Given the vital records databases hold, these systems often represent one of the most critical areas of exposure for an organization. Consequently, as organizations look to comply with security best practices and regulatory mandates, database encryption is becoming increasingly common—and critical. Today, security teams looking to employ database encryption can choose from several alternatives. This paper provides a high level comparison of two approaches: Microsoft’s native encryption capabilities for SQL Server and the SafeNet DataSecure platform.
SafeNet dramatically reduces the cost and complexity of PCI compliance with the most complete and easy to manage data protection solution. With SafeNet, merchants, banks, and payment processors can protect sensitive data at rest, in use and in transit to meet the most challenging PCI security requirements.
Gemalto is an international digital security company providing software applications, secure personal devices such as smart cards and tokens, and managed services. It is the world’s largest manufacturer of SIM cards.
Visit: http://www.gemalto.com/
SafeNet Enterprise Key and Crypto Management
Sectricity
With SafeNet, organizations can centrally, efficiently, and securely manage cryptographic keys and policies—across the key management lifecycle and throughout the enterprise. SafeNet's data center protection solutions are designed to secure all of the sensitive information that is stored in and accessed from enterprise data centers, including patient records, credit card information, social security numbers, and more.
Get to know which security standards are applicable to OpenStack clouds
Evgeniya Shumakher, Mirantis
Compliance with critical industry and regulatory standards used to be mostly the concern of application makers and customers integrating their solutions. Cloud computing – especially IaaS – has made things a lot more complicated. Meanwhile, emerging cloud-specific standards, like FedRAMP or CSA cloud security guidelines, are suggesting new, complex and stringent requirements – while also offering critical guidance.
The presentation offers an inside look at the process:
The most important compliance and security standards for cloud builders,
Where existing OpenStack resources can fully or partially solve common compliance problems
Where standards support within OpenStack is currently thin
The common workflow for architecting standards-compliant clouds,
Common risks and emerging opportunities.
Take a closer look at PCI Compliance for private OpenStack clouds
Scott Carlson, PayPal
PCI Compliance is very important for large financial institutions. As one of the larger installations of OpenStack within the Financial space, PayPal has driven forward the PCI conversation and will be sharing the technical perspective on the following related to PCI and OpenStack Private Clouds:
How does OpenStack fit into an existing PCI-Compliant Environment
When there is not an external Cloud Service Provider, how does your team need to compensate
What are the design choices required to continue to be PCI-Compliant
Physical versus Logical devices
Hypervisor versus Guest compliance
Management Networks for PCI and non-PCI Zones
The case study won’t give a fully prescriptive talk on how to obtain PCI compliance, because there is a lot more to gaining compliance than just making your cloud compliant, but will help to understand:
Where existing OpenStack resources can fully or partially solve PCI compliance problems,
Where the OpenStack community needs to join together to solve problems in order to continue growth into PCI-compliant spaces.
PCI DSS v 3.0 and Oracle Security Mapping
Troy Kitch
Recent retail data breaches serve as a sobering reminder that the retail industry continues to be a key target of cybercriminals in 2014. In fact, according to the recent Verizon Data Breach Investigations Report, nearly a quarter of all data breaches occurred in retail environments and restaurants. What can organizations do to lower their risk? Watch this slideshare to learn more.
This is the fourth chapter of the Cisco Cyber Security Essentials course, which discusses the implementation aspects of confidentiality via encryption and access control techniques.
The past, present, and future of big data security
Ulf Mattsson
One of the biggest remaining concerns regarding Hadoop, perhaps second only to ROI, is security.
The Past, Present, and Future of Big Data Security
While Apache Hadoop and the craze around Big Data seem to have exploded out into the market, there are still a lot more questions than answers about this new environment.
Hadoop is an environment with limited structure, high ingestion volume, massive scalability and redundancy, designed for access to a vast pool of multi-structured data. What’s been missing is new security tools to match.
Read more in this article by Ulf Mattsson, Protegrity CTO, originally published by Help Net Security’s (IN)SECURE Magazine.
