
Evaluating Data Encryption Solutions

Today, many organizations are evaluating or implementing solutions for encrypting data at rest, both as a means to combat data theft and to ensure compliance with a range of legislative and industry mandates. For encryption to adequately and cost-effectively address security gaps, organizations must manage their implementation in a way that is best suited to their specific infrastructure and security policies.

Following are guidelines for evaluating the relative merits of several approaches available on the market today:

Evaluating File versus Column Level Approaches

Today all databases write their data in a structured format to underlying files, so one way to implement database encryption is to encrypt the entire database file. While file-level encryption is well suited to encrypting Word documents and other sensitive files in their entirety, applying it to whole database files is rarely done or useful because of the read- and write-intensive nature of databases. Another approach to database encryption is granular, column-level encryption, which encrypts specific fields within a database. While this approach provides both flexibility and a high level of security, several factors should be taken into consideration when implementing this type of solution. To learn more, download the white paper entitled "Database Encryption: Evaluating File versus Column Level Approaches."

This white paper is designed to help enterprises better understand both file- and column-level encryption in order to make informed decisions about which approaches and technologies to implement (download requires registration).

Evaluating Storage versus Application Level Approaches

When encrypting sensitive data within database tables, one should consider the difference between encrypting at the column level and encrypting the entire database at the storage-system level. Storage encryption techniques operate on the entire contents written by the database and offer very limited access control and auditing capabilities. Column-level encryption solutions provide much more granularity and enable access control, auditing, and policy to be applied to specific columns within a database.

To learn more, download the paper entitled "Database Encryption: Evaluating Storage vs. Application Level Approaches". This white paper is designed to help enterprises better understand both storage- and column-level encryption in order to make the most informed decision on which approach is ultimately employed (download requires registration).

A Comparison of Hardware-based vs. Software-based Alternatives

One of the key decisions confronting organizations considering data-at-rest encryption is whether to deploy software-based products or hardware-based solutions such as Ingrian DataSecure Platforms. This document outlines the main differences between the two alternatives, offering information on such criteria as security, performance, and manageability.

Centralized vs. Distributed Key Storage

Distributed Key Storage and Software-Based Encryption

Software-based encryption solutions use a distributed key storage mechanism: keys are stored on the application and database servers on which the data to be encrypted resides. In the simplest case, where only one database server exists, key management is relatively simple. However, in an enterprise environment, where the number of application and database servers often runs into the hundreds, it becomes increasingly difficult to manage the cryptographic keys residing on these servers. In addition, as the complexity of key management increases, the risk of failing to back up a key, or of losing one, increases exponentially.

When organizations use software-based approaches to encrypt data that is stored on back-end servers and databases, the cryptographic keys are distributed in a decentralized fashion. This creates security vulnerabilities: database and application servers are often misconfigured and not kept up to date with the latest security patches, making them easy prey for attackers outside the organization, and they are readily accessible to a number of internal employees who may not have the proper security credentials. When cryptographic keys are stored on unsecured platforms, attackers can gain access to them very quickly because the keys are often stored in an easily readable plaintext format. And as more keys are stored on servers, it becomes even easier to locate and manipulate them.

Centralized Key Storage with Ingrian DataSecure Platforms

Companies run distributed networks, which makes managing the keys, and the security policies behind those keys, the most important aspect of securing sensitive data. The Ingrian DataSecure Platform is a centralized key storage solution: all keys are created on, reside on, and never leave the Ingrian platform.

This significantly simplifies management of key backup, restoration, and key rotation, since all keys are stored in one place. The DataSecure platform is capable of creating thousands of keys, including keys for robust encryption algorithms such as RSA, 3DES, and AES, that can be used by multiple application or database servers.

Additionally, when an encryption key is "at rest" on the internal DataSecure disk, it is twice-encrypted for added security using several internal Ingrian keys designed for this purpose. Customers can also choose a DataSecure Platform containing a FIPS 140-2 Level 3-compliant hardware security module, which supports U.S. government requirements by ensuring that the key storage media itself is extremely tamper resistant.

Administration and Access Control

The only way to access the DataSecure platform for administrative purposes is via a secure Web management console, a command-line interface over SSH, or a direct console connection. Again, unlike database and application servers, no one can "log on" to the Ingrian platform using a standard Windows logon or UNIX shell.

Access to Ingrian platforms is restricted to Ingrian utilities and commands designed to manage and maintain the Ingrian appliance. The DataSecure appliance has been hardened for security: none of the TCP listeners and services typically found on application or database servers are present. Consequently, there is no general-purpose access with which to search for keys residing on the DataSecure platform.

For added security, the platform can be configured so that individual administrators are granted access only to the areas for which they are responsible. DataSecure offers over 20 access control lists (ACLs), which give granular control over administrative functions. For example, one administrator might be given access only to network configuration functions, while another might be given access only to certificate management controls. This level of granular access control enables customers to control and closely monitor administrative operations. All actions performed by users and administrators are logged for reporting purposes.

Implementation Options

Software-based encryption solutions generally provide one implementation option: deploying encryption at the database layer. While this alternative may make sense for certain organizations, many enterprises need to do encryption elsewhere, sometimes due to infrastructure requirements or security objectives.

With Ingrian, organizations can implement encryption at multiple tiers within the infrastructure, and a single appliance can be integrated with a number of Web servers, application servers, and databases. This affords enterprises a great deal of flexibility to adapt encryption to their specific performance, implementation, and security requirements. For example, an organization may choose to give an application server that resides in a relatively open, insecure portion of the network permission to make only encryption requests, while a database residing in a more secure location would be able to make decryption calls.
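The per-tier policy just described (an exposed application server may only encrypt, the database tier may also decrypt) together with the centralized store where column keys never leave the server, as an added example in Go; this is not Ingrian's code or API, and the KeyServer type, its client map and the column names are assumptions. It goes one step beyond the text by binding each ciphertext to its column name as AEAD associated data, so a value cannot be replayed into another column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyServer: hypothetical centralized key store (not Ingrian's API); column keys never leave it.
type KeyServer struct {
	keys    map[string]cipher.AEAD // column name -> that column's AES-256-GCM AEAD
	clients map[string]bool        // registered client name -> may also decrypt
}

// NewKeyServer registers the clients and generates a fresh random key per column.
func NewKeyServer(clients map[string]bool, columns ...string) *KeyServer {
	s := &KeyServer{keys: map[string]cipher.AEAD{}, clients: clients}
	for _, c := range columns {
		raw := make([]byte, 32)
		if _, err := rand.Read(raw); err != nil {
			panic(err) // no usable entropy: refuse to create keys
		}
		block, _ := aes.NewCipher(raw) // 32-byte key: cannot fail
		s.keys[c], _ = cipher.NewGCM(block)
	}
	return s
}
// Encrypt is open to every registered client, which is all an exposed application
// server gets. The column name is bound as AAD so a ciphertext is tied to its column.
func (s *KeyServer) Encrypt(client, column string, value []byte) ([]byte, error) {
	k, ok := s.keys[column]
	if _, known := s.clients[client]; !known || !ok {
		return nil, errors.New("unknown client or column")
	}
	nonce := make([]byte, k.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.Seal(nonce, nonce, value, []byte(column)), nil // nonce || ciphertext || tag
}

// Decrypt is refused unless the client is flagged as allowed to decrypt (unregistered reads as false).
func (s *KeyServer) Decrypt(client, column string, blob []byte) ([]byte, error) {
	k, ok := s.keys[column]
	if !s.clients[client] || !ok || len(blob) < k.NonceSize() {
		return nil, errors.New("decrypt refused for " + client + " on " + column)
	}
	return k.Open(nil, blob[:k.NonceSize()], blob[k.NonceSize():], []byte(column))
}
```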

Scalability and Performance

Software-based cryptographic solutions do not scale, because all cryptographic operations are performed on the application or database server's CPU. This typically adds 10 to 25% to the existing load on a database server, and the approach is inherently flawed from a scalability standpoint: the customer must add application and database servers whenever a server's load threshold is exceeded. This can significantly increase the cost of ownership once the cost of new hardware and software (operating system, database licenses, and encryption software) is factored in.

On the other hand, the Ingrian solution offloads all cryptographic operations to the DataSecure server. This all but eliminates additional load on the customer's servers and allows DataSecure to scale horizontally: the customer can add as many Ingrian cryptographic servers as required by inserting another Ingrian appliance into the cluster. Performance can be increased as needed, and the customer can scale database encryption as their organization and transaction rates grow. One DataSecure appliance can have many databases and/or application servers accessing it simultaneously for different cryptographic needs.

Cost of Ownership

As illustrated above, it is far more complex to manage keys, users, and security policies with a software-based encryption solution than with a centralized hardware offering. This complexity increases as software-based cryptographic solutions are deployed across a large number of application and database servers, and the problem is significantly magnified in an enterprise environment, where architectures typically consist of hundreds of applications and many databases.

Although software-based encryption solutions typically require a smaller initial investment than a hardware-based solution, the IT costs of deploying and administering these software-based solutions in complex enterprise environments often make their long-term costs prohibitive.