Increasing security breaches are making security get more attention and budget than ever. Data encryption is, along with authentication, authorization and audit, one of the 4 pillars of database security.
Photo credits: istock CrulUA
Fortalecer la seguridad de la databaseA database is an organized set of information that allows you to store, Manage and retrieve data efficiently. Used in various applications, from enterprise systems to online platforms, Databases can be relational or non-relational. Proper design is critical to optimizing performance and ensuring information integrity, thus facilitating informed decision-making in different contexts.... necesita experiencia técnica y privilegios elevados. Many aspects of database security require different utilities, system procedures and command implementation. But when users require access to multiple databases on multiple servers, distributed in different physical locations, database security gets even more complicated. Cualquier measureThe "measure" it is a fundamental concept in various disciplines, which refers to the process of quantifying characteristics or magnitudes of objects, phenomena or situations. In mathematics, Used to determine lengths, Areas and volumes, while in social sciences it can refer to the evaluation of qualitative and quantitative variables. Measurement accuracy is crucial to obtain reliable and valid results in any research or practical application.... de seguridad que se tome a nivel de usuario deberá repetirse en cada una de las bases de datos and there is no central repository where it is easy to modify and delete user security settings.
What is data encryption?
From a high-level point of view, database security comes down to responding 4 questions:
- Who is it? -> User authentication
- Who can do it? -> Authorization to users
- Who did it? -> Audit
- Who can see it? -> Data encryption
Encryption is the procedure of obfuscating data through the use of a key or password that guarantees that those who access it without the proper password, can't find any use in them. since it is impossible to decipher its content. As an example, in the event that the database host computer was misconfigured and confidential data was obtained by a hacker, that stolen information would be totally useless if it was encrypted.
When considering data encryption, you should pay attention that:
- Encryption does not solve access control problems.
- This option improves security by limiting data loss even if those controls were bypassed.
These limitations are covered by another technique, the of data masking, which for this purpose does offer greater security coverage.
Data encryption key management
Encryption in a database can be applied to:
- Stored Procedures.
For data encryption to be effective, when managing it, attention should be paid 4 keys:
a strategy.
Data encryption is not as effective if it is not understood as part of an information security strategy. In this plan, key management should be at the center of the organization's IT security infrastructure, since encryption is unbreakable. The key management system becomes a natural target for those looking for a way to access the company's informational assets... Some of the best practices are:
- Avoid using software for key storage and replace it with hardware.
- Keep a hard copy of the paper security policies.
- Don't forget the relevance of security audits.
b) Authentication.
The threat comes from within in more cases than imaginable and, therefore, must authenticate administrators and ensure separation of duties. Don't be too trusting since even a physically secure key management system can be compromised if the administrator's access controls are not strong enough. In this aspect, institutions should:
- Find alternatives to increase the reliability and strength of authentication techniques for administrators.
- Employ different administrator access controls for encrypted data and provide controllers with access to keys.
c) Automation.
There are more and more keys, more passwords and, instead of strengthening security, may be weakened by increasing complexity, if this implies the appearance of errors. Automating key management tasks saves costs and increases information protection, an easy-to-apply solution, since most password management tasks focus on established procedures.
This decision guarantees very good results and Exceptions should only apply, in the case of emergency situations or when it is an urgent request for access to data.. In these kinds of circumstances, a comprehensive key management strategy should be used, to facilitate the location of passwords for backups created weeks, months or several years before.
d) Record.
Keeping a log of key management activities is essential to avoid potential problems from key destruction. Habitually, devices containing sensitive information deteriorate until they become unusable. Despite this, this status does not imply that they are no longer a potential source of data loss.. The physical destruction of the hardware cannot destroy the information it contains and, for that purpose, data encryption provides a highly effective means of ensuring the protection of company information assets since, destroying the key is effectively destroying the data.
The trade-off is that, anyway, It is imperative that the organization can demonstrate that every copy of the key that was made has been destroyed, and should be able to prove it, something that is only feasible when you have a strong audit trail. To avoid the consequences of the loss of data or keys, it is necessary to act on three levels:
- Do good key management.
- Maintain a record that allows the monitoring of all activities in connection with key management.
- Never forget to destroy the key when you want to permanently erase the associated data.