Multi-part Dynamic Key Generation For Secure Data Encryption
CSCJournals
Storage of user or application-generated user-specific private, confidential data on a third party storage provider comes with its own set of challenges. Although such data is usually encrypted while in transit, securely storing such data at rest presents unique security challenges. The first challenge is the generation of encryption keys to implement the desired threat containment. The second challenge is secure storage and management of these keys. This can be accomplished in several ways. A naive approach can be to trust the boundaries of a secure network and store the keys within these bounds in plain text. A more sophisticated method can be devised to calculate or infer the encryption key without explicitly storing it. This paper focuses on the latter approach. Additionally, the paper also describes the implementation of a system that in addition to exposing a set of REST APIs for secure CRUD operations also provides a means for sharing the data among specific users.
Securing data today and in the future - Oracle NYC
Ulf Mattsson
NYOUG - New York Oracle Users Group:
- Risks Associated with Cloud Computing
- Data Tokens in a Cloud Environment
- Data Tokenization at the Gateway Layer
- Data Tokenization at the Database Layer
- Risk Management and PCI
Title: What I Learned at Gartner Summit 2019
Abstract:
The Gartner Summit 2019 agenda featured five comprehensive programs to cover your security and risk management key priorities and challenges. Digital transformation continues to challenge the conventions of information risk and security management. It requires a coherent digital security program based on a clear vision and strategy. Businesses have been inundated with information on what recent privacy laws like GDPR and CCPA require, but many are still trying to figure out how to comply with them on a practical level.
The new Verizon Data Breach Investigations Report (DBIR) provides perspectives on how criminals simply shift their focus and adapt their tactics to locate and steal the data they find to be of most value.
Gartner includes data ethics and privacy on their list of the top 10 strategic technology trends of 2019, placing it on the same level as AI-driven development, blockchain, and edge computing. Many companies are focusing on data privacy from the legal and security side, which are foundational, but are missing the focus on data.
The cloud, SaaS applications, and user mobility are powerful enablers of digital transformation, but many IT organizations are grappling with legacy network and security architectures that haven't evolved in decades. In the era of Cloud 3.0, companies are re-imagining business processes from and for the cloud. With these new opportunities comes a new cybersecurity reality for IT leaders in a hybrid, multicloud world. At a minimum, cloud computing breaks into 3 primary layers: SaaS, PaaS and IaaS.
This presentation will explain primary security controls. You’ll learn how to take a strategic approach to risk, improve business and data resilience, build digital trust and implement a new generation of continuously adaptive security strategies. Cloud security remains a top priority. This presentation summarizes the problems, recommended processes, and new product types to address key issues.
Emerging Data Privacy and Security for Cloud
Ulf Mattsson
Title "Emerging Data Privacy and Security for Cloud"
Abstract:
Personal data privacy will be the most prominent issue affecting how businesses gather, store, process, and disclose data in public cloud. Gartner includes data ethics and privacy on their list of the top 10 strategic technology trends of 2019, placing it on the same level as AI-driven development, blockchain, and edge computing. Businesses have been inundated with information on what recent privacy laws like GDPR and CCPA require, but many are still trying to figure out how to comply with them on a practical level. Many companies are focusing on data privacy from the legal and security side, which are foundational, but are missing the focus on data. The good news is that these data privacy regulations compel businesses to get a handle on personal data — how they get it, where they get it from, which systems process it, where it goes internally and externally, etc. In other words, the new norms of data privacy require proactive data management, which enables organizations to extract real business value from their data, improve the customer experience, streamline internal processes, and better understand their customers.
As companies continue to transition to more cost-efficient cloud-based solutions, their email and other valuable data migrate along with them. The new Verizon Data Breach Investigations Report (DBIR) provides perspectives on how criminals simply shift their focus and adapt their tactics to locate and steal the data they find to be of most value.
Differential privacy, Tokenization, Homomorphic encryption, and Privacy-preserving computation are often discussed in the context of identifying individuals whose information may be in a database. Secure multi-party computation (also known as secure computation, multi-party computation (MPC), or privacy-preserving computation) is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private.
We will discuss how these emerging data privacy technologies can limit the privacy impact on individuals whose information is in a database. Let’s break down the differences and see where these techniques fit best in an organization’s security and privacy strategy and align with privacy law requirements.
