compromised along with them. It does not by itself protect against an attacker who reaches the data through the application or through a legitimate database account, since the database decrypts data for any authorized query.

Modern approaches to database encryption, such as the Transparent Data Encryption (TDE) architectures introduced by Oracle and Microsoft, make it easier for organizations to deploy database encryption because TDE does not require any changes to database applications: the database engine encrypts data files and backups as they are written to disk and decrypts them as they are read. The data-encryption key is itself stored encrypted under a master key held outside the database, which is why the protection of that master key, discussed below, decides the strength of the whole scheme.

What are the challenges associated with database encryption?
Why aren’t more companies protecting their databases with encryption? Many fear that encryption—and the accompanying encryption key management—might slow critical business processes, block access to data or fail to integrate with existing technology.

Encryption key management seems to be one of the biggest stumbling blocks when it comes to database encryption. Indeed, the 2008 Encryption and Key Management Benchmark Survey conducted by research firm Trust Catalyst found that organizations saw key management as the biggest challenge in database encryption. The cost of data recovery and lost business were at the top of respondents’ lists when it comes to concerns over lost or compromised encryption keys, with compliance only in third place. With real concerns about issues such as backing up and revoking or terminating keys to prevent unauthorized access to data, 69.3 per cent of respondents said that they would choose to use automated and centralized key management systems as opposed to manual processes.

With key management clearly an issue for many companies when it comes to their encryption strategies, why should it be taken more seriously and what is the best way to approach it?

Encryption isn’t secure without good key management
Good key management is essential for companies implementing database encryption, since access to encrypted data ultimately comes down to access to the key. Good key management avoids disruption and business costs. Conversely, compromising a key can put data at risk and losing a key completely can mean that the information is lost forever.

As the use of encryption grows, companies need to be able to manage (or control) encryption keys securely. This is crucial not only to prevent keys from being lost or stolen, but also for important operational reasons such as on-demand recovery of encrypted data, automated updates and compliance reporting.

Once encrypted, information only becomes readable once the encryption key is available to unlock it. Consequently, the key becomes as valuable as the data it is protecting. This situation can be likened to the security of a home – locking the house significantly increases the security of its contents, however if the key is then left under the mat the level of security is compromised, no matter how secure the lock is. In the same way, while encryption is an effective first step in enhancing data security, encryption keys need to be stored and managed effectively in order to ensure data is secure.

Many companies have found themselves in a situation where they need to manage thousands or even many millions of keys as they deploy separate encryption and key management systems to protect different areas of their IT infrastructure, such as laptops, storage systems and databases. This typically involves manual processes to generate, distribute, store, expire, and rotate encryption keys and has resulted in increased operational costs, delays in meeting audit and compliance requirements and increased risk of human error. With many silos of encryption, security officers and administrators are increasingly looking towards a centralised method to define and enforce key management policies.

Even though encryption is essentially binary, with data being either locked or unlocked, when it comes to key management there can be shades of grey. There is a significant difference between good and bad key management and auditors are getting better at spotting this difference. There are many factors to consider in ensuring good key management but below are some of the most important.

Key management best practice for database security
1. Ensure key management is part of your core security strategy
With modern ciphers effectively impossible to break by brute force, the key management system becomes a natural target as a gateway to company information. Consequently, key management needs to be at the core of every company’s IT security infrastructure. Many companies used to store their keys in spreadsheets. While this practice is less common today, most companies still rely on software-based key management tools, and this poses a significant threat to secure data storage. Keys stored in software are exposed to malware on the host, to memory scraping and even to ordinary debugging tools. Even if the systems are clean and the administrators trustworthy, software-based keys are easy to copy, potentially leading to a proliferation of keys that makes it hard to control access to the data. To prevent this, companies have to introduce complicated security procedures that hamper operational efficiency and don’t always convince the auditors.

The alternative is to store the keys in a hardware security module (HSM), which performs cryptographic operations internally and grants access to keys according to a pre-defined security procedure. A properly configured HSM never releases key material in the clear, so keys cannot be copied out of it and proliferation is prevented. By turning paper-based security policies into hardware-enforced ones, organizations also find it easier to prove to auditors that security procedures are being followed.

Key management is increasingly being reviewed by auditors, and regulation is beginning to mandate some form of key management system. For example, in October 2008 the PCI Council added a requirement that companies employ “proper key-management practices” to the PCI DSS standard.

Top tips:

  • Place key management at the core of your IT security infrastructure
  • Store keys in hardware, rather than software
  • Mirror your paper-based security policies in the hardware to pass audits with ease.

2. Authenticate your administrators and ensure separation of duties
Even a physically secure key management system will be undermined by weak administrator access controls. This is a particularly important consideration given the current economic environment and the recent rise in insider fraud. BDO Stoy Hayward found that employee fraud comprised 11 per cent of all fraud committed in 2008 compared with just 2.5 per cent in 2007. The value of strong authentication techniques for administrators is obvious. Security against insider fraud can be bolstered by the concept of separation of duties, for example by ensuring that the administrators controlling access to encrypted data are different from those governing access to the keys. Going one step further still, the best key management systems require multiple security administrators to collaborate, each requiring the others to authorize an operation. This provides a form of mutual supervision and ensures that no one person has complete control of a company’s encrypted data. Such controls are fairly simple to manage and, crucially for regulatory purposes, measurable and easily audited.

Top tips:

  • Use strong authentication techniques for your administrators
  • Ensure that the administrators who control access to encrypted data are different from those who control access to the keys.

3. Automate your key management tasks
Most key management tasks follow set procedures, and executing them by hand becomes a costly challenge as the number of keys grows. Automation is essential here, and good key management systems facilitate it. In emergency situations or when servicing urgent requests to access data, such as for forensic investigations, key management tasks are also time-sensitive: the data recovery process often requires quickly locating the key that encrypted a backup created weeks, months or several years earlier. A comprehensive key management strategy, in which every piece of encrypted data records the identity and version of the key that protects it, is essential to ensure that keys are easily located and that large quantities of historic keys do not get out of hand.

Top tips:

  • Automate your key management tasks
  • Ensure keys are easy to locate by consolidating keys in one system.

4. Keep track of your key management activities
The value of keeping track of key management activities and establishing an audit trail is clear, and key destruction is a good example. When storage media containing sensitive data, such as a disk drive, is decommissioned or malfunctions, or after data retention periods have ended, organizations face the challenge of destroying that data and must be able to prove that it is no longer a potential source of data loss. Physical “destruction” of hardware might not destroy the data on it, since a significant amount of information can be recovered from shards of a magnetic disk. Encryption provides a convenient, cheaper and greener means to achieve the same goal: if the data was only ever stored encrypted, destroying the key is effectively destroying the data. For this to hold, companies must be able to demonstrate that every copy of the key that was ever made, for example for back-up purposes, has been destroyed. That is only possible if a strong audit record of key creation, copying and destruction is available and, once again, this comes down to good key management.

Top tips:

  • Keep an audit trail of your key management activities
  • Destroy the key when you wish to destroy the associated data, and keep the record showing that every copy of it was destroyed.
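To make the points of sections 1, 3 and 4 concrete, here is an added example (not the article’s code and not any vendor’s product) of a small key manager that keeps keys inside one object, as an HSM would; tags each ciphertext record with the id of the key that protects it so the key can be found later; logs every key event; and shows that data encrypted under a key becomes unrecoverable only once every copy of the key, backups included, is destroyed. The cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), the class and method names, and the sample customer row are this example’s own assumptions, chosen so it runs on the Python standard library alone; a real deployment would use AES inside an HSM or a vetted library.

```python
"""Added example (not the article's code): a minimal key-management model with the properties
the article asks for. Data is encrypted under per-dataset data-encryption keys (DEKs) that never
leave the KeyManager (a stand-in for an HSM); each ciphertext record carries the id of its key so
the right key can be located years later; every key event is logged; and destroying the last copy
of a key is what destroys the data. The cipher is HMAC-SHA256 in counter mode with an
encrypt-then-MAC tag so it runs on the standard library; real deployments use AES in an HSM."""
import hashlib
import hmac
import secrets
import struct

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 256-bit key.
    return (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range(-(-length // 32))]  # PRF in counter mode (illustrative cipher)
    return b"".join(blocks)[:length]

def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, aad + nonce + ct, hashlib.sha256).digest()

def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))

class KeyManager:
    """Keys are generated, copied, used and destroyed only in here; callers never see key bytes."""

    def __init__(self):
        self._keys = {}  # key_id -> {copy_name: key_bytes}
        self.audit = []  # append-only (event, key_id, detail)

    def generate(self, key_id: str) -> None:
        if key_id in self._keys:
            raise KeyError(f"{key_id} already exists")
        self._keys[key_id] = {"primary": secrets.token_bytes(32)}
        self.audit.append(("generate", key_id, "copy=primary"))

    def backup(self, key_id: str, copy_name: str) -> None:
        self._keys[key_id][copy_name] = self._keys[key_id]["primary"]  # one more copy to account for
        self.audit.append(("backup", key_id, f"copy={copy_name}"))

    def _key(self, key_id: str) -> bytes:
        copies = self._keys.get(key_id)
        if not copies:
            raise KeyError(f"{key_id}: no copies remain; data under this key is unrecoverable")
        return next(iter(copies.values()))

    def encrypt(self, key_id: str, plaintext: bytes) -> tuple:
        record = (key_id, _seal(self._key(key_id), plaintext, key_id.encode()))  # id bound into tag
        self.audit.append(("encrypt", key_id, ""))
        return record

    def decrypt(self, record: tuple) -> bytes:
        key_id, blob = record
        plaintext = _open(self._key(key_id), blob, key_id.encode())
        self.audit.append(("decrypt", key_id, ""))
        return plaintext

    def rotate(self, record: tuple, new_key_id: str) -> tuple:
        return self.encrypt(new_key_id, self.decrypt(record))  # re-encrypt under the newer key

    def destroy_copy(self, key_id: str, copy_name: str) -> None:
        del self._keys[key_id][copy_name]
        self.audit.append(("destroy", key_id, f"copy={copy_name} remaining={self.copies_remaining(key_id)}"))

    def copies_remaining(self, key_id: str) -> list:
        return sorted(self._keys.get(key_id, {}))

    def destruction_evidence(self, key_id: str) -> list:
        # What an auditor asks for: every copy ever made and every copy destroyed.
        return [e for e in self.audit if e[1] == key_id and e[0] in ("generate", "backup", "destroy")]

def demo() -> dict:
    km = KeyManager()
    km.generate("customers-dek-v1")
    km.backup("customers-dek-v1", "offsite-backup")
    rec = km.encrypt("customers-dek-v1", b"card=4111111111111111;name=A. Customer")  # constructed row
    km.generate("customers-dek-v2")  # rotation: each record's key id says which key to look for
    rec2 = km.rotate(rec, "customers-dek-v2")
    km.destroy_copy("customers-dek-v1", "primary")
    via_backup = km.decrypt(rec)  # the backup copy still unlocks the old record
    km.destroy_copy("customers-dek-v1", "offsite-backup")
    try:
        km.decrypt(rec)
        shredded = False
    except KeyError:
        shredded = True  # every copy gone: crypto-shredding complete
    return {"after_rotation": km.decrypt(rec2), "via_backup": via_backup, "shredded": shredded,
            "copies_remaining": km.copies_remaining("customers-dek-v1"),
            "evidence": km.destruction_evidence("customers-dek-v1")}
```

Calling demo() returns a dictionary: the rotated record still decrypts under the new key, the old record decrypts while the offsite backup copy exists, and after the second destroy_copy the same record raises KeyError. destruction_evidence() returns the generate, backup and two destroy entries an auditor would ask to see; note that the decrypt attempts are also logged, so an unexpected read of historic data leaves a trace.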

Whilst much of the onus for implementing good key management lies with security professionals within organizations, there are several initiatives underway designed to simplify the process. Key management standards are nearing ratification, deployment best practices are well understood within the auditing community and second-generation key management products are reaching the market. Measures such as these will help enable organizations to implement cohesive key management strategies.

How can hardware help?
Hardware can manage keys across many application servers
It is well recognized that key use should be restricted and that key backup is extremely important. However, with many silos of encryption and clusters of database application servers, security officers and administrators require a centralized method to define key policy and enforce key management. A relatively small number of HSMs (hardware security modules) in the same infrastructure can manage keys across a large spectrum of application servers, physical servers and clusters. Such a centralized strategy reduces total operational costs by simplifying key management. With data retention policies in some industries requiring storage for seven years or more, retaining encrypted data means that organizations must be certain that they are also retaining, and protecting, the key that encrypted that data for at least as long.

Hardware offers the best protection
Hardware provides the best protection for encryption keys: the application never handles the key directly, the key never leaves the device and the key cannot be read from host memory. As a result, unauthorized employees or data thieves cannot obtain the key material, and the cryptographic operations that use keys can be performed only through the HSM’s access controls. Placing keys within the HSM also means that the key is never stored alongside the data it was used to encrypt, an important best practice. The one caveat is that a host with legitimate access to the HSM can still ask it to decrypt on an attacker’s behalf for as long as the host is compromised, so the HSM protects the key itself but must be combined with the access controls and separation of duties discussed below.

Hardware enables the separation of duties
As discussed above, many organizations pay close attention to separation of duties and dual control, which auditors require as evidence of internal controls against rogue administrators or unauthorized employees and which many of the regulations already discussed mandate. Database administrators and root administrators must have restrictions placed on their permissions: for example, they should not be allowed to administer encryption keys, and no single administrator should have unchecked authority over a given machine.

HSMs can help with separation of duties by separating database and security administration for key management. For example, a quorum of three security administrators has to jointly make changes to the encryption infrastructure, but one database administrator can authorize the use of a key. Companies often choose to require a smart card and password to unlock a database protected with Transparent Data Encryption (TDE). This joint approach of separation of duties and dual control prevents any one person having enough power to defraud the system.
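The quorum control described above and in section 2, as an added example that is not part of the original article or any HSM vendor’s product: a k-of-n split of the master key using Shamir secret sharing, with a controller that runs an operation only when enough distinct, valid cards are presented and logs every attempt, granted or denied. The class and function names, the SHA-256 key check and the 3-of-5 card set are this example’s own assumptions; in a real HSM the reconstruction happens inside the tamper-resistant boundary and the shares live on the administrators’ smart cards.

```python
"""Added example (not the article's or any HSM vendor's code): the k-of-n quorum control the
article describes ("a quorum of three security administrators has to jointly make changes"),
built from Shamir secret sharing over a prime field. The master key exists only as shares, one
per administrator's card; any k shares reconstruct it and fewer reveal nothing about it."""
import hashlib
import secrets

P = 2**521 - 1  # Mersenne prime; any 256-bit key is a valid field element

def split(secret: bytes, k: int, n: int) -> list:
    """Return n shares (x, f(x)) of a random degree k-1 polynomial with f(0) = secret."""
    s = int.from_bytes(secret, "big")
    if not 0 < k <= n or s >= P:
        raise ValueError("need 0 < k <= n and a secret smaller than P")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]

def reconstruct(shares: list) -> int:
    """Lagrange interpolation at x = 0; correct only with k or more distinct valid shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

class QuorumControl:
    """Stand-in for an HSM administrator card set. The controller keeps no shares, only a hash
    of the master key (assumption of this example); an operation needing the key runs only when
    k distinct administrators present valid cards, and every attempt is logged."""

    def __init__(self, k: int, key_len: int, key_check: bytes):
        self.k, self.key_len, self.key_check, self.audit = k, key_len, key_check, []

    @classmethod
    def issue(cls, master_key: bytes, k: int, n: int):
        ctrl = cls(k, len(master_key), hashlib.sha256(master_key).digest())
        return ctrl, split(master_key, k, n)  # shares go to n administrators, never stored here

    def run(self, cards: list, operation, description: str):
        distinct = dict(cards)  # the same card presented twice counts once (x is the admin index)
        if len(distinct) < self.k:
            self.audit.append(("denied", description, f"{len(distinct)} of {self.k} administrators"))
            raise PermissionError("quorum not met")
        value = reconstruct(list(distinct.items())[: self.k])
        key = value.to_bytes(self.key_len, "big") if value < 1 << (8 * self.key_len) else b""
        if hashlib.sha256(key).digest() != self.key_check:
            self.audit.append(("denied", description, "invalid card presented"))
            raise PermissionError("a presented card is not valid")
        self.audit.append(("granted", description, f"administrators {sorted(distinct)}"))
        return operation(key)  # the key is used here and never handed to the caller

def demo() -> dict:
    master = secrets.token_bytes(32)  # constructed: the key that wraps every database key
    ctrl, cards = QuorumControl.issue(master, k=3, n=5)  # five administrators, any three suffice
    out = {"three_admins": ctrl.run([cards[0], cards[2], cards[4]],
                                    lambda key: key == master, "enable TDE on SalesDB")}
    attempts = {
        "two_admins": [cards[0], cards[1]],
        "same_card_three_times": [cards[0], cards[0], cards[0]],
        "forged_card": [cards[0], (cards[1][0], (cards[1][1] + 1) % P), cards[2]],
    }
    for name, presented in attempts.items():
        try:
            ctrl.run(presented, lambda key: True, f"export wrapped DEK ({name})")
            out[name] = "granted"
        except PermissionError:
            out[name] = "denied"
    # Two shares of a degree-2 polynomial interpolate to an unrelated value, not the key.
    out["two_shares_reveal_key"] = reconstruct([cards[0], cards[1]]) == int.from_bytes(master, "big")
    out["audit"] = ctrl.audit
    return out
```

demo() shows the four cases a practitioner cares about: three distinct valid cards unlock the operation; two cards, one card presented three times, and a forged card are all refused; and the audit list records who was present for the granted operation and why each denied attempt failed. Combined with the database administrator’s separate authorization to use a key, this is the dual control the article describes: the security administrators can change the key infrastructure only together, and none of them can read the data alone.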

Company databases manage the most sensitive enterprise data. Without a doubt, database encryption should be a priority for organisations intent on protecting this data. But encryption must also be accompanied by best practice key management in order to provide the highest levels of security. If companies follow this best practice, they will find that not only are they protecting their company’s most sensitive information, but they are also assisting compliance with government and industry regulations and rules, helping to prevent data breaches and, crucially, protecting their corporate brand and reputation.