Date post: | 21-Dec-2015 |
Category: |
Documents |
View: | 214 times |
Download: | 0 times |
Database Vulnerabilities
Growth of eBusiness results in more and more sensitive data stored in corporate databases.• Credit card number• Account number• Password• User profile
Data is exposed to Internal Intruders• Complete set of data• Sensitive data are stored in clear text• Logically related data are physically
stored together• Easy to correlate sensitive data with
public data without knowledge of data storage format
Database security cannot protect sensitive data against:• Attacks that bypass the database engine• Unauthorized access to data files• Abusive use of shared password• Dictionary attack on user password• DBA access
Problems of Basic Database Security
Ways to Secure Data Storage
• Application level Encryption, use of security APIs to encrypt data before saving to database
• Database Encryption – software that tightly integrate with database to provide encryption, transparent to application
Overview of Data Storage Protection with Database Encryption
Transform existing schema to two layers:• Logical view• Physical table
View -- encrypt data TableView decrypt data -- TableData encrypted at rest in data files
• Intruders only see unintelligible text
Applications
View
Database Table
Public Data Private Data
Public Data Private Data
AuthenticateSQL Queries
AuthenticationAuthorization
Server
Encrypt
Decrypt
Advantages of Using Database Encryption Software
Application Transparent• Preserves logical schema• Existing SQL queries continue to run• No re-coding required for legacy applications• Access control can be based on existing
database security• No need to set up and maintain a separate security
policy• Existing users continue to have the same data access
rights
Considerations – Index Searching
Support for Index Searching• Building index on encrypted data• Unable to do wildcard search, < or >
comparison since ciphered text cannot preserve order
• It is important to select software that can solve the searching problem
Considerations - Key Management
Fine Grain Security Control• Key Diversification
• Different encryption key for different users, tables, columns
• Data copied through illegal means to another schema cannot be decrypted
• Reduce risk exposure if encryption key is compromised
Considerations - Key Management
Flexible Key Management• Key Rollover• Multiple Key versions can co-exist• Decryption uses the key version with
which the data was encrypted• Encryption always uses the latest version• Data can be re-encrypted over time
Considerations - Encryption Methods
Software Based EncryptionHardware Based Encryption
• Use tamper resistant hardware• Hardware Security Module (HSM)• Secure Token
• Smart card• USB token
• Store digital certificate• Hardware Accelerator to speed up cryptographic
operations• RSA private key not exposed outside hardware• Encryption keys protected even Database stolen