This page has moved to a new address.

Database application security: Balancing encryption, access control

body { background:#aba; margin:0; padding:20px 10px; text-align:center; font:x-small/1.5em "Trebuchet MS",Verdana,Arial,Sans-serif; color:#333; font-size/* */:/**/small; font-size: /**/small; } /* Page Structure ----------------------------------------------- */ /* The images which help create rounded corners depend on the following widths and measurements. If you want to change these measurements, the images will also need to change. */ @media all { #content { width:740px; margin:0 auto; text-align:left; } #main { width:485px; float:left; background:#fff url("") no-repeat left bottom; margin:15px 0 0; padding:0 0 10px; color:#000; font-size:97%; line-height:1.5em; } #main2 { float:left; width:100%; background:url("") no-repeat left top; padding:10px 0 0; } #main3 { background:url("") repeat-y; padding:0; } #sidebar { width:240px; float:right; margin:15px 0 0; font-size:97%; line-height:1.5em; } } @media handheld { #content { width:90%; } #main { width:100%; float:none; background:#fff; } #main2 { float:none; background:none; } #main3 { background:none; padding:0; } #sidebar { width:100%; float:none; } } /* Links ----------------------------------------------- */ a:link { color:#258; } a:visited { color:#666; } a:hover { color:#c63; } a img { border-width:0; } /* Blog Header ----------------------------------------------- */ @media all { #header { background:#456 url("") no-repeat left top; margin:0 0 0; padding:8px 0 0; color:#fff; } #header div { background:url("") no-repeat left bottom; padding:0 15px 8px; } } @media handheld { #header { background:#456; } #header div { background:none; } } #blog-title { margin:0; padding:10px 30px 5px; font-size:200%; line-height:1.2em; } #blog-title a { text-decoration:none; color:#fff; } #description { margin:0; padding:5px 30px 10px; font-size:94%; line-height:1.5em; } /* Posts ----------------------------------------------- */ .date-header { margin:0 28px 0 43px; font-size:85%; line-height:2em; text-transform:uppercase; letter-spacing:.2em; color:#357; } .post { margin:.3em 0 25px; padding:0 13px; border:1px dotted #bbb; border-width:1px 0; } .post-title { margin:0; font-size:135%; line-height:1.5em; background:url("") no-repeat 10px .5em; display:block; border:1px dotted #bbb; border-width:0 1px 1px; padding:2px 14px 2px 29px; color:#333; } a.title-link, .post-title strong { text-decoration:none; display:block; } a.title-link:hover { background-color:#ded; color:#000; } .post-body { border:1px dotted #bbb; border-width:0 1px 1px; border-bottom-color:#fff; padding:10px 14px 1px 29px; } html>body .post-body { border-bottom-width:0; } .post p { margin:0 0 .75em; } { background:#ded; margin:0; padding:2px 14px 2px 29px; border:1px dotted #bbb; border-width:1px; border-bottom:1px solid #eee; font-size:100%; line-height:1.5em; color:#666; text-align:right; } html>body { border-bottom-color:transparent; } em { display:block; float:left; text-align:left; font-style:normal; } a.comment-link { /* IE5.0/Win doesn't apply padding to inline elements, so we hide these two declarations from it */ background/* */:/**/url("") no-repeat 0 45%; padding-left:14px; } html>body a.comment-link { /* Respecified, for IE5/Mac's benefit */ background:url("") no-repeat 0 