Vormetric Data Security Understanding and Selecting Transparent Data Encryption: Native vs External Approaches

Similar documents
Debunking The Myths of Column-level Encryption

Securing Sensitive Data

Vormetric Encryption Architecture Overview

SafeNet DataSecure vs. Native Oracle Encryption

Real-Time Database Protection and. Overview IBM Corporation

IBM Software Information Management Creating an Integrated, Optimized, and Secure Enterprise Data Platform:

Teradata and Protegrity High-Value Protection for High-Value Data

Transparent Data Encryption: New Technologies and Best Practices for Database Encryption

All Things Oracle Database Encryption

Alliance Key Manager Solution Brief

Securing Oracle E-Business Suite in the Cloud

Protegrity Data Security Platform

Choosing Encryption for Microsoft SQL Server

An Oracle White Paper June Oracle Database 11g: Cost-Effective Solutions for Security and Compliance

Meeting Technology Risk Management (TRM) Guidelines from the Monetary Authority of Singapore (MAS)

<Insert Picture Here> Oracle Database Security Overview

Stronger database security is needed to accommodate new requirements

OWB Users, Enter The New ODI World

Navigating Endpoint Encryption Technologies

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

Achieving PCI Compliance with Log Management

Compliance for the Road Ahead

Data-Centric Security vs. Database-Level Security

a division of Technical Overview Xenos Enterprise Server 2.0

VERITAS NetBackup 6.0 Database and Application Protection

Oracle Database 11g: Security. What you will learn:

Cloud Data Security. Sol Cates

What s New in Centrify DirectAudit 2.0

ITPS AG. Aplication overview. DIGITAL RESEARCH & DEVELOPMENT SQL Informational Management System. SQL Informational Management System 1

Guardium Change Auditing System (CAS)

VERITAS NetBackup BusinesServer

Microsoft. Course 20463C: Implementing a Data Warehouse with Microsoft SQL Server

MySQL Security: Best Practices

Protecting Data with a Unified Platform

Leverage the IBM Tivoli advantages in storage management

Online Transaction Processing in SQL Server 2008

Vormetric Data Security

Vormetric and SanDisk : Encryption-at-Rest for Active Data Sets

Oracle Database 11g: Security

MS-40074: Microsoft SQL Server 2014 for Oracle DBAs

Archive Data Retention & Compliance. Solutions Integrated Storage Appliances. Management Optimized Storage & Migration

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit

Switching From ISAM to SQL

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

Securing Data in Oracle Database 12c

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

DFW Backup Software. Whitepaper DFW Backup Agent

Securing Your Microsoft SQL Server Databases in an Enterprise Environment

Tips and Best Practices for Managing a Private Cloud

White Paper Big Data Without Big Headaches

DriveLock and Windows 8

Microsoft SQL Server Security and Auditing Clay Risenhoover ISACA North Texas April 14,

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Case Studies: Protecting Sensitive Data in

Server Consolidation with SQL Server 2008

Zoner Online Backup. Whitepaper Zoner Backup Agent

ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

PATROL From a Database Administrator s Perspective

Ahsay Backup Software. Whitepaper Ahsay Backup Agent

Using EMC Documentum with Adobe LiveCycle ES

MOC Administering Microsoft SQL Server 2014 Databases

Vormetric Data Security Platform Data Sheet

VORMETRIC CLOUD ENCRYPTION GATEWAY Enabling Security and Compliance of Sensitive Data in Cloud Storage

DriveLock and Windows 7

HIPAA and HITECH Compliance Simplification. Sol Cates

A TECHNICAL WHITE PAPER ATTUNITY VISIBILITY

VAULTIVE & MICROSOFT: COMPLEMENTARY ENCRYPTION SOLUTIONS. White Paper

Security Solutions. MyDBA s. Security Solutions. For Databases. October Copyright 2012 MyDBA CC. Version 3

SimpliVity OmniStack with Vormetric Transparent Encryption

White paper FUJITSU Software Enterprise Postgres

Oracle Database 11g Comparison Chart

Microsoft SQL Server for Oracle DBAs Course 40045; 4 Days, Instructor-led

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

An Oracle White Paper February Oracle Data Integrator 12c Architecture Overview

Microsoft SQL Server versus IBM DB2 Comparison Document (ver 1) A detailed Technical Comparison between Microsoft SQL Server and IBM DB2

