Separation of duties and dual control
Many organizations pay close attention to separation of duties and dual control, which are required to pass audits: they demonstrate internal controls that protect against rogue administrators and unauthorized employees, and they are often mandated by the regulations discussed earlier. Database administrators and root administrators must therefore have restrictions placed on their permissions. For example, they should not be allowed to administer encryption keys, and no single administrator should have unchecked authority over a given machine.
HSMs can help enforce separation of duties by splitting database administration from security administration of key management. For example, an HSM can be configured so that a quorum of three security administrators must act jointly to change the encryption infrastructure (such as creating, rotating or deleting keys), while a single database administrator can authorize the use of a key but cannot administer it.
Companies often choose to require both a smart card and a password to unlock a database protected with Transparent Data Encryption (TDE), so that unlocking depends on something the operator holds as well as something the operator knows. Combining separation of duties with dual control in this way ensures that no one person has enough power to defraud the system.
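The two preceding paragraphs describe a quorum of security administrators who jointly control key material, a lone database administrator who may only use a key, and card-plus-password unlocking. The following is an added illustration of those controls in software; it is not Thales or HSM vendor code. It models the "smart card" as a Shamir secret share of a key-encryption key (KEK), requires k distinct security administrators to each present a share and a password before the key material can be changed, lets a database administrator authorize use with a password alone, and rejects short quorums, repeated presenters, people in the wrong role and forged cards. The role names, administrator names, password handling and the decision to retain only a SHA-256 digest of the KEK between ceremonies are assumptions made for the example; a real HSM never releases the key at all.

```python
"""Separation of duties plus k-of-n dual control for a TDE master key.

Added example, not vendor code. Shamir secret sharing over a prime field
stands in for the HSM's smart-card quorum; roles and names are assumed.
"""
import hashlib
import secrets
from typing import Dict, List, Sequence, Tuple

P = 2**521 - 1  # Mersenne prime; a 256-bit KEK fits in one field element
Share = Tuple[int, int]  # (x, f(x)) point on the secret polynomial


def split_secret(secret: int, k: int, n: int) -> List[Share]:
    """Shamir split: random degree-(k-1) polynomial with f(0) = secret."""
    if not 1 <= k <= n or not 0 <= secret < P:
        raise ValueError("bad threshold or secret outside the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation modulo P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares: Sequence[Share]) -> int:
    """Lagrange interpolation at x = 0 over k shares with distinct x."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


class AuthorizationError(Exception):
    pass


class KeyCustodian:
    """Who may *use* versus *change* the key (assumed role model)."""
    SECURITY_ADMIN, DB_ADMIN = "security_admin", "db_admin"

    def __init__(self, k: int, security_admins: Sequence[str],
                 db_admins: Sequence[str], passwords: Dict[str, str]):
        self.k = k
        self.role = {a: self.SECURITY_ADMIN for a in security_admins}
        self.role.update({a: self.DB_ADMIN for a in db_admins})
        self.pw = {}  # name -> (salt, sha256(salt || password))
        for name in self.role:
            salt = secrets.token_bytes(16)
            self.pw[name] = (salt, hashlib.sha256(salt + passwords[name].encode()).digest())
        self.key_version = 0
        self._enroll(secrets.randbits(256))

    @staticmethod
    def _digest(kek: int) -> bytes:
        return hashlib.sha256(kek.to_bytes(66, "big")).digest()  # 66 bytes holds any element < P

    def _enroll(self, kek: int) -> None:
        """Issue one share ("card") per security admin; keep only the KEK digest."""
        admins = [n for n, r in self.role.items() if r == self.SECURITY_ADMIN]
        self.cards = dict(zip(admins, split_secret(kek, self.k, len(admins))))
        self.kek_digest = self._digest(kek)
        self.key_version += 1

    def _check_password(self, name: str, password: str) -> bool:
        salt, digest = self.pw[name]
        return secrets.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def authorize_use(self, name: str, password: str) -> bool:
        """A single authenticated DBA may enable the key; no share is involved."""
        if self.role.get(name) != self.DB_ADMIN or not self._check_password(name, password):
            raise AuthorizationError("key use requires an authenticated database administrator")
        return True

    def rotate_key(self, presented: Sequence[Tuple[str, Share, str]]) -> int:
        """Change key material: k distinct security admins, each with card + password."""
        seen, shares = set(), []
        for name, share, password in presented:
            if self.role.get(name) != self.SECURITY_ADMIN:
                raise AuthorizationError(f"{name} is not a security administrator")
            if name in seen or any(share[0] == s[0] for s in shares):
                raise AuthorizationError(f"{name} or their card was presented twice")
            if not self._check_password(name, password):
                raise AuthorizationError(f"bad password for {name}")
            seen.add(name)
            shares.append(share)
        if len(shares) < self.k:
            raise AuthorizationError(f"quorum not met: {len(shares)} of {self.k}")
        # A forged or wrong card interpolates to a different value -> digest mismatch.
        if self._digest(recover_secret(shares[: self.k])) != self.kek_digest:
            raise AuthorizationError("cards do not reconstruct the enrolled key")
        self._enroll(secrets.randbits(256))  # new KEK, new cards for everyone
        return self.key_version
```

The two checks that matter in review are the role test (a DBA is refused even with a valid share) and the digest comparison after interpolation, which is what stops an attacker who has stolen one card from padding the quorum with fabricated ones. Rotation reissues every card, so a share that leaked before a ceremony is useless afterwards.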
Company databases hold the most sensitive enterprise data, so database encryption should unquestionably be a priority for organizations intent on protecting it. But encryption must be accompanied by sound key management to provide the highest levels of security. Companies that follow this best practice will find that they are not only protecting their most sensitive information but also supporting compliance with government and industry regulations, helping to prevent data breaches and, crucially, protecting their corporate brand and reputation.
Christian Kirsch is Senior Manager, International Product Marketing for Thales Information Systems Security. He has more than 12 years of experience in enterprise data protection. Prior to Thales, Christian worked with PGP Corporation in Germany and the United States as a product marketing manager for enterprise security software. Christian has also held product management positions at various encryption software vendors. In these roles, he became familiar with the security concerns and challenges of today's leading global organizations. Christian has also published several articles on IT security in international media and has spoken on this topic at several security conferences.
Christian has a B.A. in Politics with International Relations from the University of Warwick in the United Kingdom, as well as a business degree from the Akademie für Marketing-Kommunikation in Frankfurt, Germany. He can be reached at Christian.Kirsch@thalesesec.com.