You will learn
- The latest trends and strategies for securing sensitive data in cloud and the enterprise
- How to discover and capture your data inventory
- What’s needed to prevent a data breach by securing your critical data and protect your reputation
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
SafeNet
To ensure their compliance with the PCI Data Security Standard, many businesses have turned to SafeNet technology for a solution. To meet these demands, SafeNet offers a range of products, proprietary and through partner alliance. SafeNet, a global leader in information security, provides the industry’s most comprehensive range of solutions to help companies achieve compliance with the PCI Data Security Standard. Through its own proven set of products, along with an extensive partner network, SafeNet can provide merchants with the assurance that sensitive and valuable cardholder information is protected from all types of threats, and that regulatory compliance is not only being met, but exceeded.
Data centric security key to digital business success - ulf mattsson - bright...
Ulf Mattsson
With the exponential growth of data generation and collection stemming from new business models fueled by Big Data, cloud computing and the Internet of Things, we are potentially creating a cybercriminal's paradise where there are more opportunities than ever for that data to end up in the wrong hands. The biggest challenge in this interconnected world is merging data security with data value and productivity. If we are to realize the benefits promised by these new ways of doing business, we urgently need a data-centric strategy to protect the sensitive data flowing through these digital business systems. In this webinar, Ulf Mattsson explores these issues and provides solutions to bring together data insight and security to safely unlock the power of digital business.
As the need for data storage continues to grow, businesses of every size struggle with the costs and complexity of maintaining their stored and rapidly growing data, especially in databases. Whether you're managing data locally, remotely, or in the cloud, securing that data has never been more important. Learn how to effectively secure your MS SQL databases.
Titles with Abstracts_2023-2024_Cloud Computing.pdf
info751436
Engaging in cloud computing domain projects can provide numerous advantages, as cloud technology continues to transform the way businesses operate and deliver services. Here are some key advantages of working on cloud computing projects:
Scalability: Cloud computing allows for easy scalability, enabling organizations to scale their resources up or down based on demand. This ensures that they only pay for the resources they actually use, optimizing costs.
Cost Efficiency: Cloud computing eliminates the need for upfront infrastructure investment and the maintenance of physical servers. This can lead to significant cost savings, especially for smaller businesses or startups with limited capital.
Flexibility and Agility: Cloud services provide flexibility in terms of deployment options, programming languages, and frameworks. This agility allows developers to experiment with new ideas and bring products to market more quickly.
Global Reach: Cloud services are typically offered through a network of data centers located around the world. This enables organizations to provide services globally with low latency and high availability.
Resource Optimization: Cloud platforms offer tools for optimizing resource usage, such as automatic scaling, load balancing, and serverless computing. This ensures that resources are allocated efficiently, improving overall performance.
Security and Compliance: Leading cloud service providers invest heavily in security measures, including data encryption, identity and access management, and regular security audits. Leveraging cloud services can enhance the overall security posture of an organization.
Collaboration and Remote Work: Cloud computing facilitates collaboration among team members, allowing them to access and work on shared resources from anywhere with an internet connection. This is particularly valuable for remote or distributed teams.
Disaster Recovery and Business Continuity: Cloud services provide robust disaster recovery options, including backup and data replication. This ensures that organizations can quickly recover from data loss or system failures, contributing to business continuity.
Automatic Updates and Maintenance: Cloud service providers handle infrastructure maintenance, updates, and patching. This frees up IT teams from routine tasks, allowing them to focus on strategic initiatives and innovation.
Innovation Acceleration: Cloud computing provides access to a wide range of cutting-edge technologies, such as artificial intelligence, machine learning, and Internet of Things (IoT). Organizations can leverage these technologies to drive innovation in their products and services.
Elasticity: Cloud services offer elasticity, allowing organizations to dynamically adjust their computing resources to match changing workloads. This ensures optimal performance during peak demand periods.
Organizational compliance and security in Microsoft SQL 2012-2016
George Walters
Organizational compliance and security in Microsoft SQL 2012-2016. This covers encryption at rest and in transit, securing data, application design considerations, Audit, and T-SQL to help you get compliant.
TECHNICAL WHITE PAPER: NetBackup 5330 Resiliency/High Availability Attributes
Symantec
NetBackup Appliances Family
The NetBackup Appliance family offers complementary solutions to meet the data protection needs of modern enterprises, and includes solutions such as the NetBackup 5230 and NetBackup 5330 Appliances.