Whitepaper FailSafeSolutions Backup Agent

Brochure Achieving security with cloud data protection. Autonomy LiveVault

Oracle Database 11g: Security Release 2

Blaze Vault Online Backup. Whitepaper Blaze Vault Online Backup Agent

Data Sheet: Storage Management Veritas Virtual Infrastructure Bringing enterprise-class storage management to virtual server environments

Veritas Cluster Server from Symantec

Brochure. Data Protector 9: Nine reasons to upgrade

An Oracle White Paper May Oracle Audit Vault and Database Firewall 12.1 Sizing Best Practices

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

SharePoint Unlimited... or how to deal with the explosive growth of unstructured data in SharePoint in a secure and transparent manner.

Database Assessment. Vulnerability Assessment Course

Overview. Edvantage Security

Veritas NetBackup 6.0 Database and Application Protection

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

Protecting your Data in a New Generation Virtual and Physical Environment

DataTrust Backup Software. Whitepaper DataTrust Backup Agent. Version 6.3

How To Use Vormetric.Com To Protect Your Data From Hackers

2. Highlights and Updates: ITSM for Databases

<Insert Picture Here> Oracle Secure Backup 10.3 Secure Your Data, Protect Your Budget

Oracle Database 11g: Security

Solution Guide Parallels Virtualization for Linux

Transcription:

Vormetric Data Security Understanding and Selecting Transparent Data Encryption: Native vs External Approaches Vormetric, Inc. Tel: 888.267.3732 Email: sales@vormetric.com www.vormetric.com

Table of Contents Executive Summary.........................................................3 Native Database TDE Overview...............................................3 Native Database TDE Security Challenges.......................................3 Expanding Security Coverage with External TDE.................................5 Conclusion................................................................7 2

Executive Summary Enterprises have a variety of drivers to encrypt information stored in their databases, from regulatory compliance to executive mandates, and a variety of options to evaluate in protecting that information. One of the options considered when securing database information is the Transparent Data Encryption (TDE) provided by the database vendor. This paper discusses the TDE technology and explains the strengths and limitations that TDE faces in meeting the needs of today s enterprises. It also explains how Vormetric Data Security provides necessary security and operational benefits while avoiding the limitations of native database TDE solutions. Native Database TDE Overview TDE protects data at rest inside of the database through native encryption functions within the database. Some database vendors offer encryption at the column and tablespace level, but it has become increasingly common to apply encryption to all of the data in the database. TDE is referred to as transparent since for some implementations, it can secure the data at rest without requiring application changes to take advantage of the encryption functionality. The major reason for using encryption is to avoid compromise of database files in storage. TDE avoids the possibility of someone stealing database files or storage media containing the database files and subsequently attempting to restore the data or browse the files. TDE implementations are designed to protect raw data at the operating system and storage tiers, while allowing applications and DBA s to continue to interact with the database, as usual. TDE is not a replacement for good application security and database access controls. Key management is a major concern for any encryption project and crops up when considering TDE. While database vendors might use common encryption algorithms, how encryption keys are shared, archived, secured and accessed varies between vendors. Some database vendors providing native encryption rely on simple access controls tied to administrative accounts, some encrypt individual user keys with a single master key, and others permit no key access at all and instead use a proxy to perform key operations. Native Database TDE Security Challenges Some implementations of TDE within the database engine have the benefit of transparency by avoiding application or database changes; however, like any technology, there are limitations. What follows are some of the most significant challenges to consider when evaluating Transparent Data Encryption. Unprotected Unstructured Data: Ancillary Data Surrounding The Database While databases frequently capture the attention of auditors and IT management, the database is part of a web of information flows that include backups, archives, Extract-Transform-Load (ETL) files, and reports. Hackers, bad guys and misguided Database Administrators (DBAs) recognize that security is only as good as its weakest link, and can search out the unencrypted weak link to obtain valuable data. While the database might be secure, the spreadsheet report extracted from the database containing sensitive data also needs to be considered when evaluating data security. 3

