Transcript Pr sentation PowerPoint

Securing Data Storage
Protecting Data at Rest
Advanced Systems Group
Dell Computer Asia Ltd.
Database Vulnerabilities
Growth of eBusiness results in more
and more sensitive data stored in
corporate databases.
•
•
•
•
Credit card number
Account number
Password
User profile
Data is exposed to Internal Intruders
• Complete set of data
• Sensitive data are stored in clear text
• Logically related data are physically
stored together
• Easy to correlate sensitive data with
public data without knowledge of data
storage format
Problems of Basic Database Security
Database security cannot protect
sensitive data against:
• Attacks that bypass the database engine
• Unauthorized access to data files
• Abusive use of shared password
• Dictionary attack on user password
• DBA access
Ways to Secure Data Storage
• Application level Encryption, use of
security APIs to encrypt data before
saving to database
• Database Encryption – software that
tightly integrate with database to
provide encryption, transparent to
application
Overview of Data Storage Protection
with Database Encryption
Transform existing schema to two layers:
• Logical view
• Physical table
View -- encrypt data  Table
View  decrypt data -- Table
Data encrypted at rest in data files
• Intruders only see unintelligible text
Applications
SQL Queries
Authenticate
Database Table
View
Public Data
Decrypt
Private
Data
Encrypt
Authentication
Authorization
Server
Public Data
Private
Data
Advantages of Using Database
Encryption Software
Application Transparent
•
•
•
•
Preserves logical schema
Existing SQL queries continue to run
No re-coding required for legacy applications
Access control can be based on existing
database security
• No need to set up and maintain a separate security
policy
• Existing users continue to have the same data access
rights
Considerations – Index Searching
Support for Index Searching
• Building index on encrypted data
• Unable to do wildcard search, < or >
comparison since ciphered text
cannot preserve order
• It is important to select software that
can solve the searching problem
Considerations - Key Management
Fine Grain Security Control
• Key Diversification
• Different encryption key for different users,
tables, columns
• Data copied through illegal means to another
schema cannot be decrypted
• Reduce risk exposure if encryption key is
compromised
Considerations - Key Management
Flexible Key Management
• Key Rollover
• Multiple Key versions can co-exist
• Decryption uses the key version with
which the data was encrypted
• Encryption always uses the latest version
• Data can be re-encrypted over time
Considerations - Encryption Methods
Software Based Encryption
Hardware Based Encryption
• Use tamper resistant hardware
• Hardware Security Module (HSM)
• Secure Token
• Smart card
• USB token
• Store digital certificate
• Hardware Accelerator to speed up cryptographic
operations
• RSA private key not exposed outside hardware
• Encryption keys protected even Database stolen
Question & Answer
Thank you for your time.