Back to School with Database Encryption 101 - File Encryption, Database Encryption (Page 2 of 3)
Once deployed, you have to get databases up to your standard patch levels. Sounds basic, doesn't it? "It's astonishing how few people have figured this out for databases," Julian told me. Everybody knows what server software they're running and which patches are applied, what the password policies are, and so on.
But if you're not auditing databases on an ongoing basis, and making sure they're at whatever level of update your enterprise has defined as its baseline, you don't know how secure your database is, even if you're encrypting the entire database.
The next step, still pre-encryption, is to harden systems so that they have secure configurations. That means changing the default passwords and IDs on administrator and listener accounts, lest you leave the database wide open.
Intrusion detection comes into play next, to provide real-time protection while you're busy patching all of those databases, alerting on and shutting down an attack before it can cause damage. That's why it's deployed on the network, and that's why it should be deployed on the database.
Encryption is your last line of defense, for when there's no patch yet available and there's no signature for intrusion detection. It will keep somebody who's about to gain root access to your database from actually getting your customers' credit card numbers or Social Security numbers, for example.
This is where you get into the question of what to encrypt, and there's no easy answer to that.
Is standard file encryption required in addition to database encryption? When a file system is encrypted, whatever lives inside it, be it a database table or a text file, is encrypted. Database encryption experts will assure you that there's certainly overhead implied in either case, whether the abstraction layer of file encryption is present or not.
CERT/CC's Manion says they each imply different kinds and different amounts of overhead, depending on what file system you're talking about, what database you're using, and what type of database encryption you're using. In other words, the question is impossible to answer without knowing the specifics of a given system setup.
But one way to keep overhead down is to encrypt at the column level in a database table, rather than encrypting anything and everything on a file system.
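As an added illustration of the column-level approach, not code from the article or any product it mentions, here is a small Go helper that encrypts only a single sensitive column (a hypothetical customers.card column holding card numbers) with AES-256-GCM, leaving the other columns in the clear and queryable. The table name, column name and primary key are bound into the ciphertext as associated data, so a blob copied from one row into another is rejected on decrypt; the key handling is assumed to live in a KMS or HSM outside this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ColumnCipher encrypts one sensitive column (e.g. customers.card) with AES-256-GCM.
type ColumnCipher struct{ aead cipher.AEAD }
// NewColumnCipher takes a 32-byte key; in practice it comes from a KMS or HSM.
func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead}, nil
}

// aad binds a ciphertext to table, column and primary key, so a moved blob fails to open.
func aad(table, column string, id int) []byte {
	return []byte(fmt.Sprintf("%s.%s:%d", table, column, id))
}

// Encrypt returns nonce || ciphertext || tag; with random 96-bit nonces, rotate the key well before 2^32 rows.
func (c *ColumnCipher) Encrypt(table, column string, id int, plain string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, []byte(plain), aad(table, column, id)), nil
}

// Decrypt reverses Encrypt; it fails if the blob was truncated, tampered with or moved.
func (c *ColumnCipher) Decrypt(table, column string, id int, blob []byte) (string, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return "", fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	plain, err := c.aead.Open(nil, blob[:ns], blob[ns:], aad(table, column, id))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```

The application layer calls Encrypt before an INSERT and Decrypt after a SELECT on that one column; the database itself never sees the key.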
Securing directories versus securing the database. Depending on what's stored in there, it might make sense to encrypt a directory, Manion says. If you're talking about an internal server that contains internal phone and contact information for internal staff, and it's not exposed to the outside world, it might not be worth the effort to encrypt it. Bear in mind, once you do choose to encrypt, you're adding another layer of logins and/or passwords. These things don't come free.