keys are only as secure as your least trustworthy [Database Administrator] DBA. In any platform that stores the keys in a database table, they are accessible to database administrators. Despite vendor advertisements to the contrary, there are attacks that can sniff key operations within the database, or even scan through database memory structures where the keys reside during use. Securosis, Understanding and Selecting a Database Encryption or Tokenization Solution, 2010 1 TDE protects sensitive data within the database, however TDE cannot be extended to protect unstructured data outside of the database. Compliance requirements and executive mandates typically impact data no matter where it might reside and include structured data inside the database as well as unstructured data outside of the database. Consequently, the narrow TDE approach cannot extend to protect unstructured information outside of the database. Unstructured data can take a variety of forms, from images containing sensitive information such as a scanned personal check to spreadsheets or pdf reports containing the results of queries from the database. It can also take the form of database-generated trace files, alert logs or audit logs that are likely to contain sensitive data extracted from the database. Administrative Burdens: Native Database Encryption in a Heterogeneous World Enterprises have adopted various database technologies for different applications over time. A typical enterprise has accumulated different databases from different vendors. This heterogeneous world means that an enterprise looking to secure databases with native encryption will need to factor in increased costs and administrative resources required from managing multiple encryption solutions. TDE consequently requires training and processes that are specific to each database vendor and goes not generate the economies that come from a single solution protecting multiple databases. Insufficient Key and Policy Management Database vendors providing TDE typically provide minimal key management functionality and point to Hardware Security Modules (HSMs) or third-party Key Managers to provide the necessary key management. Such key management functionality can become painful when enterprises need to wrestle with large deployments involving tens or hundreds of servers, each having an encryption key to manage. TDE can enable encryption that is transparent to an application, but the management burden needs to be considered to arrive at an accurate understanding of the feasibility and total cost of a solution. Performance Encryption operations impose an incremental performance requirement on systems. This performance requirement applies regardless of the approach to encryption, whether applicationlevel, database-level (TDE), or file/os-level. The performance overhead required for TDE varies significantly depending on the workload, with a recent Microsoft paper pegging the overhead at 3-5% for TDE for a database and up to 28% for cell-level (column) encryption. 2 1. Securosis, Understanding and Selecting a Database Encryption or Tokenization Solution, 2010 http:// securosis.com/reports/securosis_understanding_dbencryption.v_.1_.pdf 2. Database Encryption in SQL Server 2008 Enterprise Edition, SQL Server Technical Article, February 2008, http://msdn.microsoft.com/en-us/library/cc278098(v=sql.100).aspx 4

When you boil it down, transparent encryption with associated internal key management is a very simple and cost effective way to secure data at rest, but not effective for securing keys from database administrators or determined hackers who gain access to the host. Securosis, Understanding and Selecting a Database Encryption or Tokenization Solution, 2010 Legacy Database Migration Enterprises typically have a variety of database versions and grapple with the challenge of supporting a number of older database versions that do not include TDE functionality. While the latest and greatest database versions might offer TDE, legacy packaged applications come bundled with older versions of a database that lack TDE to encrypt columns or tablespaces. It is frequently impossible to migrate such older database versions to more recent versions offering TDE given the constraints of the packaged application the database supports. In addition, the effort to encrypt the data once the database itself is migrated can include an even more significant body of work. This migration of legacy databases is something that will pose a testing and operational burden. Expanding Security Coverage with External TDE: Vormetric Data Security Vormetric Data Security enables enterprises to meet their data security compliance requirements and executive mandates with superior manageability and extensibility compared to native database Transparent Data Encryption. Vormetric protects information stored in databases by transparently encrypting data at the file or volume manager level and can be applied to all databases irrespective of the vendor. In addition to securing database information, Vormetric can also secure unstructured data outside of the database without application or IT operational changes. Vormetric Data Security protects data in physical, virtual and cloud environments while avoiding any changes to the application, database or infrastructure. This approach allows enterprises to achieve security and operational efficiency while avoiding the deficiencies of native TDE provided by a database vendor. 5

Major Vormetric Data Security Benefits Reduced Administrative and Operational Costs Protects structured and unstructured data accessed by Linux, UNIX and Windows systems in physical, virtual and cloud environments Complete encryption solution includes integrated key management that avoids the cost of acquiring and managing HSMs and third-party key management software typically needed for TDE Reduced Risk through a Unified Data Security Solution Controls privileged user access (System Administrators, etc) and allows them to perform tasks without exposing sensitive data Single solution provides common policy framework for accessing both structured and unstructured data Rapid, Cost-Effective Deployment: Vormetric Data Security is transparent to user operations, applications, databases and storage operations High performance encryption maintains service level agreements Extensible Solution for Structured and Unstructured Data Vormetric Data Security can secure structured and unstructured data to satisfy rigorous audit requirements and provide comprehensive protection for sensitive data. While data at rest inside of the database can catch the attention of auditors, the data inserted into the database and extracted from the database can be of equal importance to the auditor validating security. Vormetric can protect sensitive data residing in reports, spreadsheet extracts, archives, Extract-Transform-Load (ETL) data or pdf files. Hackers and rogue employees can use such data stored outside of the database to obtain sensitive information. Vormetric can evolve as your enterprise s security requirements evolve in ways that are not possible with native database encryption. While TDE can protect data within the database, Vormetric can protect data inside and outside of the database on all major operating systems including Windows Linux and and Unix (AIX, HP-UX, and Solaris) irrespective of whether the server is physical, virtual or in the cloud. One Solution for All Databases Vormetric Data Security minimizes administrative overhead and support burdens with a single key and policy management console providing a secure, easy method of administering encryption keys. This enables organizations using databases from different vendors to establish consistent and common best practices for managing the protection of both structured and unstructured data. The Vormetric approach provides for a single console to establish policies and manage database encryption across all database platforms, from Oracle to SQL Server to MySQL to DB2. Operational Efficiency through Encryption Key & Policy Management Vormetric Data Security provides secure key management along with granular and configurable auditing and reporting of access requests to protected data, as well as changes to policies and keys. The system s audit management reduces audit scope, integrates with existing Security Information & Event Management (SIEM) solutions, and aids compliance with industry and regulatory practices regarding the handling and protection of private and confidential information. Exceptional Performance Benchmarking from a variety of customers has demonstrated the Vormetric solution provides superior performance over native database TDE. Vormetric performs encryption and decryption operations at the optimal location of file system or volume manager and consequently minimizes performance overhead. Vormetric s extensive OS and filesystem expertise provides for the best possible system performance while minimizing the encryption CPU requirement. 6

Future-proofed Transparent Encryption IT infrastructure and security is changing at a rapid pace with a steady flow of new applications and evolving compliance mandates. To maximize their return on IT investments, enterprises need data protection solutions that can evolve as their requirements change. The solution for protecting a database today might expand to include different vendor databases or big data in the future. Vormetric Data Security functions at the operating system level to encrypt data irrespective of database version or functionality. Vormetric can encrypt legacy databases, today s current version, and tomorrow s future data repository to grow as your enterprise grows. Conclusion The data within enterprise databases is the lifeblood that permits efficient operations and the sensitive information such databases hold frequently requires protection. An optimal solution to securing database information needs to provide operational efficiency and robust security. While TDE can appear to solve an immediate data security hole, a careful evaluation of technology alternatives can ensure that your business also selects an approach that minimizes operational costs and maximizes business flexibility as business requirements change. Vormetric enables operational efficiency with a single solution protecting both structured and unstructured data combined with integrated key management. Unlike TDE which secures a single vendor s database and lacks significant key management, Vormetric delivers manageable data security for complex, heterogeneous environments and can evolve as enterprise requirements change. With Vormetric Data Security, enterprises can transparently protect their data today with the extensibility to evolve to meet tomorrow s needs for encrypting data in different vendor databases and also secure unstructured data. Vormetric enables your business to minimize operational costs of securing data while providing the flexibility to evolve as your data protection requirements evolve. About Vormetric Vormetric is the leader in enterprise encryption and key management for physical, virtual and cloud environments. For more information, please call (888) 267-3732 or visit www.vormetric.com. Copyright 2011 Vormetric, Inc. All Rights Reserved. Vormetric is a registered trademark of Vormetric, Inc. in the U.S.A. and certain other countries. All other trademarks or registered trademarks, product names, company names and logos cited are the property of their respective owners. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information