Data privacy has senior management visibility because organizations are required to minimize the risk of sensitive data, such as customer payment information or health records, being exposed through fraud or data breaches. Complying with the growing set of data privacy standards and regulations, including CCPA, PCI DSS, GDPR, and HIPAA, is an ever-changing challenge that requires consistent policies and tools that work across the enterprise.
Securing data at the file system level, or in PCI terms ‘data-at-rest’, is possible through encryption by the storage hardware, the operating system, the database server or the application. Encryption performed by the database server, as seen in Oracle, SQL Server, and DB2, is known as transparent data encryption (TDE). Postgres today does not have native TDE capability.
CipherTrust, from leading enterprise data security provider Thales, secures data-at-rest without requiring changes to the database or associated applications. The solution also includes Vormetric Data Security Manager (DSM), which provides a unified, centralized platform for managing encryption keys and policies across an enterprise’s storage, databases and applications.
EDB has partnered with Thales to bring this security solution to EDB Postgres Advanced.
Validated Support
Before announcing the joint solution to our customers, EDB and Thales put it through a validation process. The goal was to prove that the granular, least-privileged user access policies of Vormetric Transparent Encryption (VTE) worked as expected with EDB Postgres Advanced Server, and to see auditing and encryption key management in operation.
My colleagues Tushar Ahuja and Rajkumar Raghuwanshi have blogged details of the validation effort, along with the performance impact on our sample application with the solution enabled. As the saying goes, performance will vary with your specific workload. Overall, we were pleased with the results.
Getting Started
Implementing the CipherTrust solution requires the following components:
1. EDB Postgres Advanced installed and in operation.
2. Vormetric Data Security Platform (DSM) installed and operational.
3. A VTE agent on the Postgres host registered to the DSM.
A good resource from Thales is the Vormetric Guide: VTE Implementation for Postgres.
Peace of Mind
If you follow the best practice of layering protections to secure data from attack, including VTE enables you to answer data-at-rest security concerns. If you are already using Thales to manage data security policies in your enterprise, this validated solution enables you to extend your implementation to include EDB Postgres Advanced Server. The Thales and EnterpriseDB partnership gives you the peace of mind that your Postgres data is secure and supported.
Additional Resources
VTE and EDB Postgres Advanced Server Solution Brief
Enhanced security for EDB Postgres Advanced Server with Vormetric Data Security Platform
Vormetric Guide: VTE Implementation for Postgres
Product webpage: Vormetric Transparent Encryption
Vormetric Data Security: Complying with PCI DSS 3.0 Encryption Rules
Creating a multi-layered security architecture for your database
Postgres and Transparent Data Encryption (TDE)
Thales eSecurity Partners: EnterpriseDB