Given their role as a repository for sensitive data, it is critical for organizations to secure their databases. Headlines regularly feature data breaches perpetrated by hackers using any number of highly effective methods. Recent history has shown that these breaches grow and become more severe with each passing year. Yet, threats exist internally to each organization where security professionals prepare for the risks posed by those internal to their organizations who hold privileged access to infrastructure, applications and systems.
Data Security Compliance
All of this exists in conjunction with the varied regulatory obligations that these organizations face on this data. Not only must they take steps to secure specific categories of data, they must also have records that show both how they are securing their data and that the security is effective. In attempts to keep up with the pace of change, new regulations continue to emerge from the EU’s GDPR to more recent legislation like California’s CCPA, India’s DPB, and Brazil’s LGPD. Sum total: this is no small feat for any individual or organization.
Using Encryption as a Secret Weapon
While effective database security will involve a range of solutions, one fundamental tool that security teams have in their toolbox is data-at-rest encryption. To be more specific, data-at-rest encryption backed by access control policies. Encryption uses a specific secret known as a key to transform data into an unreadable state. The only way for a user to return the data to a readable state—or decrypt it—is to have access to that specific secret or key. By virtue of protecting the encryption key, the security team will protect their secured data.
The catch is that this security is binary by nature. Either a user or process has access to a key or it does not. So, all attention turns to the key; this is where access controls become important. With access controls, the question is no longer, “is the key available” but “to whom, when, and with what tool is the key available.” From there, security professionals have far greater control of their data, and greater confidence that their data is safe.
Organizations define policies to determine data access. They can define that certain applications have access to the encryption key to read and write data, while other applications—say for analytics—can only read data. These policies can specify that a system administrator can back-up or restore a database, without ever being allowed the necessary key access to read data in cleartext. These controls allow organizations to narrow access to the data according to principles of least privilege without impeding how operations and job functions come together. In practice, it’s also important to note that effective controls remain transparent to end-users or processes and do not adversely impact operations.
Many encryption solutions involve both an encryption client and a key management server. The client sits in the location where encryption and decryption operations are to take place. Generally, access policies are defined on the key manager and then pushed to the respective clients. Each time data is requested, the request is compared against the policies and granted or denied according to those definitions. Often these key managers integrate with user directories such as Active Director or LDAP so that it is possible to use existing user profiles to define access according to process, job function or area of responsibility.
What Enhanced Security Really Means
Why is defining policies valuable? Though the inner-workings of these clients and key managers are complex, the end user’s experience is seamless. For many solutions, agents can deploy without requiring changes to application or database architectures. This allows them to operate normally and for all users to proceed with their functions as they would in their daily routines.
Access control policies do more than just provide additional protection against hackers; they also help organizations protect their sensitive data from administrators from abusing privileges that may be necessary for their job function. Access policies can define that an administrator may have access to all of the infrastructure that they need to monitor without having access to the data in cleartext formats. These policies allow for separation of duties that ensure proper security.
Because these clients monitor data access, they collect important information on who is accessing data, when they are accessing it, and in many cases, how. When captured in aggregate, this information offers security personnel incredible visibility into who is using data and how. This information is usually captured in logs that then become the basis for much of an organization’s compliance reporting.
In the case of a client-side agent, it can provide information on data access. Whereas, in the case of the key manager, it can provide information and logs on encryption key usage, creation, deletion as well as on the policies that are associated with those actions and keys.
Organizations have the ability to export this information into their SIEM platforms or risk management tools to maintain their visibility of their data and its security. Many regulations specify data control as an obligation; these logs become the basis for demonstrating that control.