Businesses handle an enormous amount of data. All of this data is stored in hundreds or even thousands of databases, so it’s impractical for a database administrator to oversee the security of these databases with only basic access control functions. Instead, businesses are realizing that data encryption is a must-have component to their existing cyber security strategies. DB encryption ensures that a database is being protected even if hackers somehow replicate the database or move it to another location.
While critical to a business’s cyber security strategy, DB encryption isn’t always deployed by businesses. But thankfully, there is a positive trend occurring: in the past few years database encryption usage among businesses in the US has risen from 42% to 61%. This blog post will address five misconceptions that put to rest some concerns businesses may have before implementing DB encryption.
1. I use SSL so I don’t need DB encryption
SSL involves encrypting communication between a web user and web browser, but does not take into account data that is at “rest,” or data that is stored in a database. In other words, SSL ensures secure connection for the data that is in motion (at the time that requests are being made to the web browser). SSL is important for encrypting web traffic but there is also unprotected data that is being stored either on a disk or database which SSL does not take into account and therefore needs added protection.
2. If I use DB encryption, database performance will degrade
The performance of a database is determined by multiple factors such as excessive indexing and inefficient memory allocation. While businesses may be reluctant to incorporate database encryption into their existing security deployments due to performance or latency concerns, businesses should be reminded that it really depends on the type of DB encryption solution a business decides to utilize, whether that be file-level or column-level encryption. Typically, file-level encryption is the least resource intensive and has the least effect on the overall performance of a database.
3. Encrypting the database is enough protection for my website
Even if the security of a database is compromised, the database will be protected if the information inside is encrypted. But this doesn’t mean that the website itself will be safe should it come under attack. Thankfully, with no access to the decryption key, a hacker cannot read files that are encrypted in a stored database. Businesses can rest assured that their most sensitive data is being protected. However, the website can still be brought down by attacks. In order to protect web applications (i.e. websites) an additional security solution will be needed.
4. DB encryption and key management requires hardware appliances, which is inconvenient
These days it’s pretty common for key management solutions to be available in a variety of both hardware and cloud platforms. But it mostly depends on where a business may be storing company data or what kind of needs they have. Not all businesses have their own data center. Instead, many rely on some kind of Software-as-a-service (SaaS) solution, removing the need to rely on hardware appliances. Therefore, it’s less likely that the traditional key management solution is implemented internally.
5. DB encryption is too complicated and requires modifications to my current operating system
Once a business answers basic questions like what kind of data needs to be encrypted and who should have authorized access to it, database encryption should not be complicated. Encryption is made easy thanks to the readily available tools in the market that cater to the needs of each business. There are plenty of DB encryption solutions that reside beneath the application layer, thereby eliminating the need to make modifications to a business’s operating system or storage. If an encryption engine is supplied for example, then no source code changes to the database environment or application are required.
Businesses should not shy away from using DB encryption due to these common misconceptions. DB encryption is not so much of a trend than it is a security necessity for all businesses. The drivers for using database encryption come down to compliance requirements and businesses recognizing the need to protect specific data types. So whether it’s to meet industry standards or to safeguard sensitive information, DB encryption is here to stay.