What is database encryption? – VentureBeat


Database encryption protects sensitive information by scrambling the data when it's stored, or, as it has become popular to say, "at rest."

There are several methods to generate and apply secret codes, but the end result is to make the data unusable in case an attacker manages to evade the standard defenses and gain direct access to the raw bits inside.

While the basic motivation remains rendering the data unreadable to those without authorized access, the process of encoding has evolved to support a number of different use cases:

The encryption process is a close cousin to the mathematical assurance that makes up the foundation of the ledger or blockchain databases. Digital signature algorithms used to authorize and guarantee the changes to the ledgers are often developed and supported by the same library. While blockchain databases do not necessarily offer privacy (indeed, all transactions are public), they are often categorized similarly.

Oracle has been shipping tools to enable database encryption for decades, with a feature they call transparent database encryption that's designed to minimize the difficulty of use. Database administrators can protect entire databases, particular tables, or just individual columns. The keys are stored separately in an Oracle Key Vault, and they're managed to keep authorized database consumers from having to input them. This is because, the documentation explains, the data is transparently decrypted for database users and applications. This automated encryption is a good defense against stolen storage media or attackers who manage to gain access to the raw data stored on disks (that is, at rest).

Microsoft's SQL Server also supports automatically encrypting data before it's stored to a hard disk drive (HDD) or solid state disk (SSD), something it also calls transparent database encryption. Versions running locally or in the Azure cloud can turn it on. They also have a separate layer designed to ensure that all connections to the database from other servers are encrypted.

Many companies are also relying on encryption that's added by the file system or the hardware of the disk drive itself. Operating systems like macOS, Linux, or Windows will support encryption of all files as they're stored, which also covers the indices and data columns stored by the database software. Adding encryption to the file system will affect the overall load of the server by increasing the time it takes to record the data.

Some drives can now handle the encryption using special chips added to the disk drive. Some are designed to be easily removable, so they might be locked up in a physical safe or moved to a different location for backup.

Many popular open source databases like MySQL or PostgreSQL include encryption libraries to simplify implementing encryption. Most of them use established cryptographic libraries instead of trying to create their own. The pgcrypto module, for instance, offers encryption functions that can be applied within SQL queries, and the crypt() function is often used to scramble passwords before they're stored.
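
The pgcrypto usage described above, as an added example that is not part of the original article: crypt() with gen_salt() for password hashing, and pgp_sym_encrypt()/pgp_sym_decrypt() for a single sensitive column. The table, column names, sample values and key placeholder are constructed for illustration.

```sql
-- Added example; table, column names and all values are constructed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    id       serial PRIMARY KEY,
    email    text  NOT NULL UNIQUE,
    pw_hash  text  NOT NULL,  -- crypt() output: algorithm, cost and salt are embedded
    ssn_enc  bytea            -- pgp_sym_encrypt() output: an OpenPGP message
);

-- Write path: hash the password with a fresh bcrypt salt (cost 12) and
-- encrypt the sensitive column with AES-256. The key literal is a placeholder:
-- in an application, pass it as a bind parameter fetched from a key store
-- that lives apart from the database, so it does not appear in the SQL text.
INSERT INTO app_user (email, pw_hash, ssn_enc)
VALUES (
    'alice@example.com',
    crypt('constructed-password', gen_salt('bf', 12)),
    pgp_sym_encrypt('000-00-0000', 'PLACEHOLDER-KEY', 'cipher-algo=aes256')
);

-- Password check: crypt() re-reads the salt and cost from the stored hash,
-- so this query matches only when the candidate is the original password.
SELECT id
FROM app_user
WHERE email = 'alice@example.com'
  AND pw_hash = crypt('constructed-password', pw_hash);

-- A wrong candidate hashes to a different value and matches nothing.
SELECT id
FROM app_user
WHERE email = 'alice@example.com'
  AND pw_hash = crypt('wrong-guess', pw_hash);

-- Read path: only a caller holding the key recovers the plaintext.
SELECT pgp_sym_decrypt(ssn_enc, 'PLACEHOLDER-KEY') AS ssn
FROM app_user
WHERE email = 'alice@example.com';

-- What someone with raw access to the table sees: a salted hash and ciphertext.
SELECT pw_hash, encode(ssn_enc, 'hex') AS ssn_enc_hex
FROM app_user;
```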

MongoDB added the ability to encrypt their databases at rest to the Enterprise edition. The default relies on AES with 256-bit keys. MongoDB added field-level encryption to secure certain parts of the data stored in the database across all its offerings in December 2019.

IBM isn't an upstart in the industry, but it is one of the leaders exploring some of the more sophisticated algorithms for homomorphic encryption. The company has released a toolkit for adding fully homomorphic encryption to iOS and macOS. Microsoft's Research division is also sharing SEAL, a homomorphic encryption library that supports basic arithmetic. It's released under the MIT license and is built for linking with .NET and C++ code.

The challenge for managing encryption is keeping all of the keys safe and secure. Access to the data is controlled by the keys, and they should be kept independent of the data when the database is not being used. Extra care must also be taken with the backups, because a lost key can mean that an entire database is rendered unreadable.

Cloud companies are supporting key management by setting up separate services that isolate the keys from the regular computation. Microsoft's Azure calls its service the Key Vault, and it keeps the keys in Hardware Security Modules (HSM), which will store them with an extra layer of encryption. IBM calls its service Key Protect, and it also uses HSMs to protect the local keys the database uses.

Adding encryption requires a significant amount of computation, and this increases the cost of storing and retrieving the information. In some cases, the CPUs are idle, and the extra cost is negligible. Many desktops and cell phones, for instance, rarely use more than a small fraction of their available CPU cycles. If these devices encrypt the data before sending it to the database, they bear the computational burden, which may be negligible, and you don't want to overload the central database.

But in other cases, adding the encryption can require stronger database servers and larger clusters to handle the load. Much depends on how the encryption is applied and how the data will be used afterwards. Bulk encryption is built into some hard disks and operating systems, and it's possible to turn on these features without significantly slowing down the hardware.

The most sophisticated algorithms, like homomorphic encryption, require a significantly larger computational infrastructure. The field continues to be an area of extremely active exploration, and new algorithms can be several orders of magnitude faster than their predecessors, but the performance is still not practical for many applications.

This article is part of a series on enterprise database technology trends.