NetBackup 5230 Appliance
The NetBackup 5230 Backup Appliance includes master and media capabilities, alongside storage and deduplication features that will meet the needs of small, mid size, and even some large enterprises.
NetBackup 5330 Appliance
The NetBackup 5330 appliance offers media server capabilities, and is designed to meet the needs of large enterprise customers with demanding performance and scalability requirements across virtual and physical infrastructures.
The NetBackup 5330 Appliance is designed to supplement the NetBackup Appliance family by offering key enterprise customers a large-scale and performant offering. This includes sustainable performance over time and scale, predictable job success rates under heavy loads, and powerful deduplication capabilities.
Data protection architectures are, by necessity, complex in nature as they involve so many complex factors. There cannot be a “one size fits all” approach to data protection because the operational requirements of each organization dictate how data is used, and the local risk assessment process dictates to some extent how it will be protected.
Database security technique with database cache
IJARIIT
Today people are depending more on corporate data for decision making, management of customer service, supply chain management, etc. Any loss, corruption, or unavailability of data may seriously affect an organization's performance. Database security should provide protected access to the contents of a database and should preserve the integrity, availability, consistency, and quality of the data. In this paper, we analyze and compare five traditional architectures for database encryption. We show that existing architectures may provide a high level of security, but have a significant impact on performance and impose major changes to the application layer, or may be transparent to the application layer and provide high performance, but have several fundamental security weaknesses. We suggest a sixth novel architecture that was not considered before. The new architecture is based on placing the encryption module inside the database management software (DBMS), just above the database cache, and using a dedicated technique to encrypt each database value together with its coordinates.
What are some items every CIO should review when making the decision on whether or not to cloud? This infographic covers the most important aspects. More here: http://bit.ly/1vpGeKL
Here are the slides for Greenplum Chat #8. You can view the replay here: https://www.youtube.com/watch?v=FKFiyJDgdQk
The increased frequency and sophistication of high-profile data breaches and malicious hacking is putting organizations at continued risk of data theft and significant business disruption. Complicating this scenario is the unbounded growth of Big Data and petabyte-scale data storage, new open source database and distribution schemes, and the continued adoption of cloud services by enterprises.
Pivotal Greenplum customers often look for additional encryption of data-at-rest and data-in-motion. The massively parallel processing (MPP) architecture of Pivotal Greenplum provides an architecture that is unlike traditional OLAP on RDBMS for data warehousing, and encryption capabilities must address the scale-out architecture.
The Zettaset Big Data Encryption Suite has been designed for optimal performance and scalability in distributed Big Data systems like Greenplum Database and Apache HAWQ.
Here is a replay of our recent Greenplum Chat with Zettaset:
00:59 What is Greenplum’s approach for encryption and why Zettaset?
02:17 Results of field testing Zettaset with Greenplum
03:50 Introduction to Zettaset, the security company
05:36 Overview of Zettaset and their solutions
14:51 Different layers for encrypting data at rest
16:50 Encryption key management for big data
20:51 Zettaset BD Encrypt for data at rest and data in motion
22:19 How to mitigate encryption overhead with an MPP scale-out system
24:12 How to deploy BD Encrypt
25:50 Deep dive on data at rest encryption
30:44 Deep dive on data in motion encryption
36:72 Q: How does Zettaset deal with encrypting Greenplum's multiple interfaces?
38:08 Q: Can I encrypt data for a particular column?
40:26 How Zettaset fits into a security strategy
41:21 Q: What is the performance impact on queries by encrypting the entire database?
43:28 How Zettaset helps Greenplum meet IT compliance requirements
45:12 Q: How authentication for keys is obtained
48:50 Q: How can Greenplum users try out Zettaset?
50:53 Q: What is a ‘Zettaset Security Coach’?
Similar to SafeNet DataSecure vs. Native SQL Server Encryption
An important part of eIDAS is to regulate electronic signature and ensure safe transactions online. By providing qualified electronic signature, Trust Service Providers allow both signatory and recipient a higher level of convenience and security. Use this guide to understand and navigate the regulation goals and benefits.
