Government and industry mandates coupled with the fear of a data breach have made it more important than ever for financial organizations to protect their data. Encryption can go a long way toward protecting that data. However, a broad "encrypt everything" strategy is rarely an effective one, as there are database and storage performance penalties for encrypting too much data.
For that reason, determining what data to encrypt and where to keep it is a vital early step in the encryption deployment process.
Before getting started with products, work with your organization's legal counsel to determine what data will be protected and where the protection should be located. Will data be protected both "in motion" and "at rest," or just in the database itself? Will all data or just some data be protected? If you have a storage area network (SAN), encrypting data in flight may be the best decision. If you are using database software that has an encryption option, that might be the best decision. It's possible your storage array already supports encryption.
Next, specifically establish a database encryption strategy. Determine which fields and columns contain sensitive information in need of encryption and then create policies that encrypt the data as it is modified in or transmitted from the fields and columns.
Encrypting only the fields that contain sensitive data is a wise best practice, as it will minimize the number of bytes encrypted and exact the smallest possible performance impact on your infrastructure.
When it's time to choose a technology, there are three distinct ways in which database encryption can be implemented:
Encryption implications
There may be no perfect choice when it comes to an encryption product. For instance, a network-attached encryption appliance, including those from Ingrian Networks, Vormetric or nCipher, resides on the network, where it houses the encryption keys and executes all the cryptographic operations. When a user requests encrypted data, the appliance manages the retrieval of the data, authenticates the user to the system and decrypts the data. Because all data flows through it on the way to the storage media, system performance may be affected.
Disk space is also an issue in database encryption, as encrypted data fields are larger than unencrypted fields. Encrypting only those fields that contain sensitive information may be the way to go, as the less data being encrypted, the smaller the performance penalty. Encrypting data with a separate appliance can also be a costly affair that adds administrative overhead to the network.
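To put numbers on the two points above (fewer bytes encrypted, and encrypted fields being larger than unencrypted ones), here is an added example that is not part of the original article. It assumes a field-level scheme of AES-CBC with PKCS#7 padding and a 16-byte IV stored with each value; the table, column sizes and function names are constructed for illustration.

```python
from dataclasses import dataclass

BLOCK = 16   # AES block size in bytes
IV_LEN = 16  # per-value IV stored next to the ciphertext (assumed scheme)

@dataclass(frozen=True)
class Column:
    name: str
    avg_bytes: int   # average plaintext size of one value
    sensitive: bool  # result of the data classification step

def encrypted_len(plain_len: int) -> int:
    """Stored size of one value under AES-CBC + PKCS#7 with a prepended IV."""
    # PKCS#7 always adds 1..16 bytes, so an exact multiple gains a full block.
    padded = (plain_len // BLOCK + 1) * BLOCK
    return IV_LEN + padded

def plan(columns, rows, sensitive_only):
    """Return (plaintext bytes fed to the cipher, bytes stored on disk)."""
    encrypted = stored = 0
    for col in columns:
        if col.sensitive or not sensitive_only:
            encrypted += col.avg_bytes * rows
            stored += encrypted_len(col.avg_bytes) * rows
        else:
            stored += col.avg_bytes * rows
    return encrypted, stored

# Constructed schema for a hypothetical "accounts" table.
ACCOUNTS = [
    Column("account_id", 8, False),
    Column("branch_code", 4, False),
    Column("product_type", 24, False),
    Column("ssn", 9, True),
    Column("card_number", 16, True),
    Column("balance_cents", 8, False),
    Column("last_login", 8, False),
]

def compare(columns, rows):
    """Compare 'encrypt everything' with 'sensitive columns only'."""
    plain = sum(c.avg_bytes for c in columns) * rows
    return {"plaintext": plain,
            "encrypt_everything": plan(columns, rows, sensitive_only=False),
            "sensitive_only": plan(columns, rows, sensitive_only=True)}

if __name__ == "__main__":
    for strategy, result in compare(ACCOUNTS, 1_000_000).items():
        print(strategy, result)
```

With this constructed schema, short fields dominate the overhead: an 8-byte value grows to 32 bytes once padded and stored with its IV, which is why the column-by-column decision matters more than the raw data volume suggests.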
While broad, across-the-board encryption strategies are often burdensome and unnecessary, partial encryption of data on disk or of sensitive database fields, rows and columns may be a panacea for many financial institutions, where so much information needs to be protected and encrypted.
About the author:
Deni Connor is principal analyst for Storage Strategies Now, a research firm in Austin, Texas.