Securing Data Vaults: A Dive into Database Encryption Techniques


Database encryption is a process that uses algorithms to convert data stored in a database into ciphertext that is unintelligible without decryption. The intent of encryption is therefore to guard information saved in a database against access by people with malicious aims. For many corporations, databases store sensitive details ranging from intellectual property to confidential competitive information and customers' personal details (Bouganim & Guo, 2011). Encrypting this information shrinks the incentive to hack a given database, because the encrypted data is meaningless or of little use. Various technologies and techniques are employed in the encryption process, and this article outlines them in detail.

Transparent Database Encryption (TDE)

TDE is used to encrypt an entire database and thus covers “data at rest”: data that is neither being modified nor pushed across a network. For instance, a file stored on a computer is at rest unless it is opened and modified. This similarly includes data saved on physical media such as disk drives and tapes. Such data may be sensitive and thus raises concerns of theft and security. TDE, therefore, guarantees that data on such drives cannot be accessed by malicious individuals, since it makes the information worthless to them. As a significant strength, TDE is transparent because it encrypts data at “the page level.” That is, data is encrypted when stored and decrypted when read into the memory of a system (Deshmukh, Pasha, & Qureshi, 2013). Moreover, no application needs to be changed or modified for TDE to run correctly. The database contents are encrypted using a symmetric key termed a Database Encryption Key.

Column-Level Encryption

A typical relational database comprises tables, which are divided into columns that hold rows of data. Unlike TDE, which encrypts a complete database, the column-level approach permits individual columns within a database to be encrypted separately. The granularity of this technique results in specific strengths and flaws compared with encrypting the whole database. Firstly, it can use a distinct encryption key for each column. Secondly, the ability to encrypt each column separately makes this technique considerably more flexible (Kaur & Bhardwaj, 2012). As a result, generating rainbow tables becomes more difficult, which makes the data stored in an individual column less likely to be leaked or lost. However, column-level encryption affects speed: accessing separate columns with unique keys in the same database decreases performance, especially the rate at which content is searched or indexed.
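
The sketch below is an added example, not part of the original essay, showing one distinct key per column and the search cost described above, again in SQL Server T-SQL. The table, column, key and certificate names and the sample values are constructed for illustration, and a database master key is assumed to exist already.

```sql
-- Added example, SQL Server (T-SQL). All object names and sample values are
-- constructed; a database master key is assumed to exist in this database.

CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    FullName   NVARCHAR(100)  NOT NULL,   -- left in plaintext, indexable
    NationalId VARBINARY(256) NULL,       -- ciphertext under NationalIdKey
    CardNumber VARBINARY(256) NULL        -- ciphertext under CardNumberKey
);

-- Certificate that protects the column keys.
CREATE CERTIFICATE ColumnKeyCert WITH SUBJECT = 'Protects column keys';

-- One symmetric key per sensitive column.
CREATE SYMMETRIC KEY NationalIdKey
    WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE ColumnKeyCert;
CREATE SYMMETRIC KEY CardNumberKey
    WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE ColumnKeyCert;

-- Keys must be opened in the session before use.
OPEN SYMMETRIC KEY NationalIdKey DECRYPTION BY CERTIFICATE ColumnKeyCert;
OPEN SYMMETRIC KEY CardNumberKey DECRYPTION BY CERTIFICATE ColumnKeyCert;

INSERT INTO dbo.Customers (FullName, NationalId, CardNumber)
VALUES (N'Sample Person',
        ENCRYPTBYKEY(KEY_GUID('NationalIdKey'), N'000-00-0000'),
        ENCRYPTBYKEY(KEY_GUID('CardNumberKey'), N'4111111111111111'));

-- ENCRYPTBYKEY uses a random IV, so equal plaintexts give different
-- ciphertexts. An index on NationalId cannot serve an equality search;
-- every row has to be decrypted and compared.
SELECT CustomerId, FullName
FROM dbo.Customers
WHERE CONVERT(NVARCHAR(50), DECRYPTBYKEY(NationalId)) = N'000-00-0000';

CLOSE SYMMETRIC KEY NationalIdKey;
CLOSE SYMMETRIC KEY CardNumberKey;
```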

Application-Level Encryption

In this approach, the encryption is performed by the software that was used to generate or alter the data being encrypted. This means that information is encrypted before it is stored or written. As a result, application-level encryption permits the encryption procedure to be personalized based on the data that the application knows about its users.

As an advantage, the application-level approach has the potential to simplify the encryption process employed in an organization. For instance, since an application encrypts the data that it modifies or writes to a database, there is no need to integrate a secondary encryption tool into the system (The ins and outs of database encryption, 2018). A second advantage relates to the all-embracing theme of theft. Since the data is encrypted before being saved to a server, a hacker would require access to the application used to encrypt and decrypt the information as well as to the database content.

As a disadvantage of this approach, the applications used by an organization will require modification to encrypt the data. This can consume a substantial amount of resources and time, and firms may therefore not agree that this encryption approach is worth the investment. Moreover, this approach may limit the performance of a database. When different applications encrypt data, it becomes impossible to search or index it in the database. Lastly, key management increases, since each separate piece of software requires access and authority to write and encrypt data in the database.

Encrypting File System (EFS)

Traditional database encryption techniques usually encrypt and decrypt the content of a database. Databases are managed by a database management system (DBMS), which runs on top of an operating system (OS). This raises potential security concerns, as a given database may be running on a vulnerable and potentially accessible OS. This calls for an EFS, which can encrypt data that is external to a database. The scope of EFS is thus much more extensive than that of other encryption approaches such as TDE. However, it also reduces the performance of a database and can result in administrative issues. For instance, a system admin may require OS access to use EFS (Kaur & Bhardwaj, 2012). Moreover, due to performance issues, EFS is not appropriate for applications that need frequent database input and output. Therefore, this approach to encryption is often recommended for environments that have few users.

Symmetric and Asymmetric Database Encryption

In the context of database encryption, the symmetric approach uses a private key to access the stored data. This key modifies data in a way that makes it unreadable when the key is not used in the decryption process. As a result, sharing data requires recipients to have a copy of the key the sender used to encrypt the data. Given that only a single key is applied in the encryption and decryption process, this technique is much faster. However, when this key spreads to unauthorized personnel, sensitive information can be leaked. On the other hand, the asymmetric approach uses two different keys: a private key and a public key. Anyone can access a public key, and it is unique to a single person (Bouganim & Guo, 2011). A private key is secret and known by only one person. Asymmetric encryption is often acknowledged as more secure than symmetric encryption, as the private key does not get shared.

Risks of Database Encryption

Threats in database encryption relate to the management of keys. For instance, when a corporation or a person lacks an “isolated system” for managing private keys, system admins with ill ambitions can decrypt sensitive information using the keys they can access. The central principle of using keys can similarly give rise to a devastating threat. For instance, if a key is lost, then the encrypted data is virtually useless, as decrypting without the key is almost impossible. However, database encryption is paramount in ensuring that the integrity of data is maintained in any corporate network.


Bouganim, L., & Guo, Y. (2011). Database encryption. In Encyclopedia of Cryptography and Security (pp. 307-312). Springer US.

Deshmukh, D., Pasha, A., & Qureshi, D. (2013). Transparent Data Encryption--Solution for Security of Database Contents. arXiv preprint arXiv:1303.0418.

Kaur, A., & Bhardwaj, M. (2012). Hybrid encryption for cloud database security. International Journal of Engineering Science & Advanced Technology, 2(3), 737-741.

The ins and outs of database encryption. (2018). SearchSecurity. Retrieved 14 March 2018, from

September 11, 2023

