Separation of Duties and Dual Control
How to Protect Sensitive Data Using Database Encryption
Many businesses today are struggling to overcome the numerous challenges associated with database encryption. Organizations today are most concerned about key management, regarding it as the biggest challenge in database encryption. Enterprises are also grappling with issues such as how to separate database and security management, how to control the usage and copying of keys, and how to prove data security to the auditor.
Advanced security through database encryption is required across many different sectors and is increasingly needed to comply with regulatory mandates. The public sector, for example, uses database encryption to protect citizen privacy and national security. Initiated originally in the United States, many governments now have to meet policies requiring Federal Information Processing Standard (FIPS) validated key storage.
For the financial services industry, it is not just a matter of protecting privacy but also complying with regulations such as the Payment Card Industry Data Security Standard (PCI DSS). This creates policies that not only define what data needs to be encrypted and how, but also places some strong requirements on keys and key management. In fact, Requirement 3 of PCI version 1.2 (that is, to protect stored cardholder data) seems to be one of the more difficult aspects with which to comply.
One approach that can help companies address the encryption challenges associated with regulation is the "defense in depth" principle, which advocates many layers to strong security-ranging from physical security and access controls, to rights assignment and network security (including firewalls and, crucially, encryption of data both at rest and in transit).
Strong security is all about reducing the attack surface available to hackers and malicious users. If one method of attack is deemed too difficult, they will attempt to move on and exploit another weakness.
Overcoming key management issues
It is important that database encryption is accompanied by key management; however, this is also the main barrier to database encryption. It is well-recognized that key use should be restricted and that key backup is extremely important. However, with many silos of encryption and clusters of database application servers, security officers and administrators require a centralized method to define key policy and enforce key management.
Yet, just a relatively small number of Hardware Security Modules (HSMs) in the same security world can manage keys across a large spectrum of application servers, physical servers and clusters. Such a centralized strategy reduces total operational costs due to the simplification of key management. With data retention policies in some industries requiring storage for seven years or more, retaining encrypted data means that organizations need to be certain that they are also managing the storage of the key that encrypted that data.
An additional best practice rule of encryption is that the encrypted key should never be stored alongside the data it was used to encrypt. Placing encryption keys within the HSM enforces this policy. Furthermore, hardware can better protect encryption keys, as the application never handles the key directly, the encryption key never leaves the device, and the key cannot be compromised on the host system. As a result, unauthorized employees or data thieves cannot access the key material or the cryptographic functions and operations that use keys.
Separation of Duties and Dual Control
Separation of duties and dual control
Many organizations pay close attention to separation of duties and dual control, which is required to pass audits to show that there are internal controls protecting against rogue administrators or unauthorized employees. It is often required by the various regulatory requirements discussed earlier. Database administrators and root administrators must have certain restrictions placed on their permissions. For example, they should not be allowed to administer encryption keys, and they should not have too much power or authority over a given machine.
HSMs can help with separation of duties by separating database and security administration for key management. For example, a quorum of three security administrators has to jointly make changes to the encryption infrastructure, but one database administrator can authorize the use of a key.
Companies often choose to require a smart card and password to unlock a database protected with Transparent Data Encryption (TDE). This joint approach of separation of duties and dual control prevents any one person having enough power to defraud the system.
Company databases manage the most sensitive enterprise data. As such, it is without question that database encryption should be a priority for organizations intent on protecting this data. But encryption must also be accompanied by key management in order to provide the highest levels of security. If companies follow this best practice, they will find that not only are they protecting their company's most sensitive information, but they are also assisting compliance with government and industry regulations and rules. In doing so, they will be helping to prevent data breaches and, crucially, protecting their corporate brand and reputation.
Christian Kirsch is Senior Manager, International Product Marketing for Thales Information Systems Security. He has more than 12 years of experience in enterprise data protection. Prior to Thales, Christian worked with PGP Corporation in Germany and the United States as a product marketing manager for enterprise security software. Christian has also held product management positions at various encryption software vendors. In these roles, he became familiar with the security concerns and challenges of today's leading global organizations. Christian has also published several articles on IT security in international media and has spoken on this topic at several security conferences.
Christian has a B.A. in Politics with International Relations from the University of Warwick in the United Kingdom, as well as a business degree from the Akademie f??r Marketing-Kommunikation in Frankfurt, Germany. He can be reached at Christian.Kirsch@thalesesec.com.