Whose Cloud is It Anyway - Data Security in the Cloud (SafeNet)
Forget the geeky analysis of cloud security; risk is driven by people involved and the approach to adoption. In this RSA Conference 2015 presentation, David Etue, VP of Corporate Strategy, Gemalto, reviews the complex issues around data ownership and control in the cloud. When so many people have access to your data, how do you keep it safe? Unshare it!
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control (SafeNet)
Far too many organizations are slow to change how they assess and manage security in the cloud. They instead try to apply legacy controls that worked for traditional IT environments to the cloud, thus creating new opportunities for security failures.
In this slide deck -- originally presented at RSA Conference 2014 -- David Etue, VP of Corporate Development Strategy at SafeNet, Inc., covers the cultural changes that organizations should adopt in order to address the complex issues surrounding data access in the cloud.
More information about our approach to cloud security can be found at http://www.safenet-inc.com/cloud/.
Cyber Security Management in a Highly Innovative World (SafeNet)
Cyber attacks are reaching pandemic levels. State-sponsored groups and organized crime are successfully stealing valuable intellectual property—including critical infrastructure and operational readiness information, businesses’ and consumers’ financial data—often without anyone realizing the attack has occurred!
But preparedness cannot be delegated solely to the IT department. The involvement of the entire enterprise, armed with an understanding of the highly dynamic landscape, is vital for warding off potential threats.
Author: David Etue, VP of CorpDev Strategy, SafeNet
Watch the webcast on demand: https://www.brighttalk.com/webcast/6319/75109
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility (SafeNet)
By Joshua Corman, Dir. Security Intelligence, Akamai Technologies (@joshcorman) & David Etue, VP of CorpDev Strategy, SafeNet Inc. (@djetue)
Cloud, virtualization, mobility, and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.
Watch the full webcast: https://www.brighttalk.com/webcast/2037/72187
What is ProtectV and how can it help your organization? Here's a concise overview of SafeNet's cloud encryption solution for Amazon Web Services or VMware, as presented at VMworld.
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model (SafeNet)
5 steps to optimize your SaaS business model. Originally presented by VP Business Development Shlomo Weiss at the SIIA All About the Cloud conference in May 2012.
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro... (SafeNet)
SafeNet simplifies competitive migrations with bundled migration packages that enable organizations of any size to seamlessly transition to SafeNet’s Fully Trusted Authentication Environment. With this type of environment, customers retain control over data and policies, improve management and visibility, manage risk through a variety of authenticator options, and can supplement their installation with additional layers of protection to further secure sensitive data.
A Single Strong Authentication Platform for Cloud and On-Premise Applications (SafeNet)
Strong authentication and single sign-on for SaaS applications is available with SafeNet
Authentication Manager and SafeWord 2008.
With either platform, the enterprise security team retains complete control over the
configuration, deployment, and administration of the authentication infrastructure, which
remains in the enterprise’s IT domain.
Organizations can deploy either platform in their network’s DMZ, so users can authenticate
directly to cloud-based applications and services, rather than having to go through the corporate VPN. As a result, users have a faster, more seamless experience accessing on-premise and
cloud-based applications, while enterprises enjoy optimized security.
Securing Digital Identities and Transactions in the Cloud Security Guide (SafeNet)
Instead of spending thousands of dollars, and weeks, to install, customize, and integrate
business transaction applications in-house on local servers and workstations, running these
transactions ‘in the cloud,’ or on virtualized platforms, offers an attractive, simple, and cost-effective
option.
In order to foster a level of trust matching that of existing internal enterprise resources, and
to sustain compliance with internal policy and external regulations, it is essential that cloud
platforms adopt a cryptographic deployment model. Through this adoption, organizations can
ensure ownership and confidentiality of the cloud, integrity of business processes, transactional
non-repudiation, and streamlined compliance with heightened security standards—without
negatively impacting performance and reliability of cloud resources.
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio... (SafeNet)
Traditionally, a local connection, such as SCSI or PCI bus, has been used to connect an HSM to
its host server. While these local connections provide good bandwidth and an added degree of
physical security, they cannot offer the flexible, shareable features of a network connection. The
Luna SA was designed from the ground up to provide customers with a more powerful, flexible
HSM product. One of the cornerstones of this flexibility is the fact that the Luna SA is a network
attached device, a feature that permits the Luna SA’s high-performance HSM capabilities to be
easily deployed and shared between multiple network clients.
