Transcript Database Encryption

Database Security and Data
Protection
Suseel Pachalla, CISSP
Outline











Why is Database Security Critical?
Database Environment
Database Security Threats
Database Hardening
Database Activity Monitoring/Auditing
Database Encryption
Risk Reduction
Business / Solution Challenges
Solution requirements
Recommendations
Q&A
Why is Database Security Critical ?
 Protect Data from Internal/External ThreatsIntellectual, Business Confidential
Information, Customer and Consumer Data,
Employee data etc
 Separation of Duties
 Data Integrity
 Regulatory Requirements-GLBA, HIPAA etc…
 Of course, to protect sensitive Data
Database Environment
 Network Environment-Internal/External
 Hardware- Server, Desktop etc
 SHARED Environment- Co-Existence of
different Applications
 Off Shore Environment
 Environment-Specific to OS/Database
Database Security Threats
 Insider Threat
 Authentication, Authorization and Access
Control-(AAA)
 Privilege AbuseLegitimate/Excessive/Elevation
 SQL Injection
 Weak Audit Trail
 DB Platform Vulnerabilities
 DB Communication Protocol Vulnerabilities
 DOS Attacks
Database Hardening







Least Privilege
Secured Infrastructure
Access Control
Disable/Rename unwanted accounts
Password Management
Patch Management
Securing Ports
Database Activity Monitoring/Auditing
 Monitoring is a Detective control, not
preventive.
 Access Policies-Well Defined to Monitor
 Impact on application and Network
Performance-Monitoring
 Auditing
 Audit what is required
 Disk Space Issues
 Audit as per Regulatory Requirements
Database Encryption - Strategies
 Encryption of Data within or outside the database
Encryption within DB
Client
Application
Server
Encryption outside DB
Client
Application
Server
Key management
server
Database
Database
Database Encryption - Methods
 Generic Encryption Methods:
 Symmetric Encryption – uses same key to encrypt
and decrypt, usage of Block Cipher or Stream
Cipher, Algorithm usage such as 3DES, AES with a
key length of at least 128-bits.
 Asymmetric Encryption- Uses a pair of keys,
mainly used for data transmissions.
 Kinds of DB Encryption:
 DB File Level Encryption
 DB Column Level Encryption
Symmetric Database Encryption
 Encryption Process
SSN -
123 45 6789
Encryption Key
+
Encryption Algorithm
Encrypted SSN –
“4#@_&g_*9AS”
Risk Reduction – Database Encryption
 Risk is reduced, in case of





Theft of media
Abuse of DBMS privilege
Abuse of OS system level privilege
Theft of Privilege
Transaction record tampering
Business / Solution Challenges
 Business Challenges
 Expensive
 Need more resources to manage – security DBA
 Need additional hardware and processing
capabilities
 Solution Challenges




Legacy application changes
Performance Issues
Application integration
Key Management-Encryption
Solution requirements
 Native DB Security Tools
 Third party tools – Protegrity, Vormetric,
Voltage etc..
 Additional Hardware
 Resources- Security DBA, Hardware
maintenance etc …
Recommendations
 Trade-off between security and performance
 Apply appropriate security strategy keeping
performance and data flow in mind
 Separation of Environments
 Encryption-Separate DB from Key storage
location
Questions