Is Your Data Secure with Encryption At-Rest and In-Transit?

Summary:

  • Many security assessments ask a simple question: is your data encrypted at-rest and/or in-transit? The question rests on the widely held misconception that once data is encrypted at-rest and in-transit, it is safe and secure.
  • Technologies like Transparent Data Encryption (TDE) are implemented to meet the encryption at-rest requirement, and Transport Layer Security (TLS, aka HTTPS) is implemented to meet the encryption in-transit requirement, but both leave open vulnerabilities in data protection. That’s why so many data breach incidents still occur every day, even though technologies like TDE and TLS are widely adopted.

In the evaluation of data security solutions, there are generally two important dimensions to consider to establish the fit for the security solutions that you are choosing:

  • What (or how many) attack vectors does the solution protect against?
  • How seamless is the solution to integrate into my current environment?

Transparent Data Encryption is one way to encrypt the data in your database to protect it against certain attack vectors. One of the nice elements of TDE is how simple it is to integrate: you simply turn on the function and your data is encrypted at the file system level (encrypted at-rest). Where it woefully falls short is the number of likely attack vectors it protects against. Essentially, TDE encrypts the data as it sits on the physical storage devices. However, the moment the data is read by the database engine, it is decrypted and held in memory in the clear, and any query made with valid database credentials returns plaintext. So TDE is really protecting against someone stealing your physical storage devices or taking an image of them, but that is not a common attack vector these days.

IT departments often rely on TLS connections to cover the encryption in-transit requirement; however, this leaves open all the vulnerabilities related to memory-based (zero-day, worm, etc.) attacks. TLS protects the data on the wire, not at the endpoints where it is decrypted. When network security controls or account credentials are compromised via spear phishing or any other hacking technique, the sensitive data can be exfiltrated even with TLS in use. While TLS meets the minimum bar of an “encrypted in-transit” requirement, that does not mean your data is fully protected.

At the end of the day, what is needed is a data security system that keeps sensitive data encrypted all of the time, in the most seamless manner possible for today’s applications. The data should be decrypted only when it is needed by an authorized user and should be encrypted at all other times. When this is done in an application-friendly manner, it integrates seamlessly with existing IT environments while protecting against the most attack vectors possible (including insider and spear phishing compromises).
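The following is an added example, not code from the original post: a small model of the three cases discussed above (stolen storage, stolen database credentials, and an unauthorized application user) under TDE-style storage encryption versus application-level encryption, where the database engine never holds the data key. The cipher is a stand-in built from the standard library (HMAC-SHA256 keystream plus an HMAC tag) so the script runs offline; real systems would use AES-GCM from a vetted library. The database classes, the sample record and the user names are constructed for illustration. Note that TLS changes nothing in any of these cases, since every read here happens at an endpoint after the connection has been decrypted.

```python
import hashlib
import hmac
import os

# Constructed sample record; any sensitive field would do.
SECRET = b"4111-1111-1111-1111"


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject tampered or foreign ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class TdeDatabase:
    """Storage-level (TDE-style) encryption: the engine holds the key and decrypts every read."""
    def __init__(self, disk_key: bytes):
        self._disk_key = disk_key
        self.disk = {}  # models the bytes on the physical storage device

    def insert(self, row_id: str, value: bytes) -> None:
        self.disk[row_id] = encrypt(self._disk_key, value)

    def query(self, row_id: str) -> bytes:
        # Anyone with database credentials gets the decrypted value back.
        return decrypt(self._disk_key, self.disk[row_id])


class PlainDatabase:
    """Engine with no data key at all; the application hands it ciphertext."""
    def __init__(self):
        self.disk = {}

    def insert(self, row_id: str, value: bytes) -> None:
        self.disk[row_id] = value

    def query(self, row_id: str) -> bytes:
        return self.disk[row_id]


class Application:
    """Application-level encryption: decrypts only for an authorized user."""
    def __init__(self, data_key: bytes, authorized_users: set):
        self._data_key = data_key
        self._authorized = authorized_users

    def store(self, db: PlainDatabase, row_id: str, plaintext: bytes) -> None:
        db.insert(row_id, encrypt(self._data_key, plaintext))

    def read(self, db: PlainDatabase, row_id: str, user: str) -> bytes:
        if user not in self._authorized:
            raise PermissionError(f"{user} is not authorized to read {row_id}")
        return decrypt(self._data_key, db.query(row_id))


def compare() -> dict:
    """Return, for each scenario, whether the plaintext is exposed (True) or not (False)."""
    tde = TdeDatabase(os.urandom(32))
    tde.insert("row1", SECRET)
    plain = PlainDatabase()
    app = Application(os.urandom(32), {"alice"})
    app.store(plain, "row1", SECRET)

    results = {
        "tde_stolen_disk_exposes": SECRET in tde.disk["row1"],
        "tde_db_credentials_expose": tde.query("row1") == SECRET,
        "app_db_credentials_expose": plain.query("row1") == SECRET,
        "app_authorized_user_reads": app.read(plain, "row1", "alice") == SECRET,
    }
    try:
        app.read(plain, "row1", "mallory")
        results["app_unauthorized_user_reads"] = True
    except PermissionError:
        results["app_unauthorized_user_reads"] = False
    return results


if __name__ == "__main__":
    for scenario, exposed in compare().items():
        print(f"{scenario:32s} {'EXPOSED' if exposed else 'protected'}")
```

Running it shows the gap the post describes: with TDE, a stolen disk image yields ciphertext but a stolen database login yields plaintext; with application-level encryption, both the disk and the database engine only ever see ciphertext, and the key is applied for an authorized user alone. The authentication tag also matters in practice, since a storage-level compromise could otherwise modify ciphertext without detection.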

TDE really is the most seamless implementation of encryption for achieving the encryption at-rest requirement. However, it does not provide much protection against the real attack vectors in use today. And while TLS often meets the minimum requirement for protecting data in-transit, it too leaves open a number of known vulnerabilities related to insider and spear phishing attacks. A true data security platform keeps the data encrypted all the time, up until an authorized user needs to see it. This is the only method that will close the gap on the remaining data security vulnerabilities while keeping implementation costs low.