45%; padding-left:14px; } .post img { margin:0 0 5px 0; padding:4px; border:1px solid #ccc; } blockquote { margin:.75em 0; border:1px dotted #ccc; border-width:1px 0; padding:5px 15px; color:#666; } .post blockquote p { margin:.5em 0; } /* Comments ----------------------------------------------- */ #comments { margin:-25px 13px 0; border:1px dotted #ccc; border-width:0 1px 1px; padding:20px 0 15px 0; } #comments h4 { margin:0 0 10px; padding:0 14px 2px 29px; border-bottom:1px dotted #ccc; font-size:120%; line-height:1.4em; color:#333; } #comments-block { margin:0 15px 0 9px; } .comment-data { background:url("") no-repeat 2px .3em; margin:.5em 0; padding:0 0 0 20px; color:#666; } .comment-poster { font-weight:bold; } .comment-body { margin:0 0 1.25em; padding:0 0 0 20px; } .comment-body p { margin:0 0 .5em; } .comment-timestamp { margin:0 0 .5em; padding:0 0 .75em 20px; color:#666; } .comment-timestamp a:link { color:#666; } .deleted-comment { font-style:italic; color:gray; } .paging-control-container { float: right; margin: 0px 6px 0px 0px; font-size: 80%; } .unneeded-paging-control { visibility: hidden; } /* Profile ----------------------------------------------- */ @media all { #profile-container { background:#cdc url("") no-repeat left bottom; margin:0 0 15px; padding:0 0 10px; color:#345; } #profile-container h2 { background:url("") no-repeat left top; padding:10px 15px .2em; margin:0; border-width:0; font-size:115%; line-height:1.5em; color:#234; } } @media handheld { #profile-container { background:#cdc; } #profile-container h2 { background:none; } } .profile-datablock { margin:0 15px .5em; border-top:1px dotted #aba; padding-top:8px; } .profile-img {display:inline;} .profile-img img { float:left; margin:0 10px 5px 0; border:4px solid #fff; } .profile-data strong { display:block; } #profile-container p { margin:0 15px .5em; } #profile-container .profile-textblock { clear:left; } #profile-container a { color:#258; } .profile-link a { background:url("") no-repeat 0 .1em; padding-left:15px; font-weight:bold; } ul.profile-datablock { list-style-type:none; } /* Sidebar Boxes ----------------------------------------------- */ @media all { .box { background:#fff url("") no-repeat left top; margin:0 0 15px; padding:10px 0 0; color:#666; } .box2 { background:url("") no-repeat left bottom; padding:0 13px 8px; } } @media handheld { .box { background:#fff; } .box2 { background:none; } } .sidebar-title { margin:0; padding:0 0 .2em; border-bottom:1px dotted #9b9; font-size:115%; line-height:1.5em; color:#333; } .box ul { margin:.5em 0 1.25em; padding:0 0px; list-style:none; } .box ul li { background:url("") no-repeat 2px .25em; margin:0; padding:0 0 3px 16px; margin-bottom:3px; border-bottom:1px dotted #eee; line-height:1.4em; } .box p { margin:0 0 .6em; } /* Footer ----------------------------------------------- */ #footer { clear:both; margin:0; padding:15px 0 0; } @media all { #footer div { background:#456 url("") no-repeat left top; padding:8px 0 0; color:#fff; } #footer div div { background:url("") no-repeat left bottom; padding:0 15px 8px; } } @media handheld { #footer div { background:#456; } #footer div div { background:none; } } #footer hr {display:none;} #footer p {margin:0;} #footer a {color:#fff;} /* Feeds ----------------------------------------------- */ #blogfeeds { } #postfeeds { padding:0 15px 0; }

