How To Pursue Database Encryption

By Dan Garcia
CISO, EnterpriseDB | Feb 22, 2023 10:53 am PST

Cybersecurity remains a continual battle, with data breaches occurring at PayPal and T-Mobile in the first month of 2023 alone. To combat this challenge, businesses can strengthen their security posture by looking to reinforce their data encryption measures.

In most instances, encrypting data makes it inaccessible to bad actors. However, the process of encryption and decryption can be technically complex. In a competitive marketplace, businesses require speed and agility, and the prospect of reduced database performance can discourage taking steps towards encryption of data at rest.

However, advances in the usability and efficiency of database encryption solutions, coupled with developments in regulation and penalties for data breaches, have resulted in growing numbers of businesses taking data encryption as a more serious part of their cybersecurity strategy.

Given the number of options available, it can be challenging to settle upon the best encryption solution for business needs. It is also difficult to handle the cryptographic keys that enable decryption. Broadly speaking, there are three varieties of database encryption: the API (application programming interface) method, the database plug-in method, and the TDE (transparent data encryption) method. Let’s review each to help weigh up the pros and cons.

API encryption

The API encryption approach involves modifying applications to perform encryption and decryption of data as it enters and exits the database. Unlike other methods, the task of encrypting and decrypting is handled by an encryption agent within the application, not the database itself. This may seem like a simple solution, as once the encryption is in place at the application level, it is a one-time setup.

However, in practice, it is a much more complex process. To implement API encryption, considerable development resources must be devoted to modifying existing commercial or proprietary applications to support encryption. On top of this, search queries and operations must also be adapted to access this encrypted data. Together, these steps present a significant challenge, particularly in an environment where there are multiple demands on development resources. For these reasons, many consider API encryption to be a legacy technique.

While it may initially perform well, issues with scalability are another obstacle to API encryption. Unless supported by additional computing power, application performance deteriorates as the volume of data and queries rises. This issue is particularly problematic when multiple applications, potentially built or modified by different teams, are used to read and write encrypted data to and from the same database.

But there’s an even more fundamental issue to consider here – it is almost impossible to share the encryption keys used by one application and database pair across other applications within the same database. This puts a spanner in the works for analysis through data consolidation, affecting the capacity of the business to enhance customer relationships, optimise business operations, and identify new opportunities.
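To make the API approach concrete, here is an added example in Go (not part of the original article) of what the application-side encryption agent does on each write and read, and why existing equality queries stop working: the ciphertext is randomised per write, so a lookup has to be rewritten against a separate keyed blind-index column. The `Agent` type, the blind-index technique and the keys are assumptions of this example, not something the article describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Agent is an illustrative application-side agent for the API method; the database only ever stores its output and never holds either key.
type Agent struct {
	aead     cipher.AEAD // AES-GCM for the stored value
	indexKey []byte      // separate HMAC key for the blind index
}

func NewAgent(dataKey, indexKey []byte) (*Agent, error) {
	block, err := aes.NewCipher(dataKey) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	return &Agent{aead: gcm, indexKey: indexKey}, nil
}

// Encrypt runs on the way in; a fresh random nonce per write means equal values never give equal ciphertexts, so WHERE email = ? cannot match.
func (a *Agent) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.aead.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// Decrypt reverses Encrypt on the way out; GCM also rejects tampered rows.
func (a *Agent) Decrypt(data []byte) ([]byte, error) {
	if n := a.aead.NonceSize(); len(data) >= n {
		return a.aead.Open(nil, data[:n], data[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// BlindIndex is the query adaptation: a keyed, deterministic token stored in
// its own column, so the lookup is rewritten as WHERE email_idx = ? on it.
func (a *Agent) BlindIndex(plaintext []byte) []byte {
	mac := hmac.New(sha256.New, a.indexKey)
	mac.Write(plaintext)
	return mac.Sum(nil)
}
```

Because the token is deterministic, the database still learns which rows share a value; that is the trade the application makes to keep equality queries working without the plaintext.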

The database plug-in method

For database encryption and decryption, the plug-in method incorporates a separate module for the database. This approach avoids the computational burden of encryption falling on the applications and the database. Typically, these encryption plug-ins are specific to a single database software product, although some support multiple products.

However, deploying the database plug-in method incurs implementation and maintenance costs. Database administrators (DBAs) must adopt and manage new software, and, although less extensive than those required by the API encryption method, modifications to applications are still necessary to query encrypted data.

On the positive side, many of these modules can facilitate added capabilities, such as auditing, access control, and compliance management. However, the range of plug-in options and features available can be daunting – selecting the best solution can be a complex process as companies must consider the capabilities of the modules against their existing functionality.

The TDE method

With TDE in place, no modifications to applications or queries are necessary. This type of database encryption requires minimal administrative effort as the functionality is integrated into the database engine itself, either as a feature provided by the database vendor or as a third-party tool that modifies the database software. The database, backups, and log files are encrypted and decrypted in real time.

Although the process places a burden on the database engine, the effect on performance is largely insignificant. The impact is usually in the low single digits and even less when the data being accessed is in memory. Developers, users, administrators, and applications can operate without jumping through many of the hoops associated with other encryption methods.

Database encryption isn’t the only answer when it comes to cybersecurity. Web application firewalls, DDoS protection, ransomware protection and employee awareness all have their place in the mix. However, database encryption does have huge potential to significantly reduce the damage incurred by data breaches. Database encryption is the bedrock of a proper security strategy – in a world where there are more cyberthreats than ever, it pays to make sure that even if attackers can get past your defences, they’ll struggle to make use of your encrypted data.
