Skip to main content
purple hex pattern

What are the main challenges?

As organizations use more information to run their businesses, the volume of data and the number of databases continues to grow. Ensuring that diverse databases are protected in a consistent manner, no matter where they are hosted (on-premises, in the cloud, in multiple clouds, or in hybrid environments), becomes increasingly challenging. Securing the cryptographic keys that are used to encrypt and protect the confidentiality of data is critically important. This presents a key management challenge that is fundamental to ensure a sound database security strategy. Scalable key management enables organizations to control encryption keys across databases, protecting the organization’s most sensitive assets and facilitating regulatory compliance.

How to secure a database

To effectively secure databases, organizations need to apply various tools and technologies. The objective is to protect the confidentiality and integrity of the data, ensure it is only available to those users and applications that are authorized to have access, and keep everyone/everything else from accessing the data even if perimeter defenses fail. Therefore, organizations should view database security as building blocks necessary to help them control user access and protect critical data at rest, in transit, and in use while facilitating regulatory compliance.

There are six different security options when protecting data that resides within a database. Data can be protected at the storage level, the file system, the actual database schema, the application level, the proxy, or at an end-user application.

Storage-level encryption

Storage-level encryption includes self-encrypting drives (SEDs) that provide a mechanism to protect the confidentiality of the data. Commercial SEDs are generally built to standards like the Key Management Interoperability Protocol (KMIP), so cryptographic keys can be managed externally in a consistent manner. Storage-level solutions are typically low-cost and easy to implement and maintain. However, they only protect against loss of physical data storage.

File-level encryption

File-level encryption includes native operating system solutions like Microsoft BitLocker or Linux LUKS, which can also be augmented with external encryption capabilities. Depending on the solution, they can also protect against privileged users. External solutions are operating system-dependent and can be more difficult to use.

Database-level encryption

Database-level encryption is where established vendors like Microsoft SQL, Oracle MySQL, and others provide transparent database encryption (TDE) on premises, and in the cloud with AWS, GCP, Microsoft Azure, and Oracle Cloud, among others. This level provides good protection against data loss, but typically has weak key management. Third-party key managers can be used to enhance this capability.

Application-level encryption

Application-level encryption can be enabled using technologies such as tokenization and format-preserving encryption to protect data without changing structure. These mechanisms provide high security and do not require changes to be made to applications but are typically customized by nature and more difficult to implement.

Proxy-layer encryption

Proxy-layer encryption provides a transparent interface between the user and the web application handling the data. It typically provides robust security without the need for a change in application. However, it is a single point of failure, and performance and scalability can be complex.

End user applications encryption

End user applications encryption offers the highest level of protection with end-to-end security, but needs dedicated interfaces, making it harder to implement.

Best practices

It is important to have the ability to address database security on multiple fronts. Consolidating diverse databases' and data stores’ key management capabilities protects data from exposure and protects the organization from liabilities. To manage, rotate, and share encryption keys securely centralized key management should be compliant with KMIP for easy deployment. For databases running in the cloud, greater control over the keys and the data can be achieved with a bring your own key (BYOK) approach that allows the organization to generate, manage, and use its own encryption keys across cloud service providers. Key management solutions should always isolate keys from the encrypted data to reduce risk and ensure compliance. Hardware security modules (HSMs) provide a root of trust for the generation, protection, and lifecycle management of database encryption keys. Applying consistent security policies across all databases helps mitigate error-prone manual practices. Managing user and application access ensures data is only available to authorized entities. And establishing consistent security policies facilitates auditing and compliance with data protection regulations and industry mandates.

Data protection legislation such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) specifically require encryption as a mechanism to protect sensitive data.

Learn more about key management for database encryption here.