Encrypt the database | Debuggate
As the knowledge and information society advances, protecting data such as personal information becomes ever more important.
Among the many technical measures required to protect data, encryption is the most important and fundamental one in terms of technical reliability.
Complete data encryption requires the following security technologies to be available together:
- Encryption: encryption of the data itself
- Key management: secure management and operation of the encryption keys
- Access control and auditing: controlling and auditing who may view the data
Data environment: the hierarchy of an IT system
To analyze the data environment, it is necessary to understand the hierarchy of an IT system according to how data is processed.
The virtual hierarchy that conceptually separates an IT system into layers is shown below.
- Network: data is transmitted and received between servers connected to the network, and between servers and user devices
- Operating System: the OS of the server or device, which physically stores the files that contain the data
- DBMS Engine: the core of the DB system, which stores data in the DB and reads it back
- DBMS Package: provides data processing inside the DB server and is the interface through which the DB server is used from outside
- DBMS Procedure: applications that use the DB server as their data repository through its API
- Web Application: provides information to users over the web by working with the DB server
- Business Application: a large information system formed by grouping smaller application systems
Data encryption at the network layer
At the network layer, servers and clients are interconnected to transmit and receive data.
This applies between application servers and DB servers, between networked storage devices and servers, and between servers and terminals.
An attacker who can eavesdrop on a communication channel can collect the transmitted and received data and steal it.
To protect the data, the transmitted and received information is encrypted in one of the following ways.
- Encrypt the communication channel between the sender and the receiver: since all of the data is encrypted, efficiency can be lowered.
- Selectively encrypt only designated items within the transmitted and received data: this improves performance by encrypting only the information that really needs protection, but it requires a selective-encryption capability.
Encryption at the network layer can provide secure encryption between physically separate senders and receivers.
For the encryption to be secure, encryption keys must be securely created and managed between the sender and the recipient.
Data encryption in the Operating System Layer
All data stored on a computer is stored in the form of files.
Encryption at the OS layer means the OS adds an encryption step to the process of saving files. It takes one of the following forms.
- Encryption in the storage device: storage devices such as HDDs perform encryption and decryption themselves, so all saved files are encrypted.
- Encryption by the file system: the OS file system performs the encryption and decryption, so all saved files are encrypted.
- Encrypting only certain files: files are selectively encrypted and managed; encryption is also possible per directory or folder.
When encryption is performed at the OS layer, the big advantage is that neither the DB nor the applications have to consider encryption processing, so applying it to an existing system requires no cumbersome modification.
However, most OS-level encryption products have limitations such as storing the encryption key on the user's device or server itself, which makes it difficult to set granular security policies and to control access.
Data encryption in the DBMS Engine layer
The DBMS engine is the core module that manages data input/output and storage inside the DB server.
Many DBMS products provide their own encryption capability. As with OS-layer encryption, existing applications do not need to be modified, because storing or reading information in the DB works the same way before and after encryption is applied.
This property is called transparency to the application program, and encryption of this kind is also called TDE (Transparent Data Encryption).
However, most TDE products carry a risk of leakage, such as holding decrypted data in memory, and in terms of key management the encryption key lives in the same store as the data, so they cannot be perfectly secure.
Therefore, before applying a DBMS-engine-level encryption product, consideration should be given to key management and to how decrypted data is handled in memory.
Data encryption in the DBMS Package layer
In the DBMS Package layer, external requests are received and then directed to the engine and managed for processing.
Encryption at this layer has the advantage that applications at higher layers need not be modified.
Because the DBMS engine receives and processes data that is already encrypted, there is no memory security threat inside the engine.
It also performs well, because DB tables can be selectively encrypted.
In the past, because the data stored in the DB was itself encrypted, the lack of a search index was pointed out as a disadvantage. Currently, however, most encryption vendors offer index creation methods that can search encrypted data quickly.
DBMS Package layer encryption products can place a burden on the DB server, since encryption and decryption occur whenever data is processed. Therefore, when applying them in a real environment, an appropriate method for reducing the load on the server must be provided.
Data encryption in the DBMS Procedure layer
Software in the DBMS Procedure layer uses the DBMS API from outside the DB server.
To apply encryption at this layer, encryption must be handled through a separate API that supports encryption when communicating with the DB server.
If that API runs on a system separate from both the application and the DB server, network layer encryption can be applied in addition.
By invoking the encryption API instead of the existing DBMS API, this approach has all the advantages of DBMS Package layer encryption, with the further advantage that the burden of encryption and decryption is not transferred to the DB server. Being able to respond to security threats that occur in the network section is another great advantage. The drawback is that some application modification is required.
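The DBMS Package and DBMS Procedure layers both rest on the same mechanism: the application encrypts a value before it reaches the DB server, stores a searchable index beside the ciphertext, and keeps the keys in its own process (unlike TDE, where the key sits in the same store as the data). The Go program below is an added example written for this page, not code from the original article or from any vendor's product: it encrypts one column of a hypothetical `customer` table with AES-256-GCM, binds each ciphertext to its row so it cannot be silently moved, and keeps a keyed blind index (HMAC-SHA256 of the normalised value) so the DB can answer equality lookups on the encrypted column without decrypting anything. `CryptoAPI`, `Table`, and the e-mail addresses are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Row is one record of a hypothetical "customer" table as the DB server sees it.
type Row struct {
	ID         int
	EmailEnc   []byte // AES-256-GCM: nonce || ciphertext || tag
	EmailIndex string // hex(HMAC-SHA256(indexKey, normalised e-mail))
}

// CryptoAPI (hypothetical name) is what the application calls instead of the
// DBMS API for protected columns; both keys stay in the application process.
type CryptoAPI struct {
	aead     cipher.AEAD
	indexKey []byte
}

func NewCryptoAPI(dataKey, indexKey []byte) (*CryptoAPI, error) {
	block, err := aes.NewCipher(dataKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CryptoAPI{aead: aead, indexKey: indexKey}, nil
}

// Encrypt seals the value under a fresh random nonce, with the row id bound as
// associated data so a ciphertext copied into another row fails to decrypt.
func (c *CryptoAPI) Encrypt(id int, plaintext string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad := []byte(fmt.Sprintf("customer.email:%d", id))
	return c.aead.Seal(nonce, nonce, []byte(plaintext), ad), nil
}

// Decrypt checks the GCM tag and the row binding before returning plaintext.
func (c *CryptoAPI) Decrypt(id int, data []byte) (string, error) {
	ns := c.aead.NonceSize()
	if len(data) < ns {
		return "", fmt.Errorf("ciphertext too short")
	}
	ad := []byte(fmt.Sprintf("customer.email:%d", id))
	pt, err := c.aead.Open(nil, data[:ns], data[ns:], ad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BlindIndex is deterministic, so the DB can keep an ordinary index on it for
// equality lookups, yet keyed, so the DB alone cannot rebuild it.
func (c *CryptoAPI) BlindIndex(value string) string {
	mac := hmac.New(sha256.New, c.indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Table stands in for the DB server; it stores and compares Row values only.
type Table []Row

func (t *Table) Insert(c *CryptoAPI, id int, email string) error {
	enc, err := c.Encrypt(id, email)
	if err != nil {
		return err
	}
	*t = append(*t, Row{ID: id, EmailEnc: enc, EmailIndex: c.BlindIndex(email)})
	return nil
}

// FindByEmail is an equality search: the server matches on the blind index
// without decrypting anything, then the application decrypts the candidates.
func (t Table) FindByEmail(c *CryptoAPI, email string) ([]string, error) {
	want := c.BlindIndex(email)
	var hits []string
	for _, r := range t {
		if r.EmailIndex != want {
			continue
		}
		pt, err := c.Decrypt(r.ID, r.EmailEnc)
		if err != nil {
			return nil, err
		}
		hits = append(hits, pt)
	}
	return hits, nil
}

func main() {
	api, _ := NewCryptoAPI(make([]byte, 32), make([]byte, 32)) // all-zero keys: demo only
	var t Table
	t.Insert(api, 1, "Alice@Example.com")
	hits, _ := t.FindByEmail(api, "alice@example.com")
	fmt.Println(hits) // [Alice@Example.com]
}
```

A blind index of this kind answers only equality queries, and because it is deterministic it reveals which rows share a value even though it reveals nothing about the value itself; range and prefix searches need a different construction. That trade-off is what the index creation methods mentioned above have to manage, and the search itself costs the DB server nothing beyond an ordinary indexed comparison.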
Data encryption at the Web Application layer
The system configuration of many online information services has become increasingly complex in recent years, typically consisting of a web server, a web application server, and a DB server.
The web application server mediates between the web server and the DB server and controls the flow of data.
Since its function of connecting to the DB server is the same as that of a DBMS Procedure layer application, only the location where encryption is performed differs. The encryption method at this layer is the same as at the DBMS Procedure layer and has the same advantages and disadvantages.
Data encryption at the Business Application layer
Business applications are often large systems that integrate many applications.
Even when a DBMS is adopted for internal data management, it is included as a separate subsystem that manages the repository, so a developer of the business application cannot directly call or use the DBMS.
Encryption at this layer requires modifying the storage management subsystem or adding a secondary subsystem.
Because business applications are implemented in complex ways according to their own design and implementation principles, adding and modifying subsystems can be costly and time-consuming.
It has the same advantages and disadvantages as the DBMS Procedure and Web Application layers.
Comparison of encryption methods
Please refer to the table below when deciding on the encryption technology for data protection.
Based on a thorough understanding of the entire ICT system and business environment, Penta Security, as an encryption specialist, provides all the encryption technologies required for data protection.