What is database encryption?
Database encryption is the process of transforming data that is stored in a database in plain text into ciphertext using an encryption algorithm together with a secret value known as a “key.” Once encrypted, the data can only be deciphered and used by someone who holds that key.
Only have time for a quick glance at the tools? Here is our summary list of the best database encryption tools:
- IBM Guardium for File and Database Encryption – Provides full visibility while encrypting and decrypting structured or unstructured data, with good levels of automation and scalability.
- Vormetric Transparent Encryption – Hardware-accelerated encryption solution using data-at-rest encryption with centralized key management, privileged-user access control, and more.
- McAfee Complete Data Protection—Advanced – Endpoint encryption solution for data-at-rest and data-in-motion with access control and user-behavior monitoring.
- DbDefence for Microsoft SQL – Bespoke SQL database encryption that adds extra protection through data masking of database tables.
- BitLocker – The ‘go-to’ encryption solution for Microsoft Windows-based systems, designed to encrypt whole volumes.
Why do we need database encryption?
The term “encryption” represents the conversion of data into a secure format that can only be read using a decryption key. The whole purpose is to ensure that only authorized persons or applications can access and work with the data. In a world that has become all too familiar with breaches and hacks, data owners have come to seek ways to keep their data secure. The software industry heeded this call and came up with solutions where their clients’ data is encrypted in three major ways:
- Full-drive encryption – encryption of drives as a whole, where everything stored on them is ciphered. Major operating systems like Linux and Windows Server come with features that allow for full-disk encryption, after which the drive can only be accessed using a password. The password must be entered at boot time before even the operating system itself can read the data on the drive. Any application that then runs on the server doesn’t need the password, because the operating system handles access transparently.
- Partial system encryption – file-system-only encryption that ciphers a specific folder or data file, which can then be accessed only with a password. This method is similar to the previous one: once the operating system confirms the right password, any applications that need to work with the data do so transparently. The drawback is that human error could result in sensitive data being stored in unencrypted file storage spaces or systems.
- Database encryption – data security that converts data stored in databases into unreadable ciphertext that makes no sense without a password. Here the password only needs to be entered when the database is accessed, not when the whole system starts up. Should there be unauthorized access to the disk – even if it were physically removed – the culprits would not be able to read the data in the encrypted databases.
Since we have mentioned “transparency” a couple of times in the encryption types above, it becomes necessary to look into the definition of the concept in detail:
Transparent Database Encryption (TDE) – what is it?
Transparent Data Encryption (TDE) is an encryption technology used by the larger database software companies like Microsoft, IBM, and Oracle. They have made this technology part of the data security feature set of a number of their database solutions.
TDE is database-level encryption that ciphers data at rest – meaning when the data is not being accessed, changed, or in motion over a network – by encrypting the database’s storage files as a whole rather than individual values within the application. This way, even if a disk is stolen, the database on it can’t be opened without the original encryption certificate and master key.
TDE doesn’t require any application changes, in code or otherwise, when authorized users access the data, hence the “transparent” in the name. Programmers and applications don’t need to create macros or update complex configurations to use the data. Once they are authorized, decryption happens below the application and the database is opened for access to the data in it.
This also means authorized users and applications don’t need to create auxiliary tables, triggers, or views to decrypt data that is encrypted using TDE.
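As an added illustration of the certificate-and-master-key chain described above (not code from the original article or from any vendor), the following T-SQL enables TDE on a Microsoft SQL Server database and then checks its encryption state. `MyDb`, `TdeCert`, the passwords and the backup file paths are placeholders.

```sql
-- 1. Service master key -> database master key -> certificate -> database encryption key.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<PLACEHOLDER-strong-master-key-password>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate (placeholder)';
GO

-- 2. Back up the certificate and its private key immediately.
--    Without this backup an encrypted database cannot be restored on another server.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\secure-backup\TdeCert.cer'          -- placeholder path
    WITH PRIVATE KEY (
        FILE = 'C:\secure-backup\TdeCert.pvk',        -- placeholder path
        ENCRYPTION BY PASSWORD = '<PLACEHOLDER-private-key-password>'
    );
GO

-- 3. Create the database encryption key (DEK) protected by the certificate
--    and switch encryption on. Applications need no changes: decryption
--    happens in the storage engine as pages are read.
USE MyDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE MyDb SET ENCRYPTION ON;
GO

-- 4. Verify: encryption_state 3 means fully encrypted (2 = encryption in progress).
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_type
FROM sys.dm_database_encryption_keys;
```

Note that `tempdb` is encrypted automatically once any user database on the instance has TDE enabled, so the query above may also list it.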
The best database encryption tools
Ok, so… here is the list of our 5 choices for the best encryption tools and software solutions to use with your data:
IBM Guardium Data Encryption is the answer for businesses looking for a database encryption solution that comes from a globally established technology brand.
With this tool, TDE is implemented with encryption and decryption taking place above the data file systems and storage volumes or drives. This way data access is transparent to users, applications, databases, operating systems, and storage management systems.
IBM Guardium for File and Database Encryption enforces policy-driven encryption. It offers centralized encryption key management, which allows businesses to secure their data while also ensuring they stay GDPR compliant. The policies, meanwhile, are easily defined using a user-friendly management server and can then be rolled out and enforced across a number of operating systems (Windows, Linux, and Unix).
What makes this encryption solution stand out is its ability to secure data wherever it may be stored – locally, across multiple cloud storage solutions, and in big data platforms. Administrators can opt for file system encryption or go for full-disk encryption.
The sheer power of Vormetric Transparent Encryption is revealed simply by looking at the scale it can cover: it is easily deployable, can be scaled to cover tens of thousands of physical or virtual servers, and works on Windows, Linux, and Unix platforms.
One unique feature of this solution from Thales eSecurity is that no downtime is required for initial data encryption operations. Administrators can simply use the “Live Data Transformation” option, which encrypts databases and files while the data is in use.
Again, there is no downtime, a fact that can be appreciated when considering that some tools require a clean slate – being installed on new database servers before data can be encrypted.
McAfee Complete Data Protection—Advanced is an enterprise-level drive-encryption tool that works in numerous use cases, including data loss prevention, full-disk encryption, device control, and even protection of data stored in the cloud (Dropbox and Google Drive, to name a few). It can be used on servers running versions of Windows and Mac OS X.
Apart from encrypting data on disks and controlling access, McAfee’s Complete Data Protection tool automatically encrypts files and folders before they move through a local network and even when they are shared outside of it. Amazingly, this complete data protection solution is relatively inexpensive considering the power it brings to small-to-medium businesses that want to keep their data secure.
For businesses that use Microsoft SQL Server (including SQL Server Express and LocalDB), few software solutions offer data security the way DbDefence does; this is arguably the ideal tool for encrypting SQL data.
This TDE tool offers data security without compromising performance. DBAs have full control over what they need to secure and can configure DbDefence to work on tables (some or all of them), logins, and the applications that access the restricted data.
Configuration modes allow three levels of securing database data:
- TDE, which takes care of encryption while data is at rest
- A “Blackbox” function that locks databases down so that objects (tables, procedures, and functions) cannot be browsed without the proper authorization
- A middle-ground solution known as data masking, which provides TDE protection while also hiding sensitive columns from administrators and other power users
Finally, DbDefence is an effective encryption tool that is easy to set up and run; it is a lightweight, effective SQL database encryption solution with a tiny digital footprint.
BitLocker is a full-disk encryption solution that comes to us by way of Microsoft. With over 90 percent of the world using one of their operating systems, and Windows 10 alone holding almost 49 percent of the desktop OS market share, it is important to know the best way to secure data on the most popular operating system.
BitLocker Drive Encryption, as it is officially known, is a built-in Windows data protection feature that has been available with Windows operating systems since the early days of Vista. It serves to protect users from data loss or theft that may occur when a device is stolen, lost, or negligently decommissioned. The best way to use this encryption tool is in conjunction with the Trusted Platform Module (TPM) – a hardware security feature that comes with almost all new computers today. Without it, BitLocker still encrypts drives but instead requires the administrator to insert a USB drive containing the startup key when booting encrypted devices.
The main concept behind this security tool is to make sure that no unauthorized access is granted to a drive – whether by running software attack tools or by physically moving a hard disk to a different computer.
An appealing feature of BitLocker is that all it takes to secure a disk and all the data on it is just a few clicks.
A few words of caution
Now, although all these encryption tools offer a way to secure data, there will always be one weak point: the administrator. Should hackers gain access to the administrator password – whether through negligence in keeping the password secure or because the administrator didn’t care enough to use a complex one – nothing will stop them from gaining full access to the data.
Solution: never use default passwords. Create complex passwords that can’t be guessed, and do not write them down where anyone can find them.
The same applies to any applications that are authorized to access disks, file systems, or databases: hackers could exploit weaknesses in the applications themselves to reach the data.
Solution: be careful what roles and permissions you give to every application. Keep up with patches and updates so that known exploits are thwarted.
Are there any drawbacks to using database encryption tools?
Ok, we have just spent all this time discussing which tools would be a perfect fit for a number of server setup scenarios, and we have touched on a couple of precautions.
Now we will look at the cons of encrypting a database. Although you may be willing to secure your data, there are some aspects you also need to keep an eye on. They are:
- Forgetting the password – administrators need to use complex passwords to truly secure their databases and, unfortunately, that makes the passwords easier to forget; if they do, there is probably no way of accessing that data ever again.
- A false sense of security – encrypting data with these tools secures it, but that doesn’t mean you should let your guard down; always be on the lookout for new attack methods and make sure you keep your whole digital environment patched and updated.
- Resource hogging – while most database encryption tools aren’t resource-intensive, that may change as your data grows and as more users or applications keep asking for more data. This security cost can be offset by adding resources, but that also means convincing management to increase your budget.
Looking at these drawbacks, it can safely be said that the advantages outweigh them by far. This leads us to the conclusion: if you have sensitive and confidential data, you should always consider encrypting it.