Tamperproof Database Encryption
Database Encryption and Column-level Privacy Controls
Hackers love databases: information is the lifeblood of the digital economy and databases concentrate information. It is not a secret that data breaches are rapidly increasing with no shortage of unscrupulous actors being attracted by the allure of high potential payouts with low physical risk.
Naturally, database protection is now a high priority and for organizations that simply want to tick the ‘database encrypted’ box there are many options including database-native Transparent Data Encryption (TDE) from vendors such as Oracle and Microsoft.
For customers who want to get serious about protecting their data assets, Randtronics DPM offers a systemic approach to data privacy management. It includes an all-encompassing form of TDE that protects both databases and every other location (database servers, file stores, app servers, laptops) where sensitive data is stored, along with an easy upgrade path to enterprise key management and data spoofing (encryption, tokenization, masking, pseudonymization and anonymization) to protect data-at-rest stored on-premise, in-cloud or within containers.
Transparent Data Encryption (TDE) as provided by database vendors (Native TDE) protects internal data but does not protect the environment supporting the database structure:
- Echoes and traces of database records and activities are created and stored on the database server and shared with other devices such as file servers, cloud storage and laptops.
- Native TDE protects the internal database contents; protecting anything outside of the database is somebody else’s problem.
- Sophisticated attackers can dumpster-dive database, web app and file servers for data copies stored in reports, test or analytics systems.
- Privileged DBA accounts (if compromised) can extract or change data and cover their tracks by altering log files.
- Privileged Sys Admin accounts (if compromised) can copy entire databases, along with their TDE encryption keys which are often stored as clear data on the same database server.
For organizations protecting highly sensitive information, this is equivalent to leaving sensitive reports in a non-secure environment and forgetting to shred documents before disposal.
Randtronics DPM easyCipher protects your sensitive data everywhere
For customers already using database-native TDE and wishing to further reduce their attack surface by extending TDE coverage beyond the database and enforcing role-separation – DPM easyCipher offers an easy to implement, simple to manage solution:
- Extend TDE coverage: protect encryption keys, log files, config files, application secrets, passwords, reports and file stores
- Enforce role-separation: place responsibility for data privacy control away from DB Administrators and Systems Administrators
- Easy to implement, simple to manage: no code changes or business process redesign required, and product administration requires minimal training
For customers using database-native TDE who now wish to tighten the protection of encryption keys and certificates whilst simplifying the management process, including hardware security module (HSM) key management (if present) – DPM easyKey offers scalable, enterprise key management.
For customers seeking to rationalize TDE technologies and skill sets – the DPM suite offers a standardized encryption solution for protecting data in any file store, multi-vendor databases or app servers – located on any platform:
- No-code TDE for all databases (Oracle, MS SQL Server, MySQL, Postgres, DB2, SAP Hana, any other database, agnostic to versions and editions), server-based file stores and laptops
- No-code column-level encryption and other field-level protections (FLP) for MS SQL Server, Oracle Database and flat files
- Low-code API protection for any field-level protection (FLP) for any application-database stored anywhere
Randtronics DPM easyCipher can assist easily without any code or business process changes.
DPM products enable customers to implement best-practice security guidelines for policy-based key management and policy-based data encryption.
For customers seeking to protect database contents at the column level, DPM also provides column-level encryption, tokenization, masking and anonymization.
DPM enforces access control and separation of duties and maintains a full audit trail.
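As an added illustration of the column-level privacy controls and audit trail described above (example code written for this page, not Randtronics' DPM implementation), the following Python sketch keeps a token vault and the audit MAC key outside the database, so that a compromised DBA account (see the native-TDE limitations listed earlier) sees only tokens and cannot silently rewrite the audit log. The roles "app" and "dba", the token format and the MAC key are assumptions.

```python
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64  # chain anchor for the first audit entry


class TokenVault:
    """Token vault kept with the key manager, off the database server (assumed design)."""

    def __init__(self):
        self._vault = {}  # token -> original value, never stored in the database

    def tokenize(self, value):
        token = secrets.token_hex(8)  # random token: reveals nothing about the value
        self._vault[token] = value
        return token

    def detokenize(self, token, role):
        if role != "app":  # DBA and sysadmin roles never receive plaintext
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._vault[token]


def mask(value, keep=4):
    return "*" * (len(value) - keep) + value[-keep:]  # masked view for reports/analytics


class AuditLog:
    """Hash-chained audit trail keyed by a MAC secret held outside the DBA's reach."""

    def __init__(self, mac_key):
        self._key = mac_key
        self.entries = []  # each entry: {"event": ..., "digest": ...}

    def _digest(self, prev, event):
        msg = (prev + json.dumps(event, sort_keys=True)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        self.entries.append({"event": event, "digest": self._digest(prev, event)})

    def verify(self):
        """Return the index of the first tampered entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(entry["digest"], self._digest(prev, entry["event"])):
                return i
            prev = entry["digest"]
        return -1
```

Editing or deleting any entry breaks every later digest, so `verify()` pinpoints where the log was altered even though the database host holds no key that could forge a replacement chain.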
Implementing effective encryption that locks down access to sensitive data everywhere does not have to be hard, nor require hard-to-source skills – Randtronics DPM runs on the same standard Windows/Linux/database operating environments (SOE) that are familiar to most IT organizations.
Randtronics DPM easyCipher provides:
- a multi-vendor database encryption solution that is simple to understand and implement enterprise-wide with minimal impact on query types or performance
- consistent policy-based encryption application to all databases, app servers, files-stores and laptops