Tuesday, November 2, 2010

Database application security: Balancing encryption, access control

This tip is part of's Data Protection School lesson, Locking down database applications. For more learning resources, visit either the lesson page or the Data Protection School main page.

Some of the most sensitive data in a company is stored in databases. Medical records, credit card numbers, employee records, Social Security numbers and other such data are subject to privacy regulations and must be protected.

At the same time, however, security must be balanced with the need to access the data for legitimate business use, including backups and remote replication for business continuity. The most powerful tool for data privacy is encryption, but it must be applied carefully in order to be effective for security and not disruptive to business. Here are some best practices for database application security when it comes to protecting sensitive data and establishing an encryption/access control balance:

Data minimization and obfuscation
The best and most effective way to protect sensitive data is to not store it in the first place. Thus, companies should always ask the following data minimization questions:

Will the data be needed beyond today?Can we store only partial data for verification (e.g., last four digits of SSNs)?Can we use other, less sensitive data for authentication (e.g., name of pet)?Can we use or store a hash instead of the original data (e.g., MD5, SHA)?

In many cases, these questions can lead to a smaller, less sensitive set of stored data.

Data encryption
Companies can encrypt database data to protect against theft or accidental disclosure. There are three key issues that come with database encryption: where the data is encrypted, how it is encrypted and where the keys are stored. Let's address each below:

Where to encrypt data -- Encryption can be applied at the application layer, in the database or in the underlying storage. Within the database, data can be encrypted in a specific field, a column, a table or across the entire database. Each of these choices has pros and cons.

Application-layer encryption ensures the data is encrypted at the highest layer in the system, thus making it invisible to all the layers below. If encrypted in the application, the database, OS, network and all other components through which the data passes will only see the encrypted form.

The problem with encrypting at the highest level is that there are usually several high-level applications that need access to the data and will therefore need copies of the keys to decrypt it. The more the keys are distributed, the more vulnerable they are.

But if you encrypt at the lower levels, then you need to add other layers of encryption further up; for example, data will need to be encrypted in the network flows between database and application, otherwise it will be visible. This introduces other encryption keys that will need to be secured. It's a delicate balance that depends on the architecture of the application and the data flows.

How to encrypt -- Encryption can be implemented in software, in software with hardware assistance or entirely in hardware. Depending on the throughput you are trying to support (Mbit/sec), you may need some hardware acceleration. One choice is clear though: Always use a modern, strong and standards-based encryption and key management system; don't try to invent your own system that may or may not do the job properly. Some high-end server processors now have built-in encryption primitives supporting AES, which allow for much faster (up to nine times faster) encryption than software-based algorithms.

Where to store the keys -- The biggest challenge is not encryption per se, but key storage and distribution. The encryption is only as secure and only as accessible as the keys. Keys must be protected from attackers and stored separately from the encrypted data, but accessible to the encryption/decryption algorithm. At the same time, the keys must be backed up and replicated, so that backup data can also be decrypted if the primary data or primary key storage is lost due to a disaster. Any key management technology you select must support:

Secure storage of keys.Authenticated and audit-trail access of keys.Escrow or recovery keys to protect against loss.The ability to backup and securely transfer keys to a remote location for recovery.

Encryption standards
Many encryption and key management systems are certified by one of two useful standards: Federal Information Processing Standard (FIPS) 140, levels 1 through 4, and Common Criteria Evaluation Assurance Level (EAL), levels 1 through 7. These standards offer a metric to compare the security of different systems' encryption algorithms, key storage and key management mechanisms: Higher numbers mean better encryption algorithms, better key storage, tamperproof hardware and better key management practices. For example, FIPS considers 11 different areas of security to assign a level of certification. You should pick the appropriate level of security depending on the sensitivity of the data and any regulatory requirements you face.

Database applications are complex and made of multiple tiers of loosely coupled components. They are difficult to secure, yet contain the most sensitive data in an organization. But by using data minimization and encryption, companies can strike the right balance between security, accessibility and availability for their data.

About the author:
Andreas M. Antonopoulos is a Senior Vice President and Founding Partner with Nemertes Research, where he develops and manages research projects, conducts strategic seminars and advises key clients. Andreas is a computer scientist, a master of data communications and distributed systems, a Certified Information Systems Security Professional (CISSP), with an engineering, programming and consulting background. For the past 16 years, has advised a range of global industries on emerging technologies and trends.

View the original article here

Labels: , , , , , , , ,


Post a Comment

Subscribe to Post Comments [Atom]

Links to this post:

Create a Link

<< Home