How to Protect Sensitive Data Using Database Encryption

By Christian Kirsch  |  Posted 2009-06-05 Print this article Print

Database encryption has gradually worked its way up the priority list for today's IT director. Firewalls and application security are no longer enough to protect businesses and data in the modern-day, open and complex IT environment. Mitigating this risk and complying with numerous emerging regulations are two principal drivers that are forcing database encryption onto the IT director's agenda. Here, Knowledge Center contributor Christian Kirsch explains how these challenges can be overcome and advises on best practices for database encryption.

Many businesses today are struggling to overcome the numerous challenges associated with database encryption. Organizations today are most concerned about key management, regarding it as the biggest challenge in database encryption. Enterprises are also grappling with issues such as how to separate database and security management, how to control the usage and copying of keys, and how to prove data security to the auditor.

Advanced security through database encryption is required across many different sectors and is increasingly needed to comply with regulatory mandates. The public sector, for example, uses database encryption to protect citizen privacy and national security. Initiated originally in the United States, many governments now have to meet policies requiring Federal Information Processing Standard (FIPS) validated key storage.

For the financial services industry, it is not just a matter of protecting privacy but also complying with regulations such as the Payment Card Industry Data Security Standard (PCI DSS). This creates policies that not only define what data needs to be encrypted and how, but also places some strong requirements on keys and key management. In fact, Requirement 3 of PCI version 1.2 (that is, to protect stored cardholder data) seems to be one of the more difficult aspects with which to comply.

One approach that can help companies address the encryption challenges associated with regulation is the "defense in depth" principle, which advocates many layers to strong security-ranging from physical security and access controls, to rights assignment and network security (including firewalls and, crucially, encryption of data both at rest and in transit).

Strong security is all about reducing the attack surface available to hackers and malicious users. If one method of attack is deemed too difficult, they will attempt to move on and exploit another weakness.

Overcoming key management issues

It is important that database encryption is accompanied by key management; however, this is also the main barrier to database encryption. It is well-recognized that key use should be restricted and that key backup is extremely important. However, with many silos of encryption and clusters of database application servers, security officers and administrators require a centralized method to define key policy and enforce key management.

Yet, just a relatively small number of Hardware Security Modules (HSMs) in the same security world can manage keys across a large spectrum of application servers, physical servers and clusters. Such a centralized strategy reduces total operational costs due to the simplification of key management. With data retention policies in some industries requiring storage for seven years or more, retaining encrypted data means that organizations need to be certain that they are also managing the storage of the key that encrypted that data.

An additional best practice rule of encryption is that the encrypted key should never be stored alongside the data it was used to encrypt. Placing encryption keys within the HSM enforces this policy. Furthermore, hardware can better protect encryption keys, as the application never handles the key directly, the encryption key never leaves the device, and the key cannot be compromised on the host system. As a result, unauthorized employees or data thieves cannot access the key material or the cryptographic functions and operations that use keys.

Christian Kirsch is Senior Manager, International Product Marketing for Thales Information Systems Security. He has more than 12 years of experience in enterprise data protection. Prior to Thales, Christian worked with PGP Corporation in Germany and the United States as a product marketing manager for enterprise security software. Christian has also held product management positions at various encryption software vendors. In these roles, he became familiar with the security concerns and challenges of today's leading global organizations. Christian has also published several articles on IT security in international media and has spoken on this topic at several security conferences. Christian has a B.A. in Politics with International Relations from the University of Warwick in the United Kingdom, as well as a business degree from the Akademie f??r Marketing-Kommunikation in Frankfurt, Germany. He can be reached at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel