Encrypting databases for confidentiality

Abstract

The concept of enterprise information security is related to who is allowed to access information and what they can do (such as, read, write and execute privileges) with that information in various forms. Whatever the form the data is in, such as data in use, data in transit and data at rest, the restrictions on access should be considered before anything else. Confidentiality means keeping the right person in, and wrong person out. Unfortunately, there is no fool-proof mechanism to control against an unauthorized access when it comes to internal users with powerful privileges (such as, a system administrator or a database administrator (DBA)). Access to enterprise information must be planned and limited for a variety of users, whether external and internal, for a variety of reasons. Among these groups, internal users with powerful privileges are the most difficult to manage from an access point of view. Because of their jobs, these type of users will always have an easy access to any type of data in the system. Since there is no such thing as a foolproof access control for these type of users, in this paper we recommend the consideration of the data encryption as the second line of defense. Unfortunately, the encryption of a database as a whole creates additional performance issues. To avoid the performance related issues, the possibility of encrypting selected components of a database, such as rows, columns or even cells should be considered to protect the data from unauthorized accesses.