Securing Data Storage: Protecting Data at Rest
Advanced Systems Group, Dell Computer Asia Ltd.

Database Vulnerabilities
The growth of eBusiness results in more and more sensitive data being stored in corporate databases:
• Credit card numbers
• Account numbers
• Passwords
• User profiles

Data is exposed to internal intruders:
• The complete set of data is available
• Sensitive data are stored in clear text
• Logically related data are physically stored together
• It is easy to correlate sensitive data with public data without any knowledge of the data storage format

Problems of Basic Database Security
Database security cannot protect sensitive data against:
• Attacks that bypass the database engine
• Unauthorized access to data files
• Abusive use of shared passwords
• Dictionary attacks on user passwords
• DBA access

Ways to Secure Data Storage
• Application-level encryption: use of security APIs to encrypt data before saving it to the database
• Database encryption: software that tightly integrates with the database to provide encryption, transparent to the application

Overview of Data Storage Protection with Database Encryption
Transform the existing schema into two layers:
• Logical view
• Physical table
Writes flow View -> encrypt data -> Table; reads flow Table -> decrypt data -> View.
• Data is encrypted at rest in the data files
• Intruders only see unintelligible text

[Diagram: Applications issue SQL queries against the Database; the View exposes Public Data and Private Data over the Table, with Private Data passing through Encrypt/Decrypt; the application authenticates against an Authentication/Authorization Server.]

Advantages of Using Database Encryption Software
Application transparent:
• Preserves the logical schema
• Existing SQL queries continue to run
• No re-coding required for legacy applications
Access control can be based on existing database security:
• No need to set up and maintain a separate security policy
• Existing users continue to have the same data access rights

Considerations – Index Searching
Support for index searching:
• Building an index on encrypted data
• Unable to do wildcard search or < / > comparison, since ciphertext cannot preserve order
• It is important to select software that can solve the searching problem

Considerations – Key Management
Fine-grained security control:
• Key diversification
• Different encryption keys for different users, tables and columns
• Data copied through illegal means to another schema cannot be decrypted
• Reduces risk exposure if an encryption key is compromised

Considerations – Key Management
Flexible key management:
• Key rollover
• Multiple key versions can co-exist
• Decryption uses the key version with which the data was encrypted
• Encryption always uses the latest version
• Data can be re-encrypted over time

Considerations – Encryption Methods
Software-based encryption
Hardware-based encryption:
• Use tamper-resistant hardware
• Hardware Security Module (HSM)
• Secure token: smart card or USB token, storing a digital certificate
• Hardware accelerator to speed up cryptographic operations
• RSA private key never exposed outside the hardware
• Encryption keys remain protected even if the database is stolen

Question & Answer
Thank you for your time.
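The view-over-table design from the Overview slide and the two Key Management slides (per-column key diversification, co-existing key versions, latest version for encryption, re-encryption over time) can be exercised end to end on sqlite3. The following is an added illustration written for this page, not the vendor's product or any real database-encryption software. Everything in it is an assumption: the table and column names (`customers_t`, `customers`, `card`), the constructed master keys, and the cipher itself, which is an HMAC-SHA256 counter-mode keystream with an HMAC tag chosen only so the example runs on the Python standard library; production code would use a vetted AEAD such as AES-GCM.

```python
"""Two-layer schema (logical view over an encrypted physical table) with
per-column key diversification and versioned key rollover, on sqlite3.
Added illustration, not the vendor's product. The cipher is an HMAC-SHA256
counter-mode keystream plus an HMAC tag, used only so the example runs on
the standard library; production code would use a vetted AEAD (AES-GCM)."""
import hashlib
import hmac
import secrets
import sqlite3

# Constructed master keys, one per key version. A real deployment fetches
# these from a key server or HSM and never hard-codes them.
MASTER_KEYS = {
    1: b"version-1-master-key-32-bytes!!!",
    2: b"version-2-master-key-32-bytes!!!",
}
CURRENT_VERSION = max(MASTER_KEYS)

def derive_key(version, table, column):
    """Key diversification: one key per (version, table, column), so a
    ciphertext copied into another schema cannot be decrypted there."""
    label = f"{table}.{column}".encode()
    return hmac.new(MASTER_KEYS[version], label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        block = b"ks" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key version or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def open_protected_db():
    """Physical table customers_t holds ciphertext plus the key version it
    was written with; the view 'customers' presents the logical schema."""
    conn = sqlite3.connect(":memory:")
    # Encryption always uses the latest version; decryption uses the
    # version stored beside the row, so several versions can co-exist.
    conn.create_function("enc_card", 1, lambda s: encrypt(
        derive_key(CURRENT_VERSION, "customers", "card"), s.encode()))
    conn.create_function("dec_card", 2, lambda b, v: decrypt(
        derive_key(v, "customers", "card"), b).decode())
    conn.create_function("cur_ver", 0, lambda: CURRENT_VERSION)
    conn.executescript("""
        CREATE TABLE customers_t (id INTEGER PRIMARY KEY, name TEXT,
                                  card_enc BLOB, key_ver INTEGER);
        CREATE VIEW customers AS
            SELECT id, name, dec_card(card_enc, key_ver) AS card FROM customers_t;
        CREATE TRIGGER customers_ins INSTEAD OF INSERT ON customers BEGIN
            INSERT INTO customers_t (id, name, card_enc, key_ver)
            VALUES (NEW.id, NEW.name, enc_card(NEW.card), cur_ver());
        END;
    """)
    return conn

def rekey_stale_rows(conn):
    """Key rollover: re-encrypt rows still under an older key version."""
    stale = conn.execute("SELECT id, card_enc, key_ver FROM customers_t WHERE key_ver < ?",
                         (CURRENT_VERSION,)).fetchall()
    new_key = derive_key(CURRENT_VERSION, "customers", "card")
    for row_id, blob, ver in stale:
        plain = decrypt(derive_key(ver, "customers", "card"), blob)
        conn.execute("UPDATE customers_t SET card_enc = ?, key_ver = ? WHERE id = ?",
                     (encrypt(new_key, plain), CURRENT_VERSION, row_id))
    return len(stale)

def demo():
    conn = open_protected_db()
    # A legacy row written under key version 1 (constructed history).
    conn.execute("INSERT INTO customers_t VALUES (1, 'alice', ?, 1)",
                 (encrypt(derive_key(1, "customers", "card"), b"4111111111111111"),))
    # An unchanged application statement against the logical schema.
    conn.execute("INSERT INTO customers (id, name, card) VALUES (2, 'bob', '5500000000000004')")
    logical = conn.execute("SELECT id, name, card FROM customers ORDER BY id").fetchall()
    # What someone reading the data file sees: the BLOB, never the number.
    raw = conn.execute("SELECT card_enc FROM customers_t WHERE id = 1").fetchone()[0]
    rekeyed = rekey_stale_rows(conn)
    versions = [v for (v,) in conn.execute("SELECT key_ver FROM customers_t ORDER BY id")]
    return {"logical": logical, "raw_leaks": b"4111111111111111" in raw,
            "rekeyed": rekeyed, "versions": versions,
            "after": conn.execute("SELECT card FROM customers WHERE id = 1").fetchone()[0]}
```

`demo()` shows the three properties the slides claim: the application's `INSERT`/`SELECT` against `customers` is unchanged, the physical row holds only ciphertext and a key version, and `rekey_stale_rows` moves old rows to the current key without touching the logical schema. Because the key is diversified per table and column, a `card_enc` blob copied into another table fails the tag check in `decrypt` rather than decrypting.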
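The Index Searching slide notes that an index on ciphertext cannot serve wildcard or `<`/`>` queries because ciphertext does not preserve order, and that the chosen product must address searching somehow. One common answer for exact-match lookups is a keyed "blind index": a deterministic HMAC of the normalized value stored in its own indexed column. The following is an added example for this page, not the vendor's product; the table and column names, the constructed `INDEX_KEY`, and the placeholder `card_enc` values (which a real encryption layer would fill with ciphertext) are all assumptions.

```python
"""Keyed 'blind index' for equality search over an encrypted column.
Added example, not the vendor's product. The index column stores
HMAC-SHA256(index_key, normalized value) truncated to 16 bytes; the
application looks a value up by recomputing the tag. The ciphertext column
is assumed to be filled by the encryption layer and is a placeholder here."""
import hashlib
import hmac
import sqlite3

# Constructed index key. It must be independent of the data-encryption key
# so that nothing learned from the index helps recover ciphertext.
INDEX_KEY = b"separate-blind-index-key-32-byte"

def normalize_card(value):
    # Canonical form before hashing: '4111 1111 1111 1111' and
    # '4111111111111111' must index to the same tag.
    return "".join(ch for ch in value if ch.isdigit())

def blind_index(value, key=INDEX_KEY):
    # Truncation keeps the index small; a collision only adds a candidate
    # row that the application discards after decrypting the real column.
    return hmac.new(key, normalize_card(value).encode(), hashlib.sha256).digest()[:16]

def open_indexed_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers_t (id INTEGER PRIMARY KEY, name TEXT,
                                  card_idx BLOB, card_enc BLOB);
        CREATE INDEX customers_card_idx ON customers_t (card_idx);
    """)
    return conn

def insert_customer(conn, cid, name, card, card_enc):
    conn.execute("INSERT INTO customers_t VALUES (?, ?, ?, ?)",
                 (cid, name, blind_index(card), card_enc))

def find_by_card(conn, card):
    """Exact-match lookup served by the B-tree index on the tag."""
    return conn.execute("SELECT id, name FROM customers_t WHERE card_idx = ?",
                        (blind_index(card),)).fetchall()

def query_plan(conn):
    """Shows that the equality lookup is an index search, not a table scan."""
    rows = conn.execute("EXPLAIN QUERY PLAN SELECT id FROM customers_t WHERE card_idx = ?",
                        (b"\x00" * 16,)).fetchall()
    return " ".join(str(r[-1]) for r in rows)

def demo():
    conn = open_indexed_db()
    # card_enc values are constructed placeholders for real ciphertext.
    insert_customer(conn, 1, "alice", "4111 1111 1111 1111", b"<ciphertext-1>")
    insert_customer(conn, 2, "bob", "5500000000000004", b"<ciphertext-2>")
    return {
        "hit": find_by_card(conn, "4111111111111111"),
        "miss": find_by_card(conn, "4111111111111112"),
        "plan": query_plan(conn),
    }
```

The tag column answers only `=` lookups: it preserves neither order nor prefixes, so range and `LIKE` queries against it return nothing meaningful, which is exactly the limitation the slide describes. The trade-off is that a deterministic tag reveals which rows share a value; keying it with a separate `INDEX_KEY` and normalizing input keeps that leakage to equality alone.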