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W... (SafeNet)
To aid a successful and secure Public Key Infrastructure (PKI) implementation, this article
examines the essential concepts, technology, components, and operations associated with
deploying a Microsoft PKI with root key protection performed by a SafeNet Luna Hardware
Security Module (HSM).
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M... (SafeNet)
Cloud computing services can support nearly every mission the federal government performs –
from defending our nation’s borders to protecting the environment. Offering an elastic, adaptive
infrastructure, cloud computing enables federal agencies and their component organizations
to share information and create services, improving how agencies support the federal mission
and serve the American public. Just as the benefits are obvious, however, so too are the security
concerns. When consolidating their infrastructures with cloud service providers, how do federal
agencies ensure that sensitive data remains secure? How do they remain in control of their
information assets and compliant with U.S. Office of Management and Budget (OMB) and
agency-specific mandates and policies? Of equal importance is how the security concerns differ
within the federal community. This white paper outlines the role of trust in different federal
government communities, the path federal agencies can take to start building trust into cloud
deployments, and the approaches and capabilities that these organizations need to make this
transition a reality.
Hardware Security Modules: Critical to Information Risk Management (SafeNet)
The volume of information is mushrooming and being transformed from paper to digital form
at an alarming rate with no end in sight. Individually, we all experience the steady growth in storage capacity and our use of that capacity in the devices we touch daily – our laptops, desktops, and smart phones. On the commercial side, a conversation with the IT data center personnel quickly reveals that adding storage capacity is a perennial budget item. What should also be recognized is that the value of digitized information is not solely determined by the fact that it exists and its increasing volume, but its use. Business and
governmental entities know from experience that the fluidity of digitized information is critical
in the advancement of their business operations and citizen-serving endeavors. The escalating growth in the creation, storage, and use of digitized information also creates a growing exposure of information being lost, stolen, misused, and contaminated. The rise in regulations and laws designed to protect the rights of individuals is tangible evidence that this exposure is real. The rise in incidences of information breaches represents another piece of evidence of this growing exposure.
Strong Authentication: Securing Identities and Enabling Business (SafeNet)
In today’s environment, the need for organizations to enable secure remote access to corporate networks, enhance their online services, and open new opportunities for e-commerce is bringing ever-growing attention to the importance of securing user access and validating identities. In addition, the recent barrage of identity theft and corporate fraud cases has brought corporate responsibility and the protection of sensitive data to the spotlight. Consumer demands and compliance pressures bring organizations and institutions to search for new ways to strengthen their internal controls, authentication methods, and identity management practices. The message is clear – action is needed to stay ahead in the fast changing, security-conscious market.
Building Trust into eInvoicing: Key Requirements and Strategies (SafeNet)
For years, the digitalization of assets has been underway, completely transforming entire
industries, from healthcare to music. In the same way, the move to digitalization has also
brought fundamental change to the way businesses manage invoices. By moving to electronic
invoicing, known as eInvoicing, organizations in a host of industries can realize a range of
benefits:
• Reduced costs. By eliminating the purchase of paper for invoice printing, reducing the
time and expense of physical invoice handling, reducing the space and expense of paper-based
file storage, and eliminating postage, organizations can realize direct, upfront cost
savings.
A Question of Trust: How Service Providers Can Attract More Customers by Deli... (SafeNet)
Offering an outsourced, elastic, pay-as-you-go computing infrastructure, cloud computing services can deliver clear-cut benefits to a host of companies. Today, however, security concerns are a big barrier to many clients’ adoption of cloud services. To boost market share and gain competitive distinction, cloud service providers need to add the security infrastructure that safeguards clients’ sensitive data and fosters trust. This white paper outlines the path cloud providers can take to start building trust into cloud deployments, and details the approaches and capabilities organizations need to make this transition a reality.
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a... (SafeNet)
In the wake of acts of terrorism occurring worldwide, it has become imperative for countries to increase the level of security at their borders. To assist in
their efforts for stronger border security, countries around the globe are implementing an e-passport program.
DNSSEC represents a vital means with which to address many security threats, including cache poisoning, man-in-the-middle attacks, and more. But the DNSSEC infrastructure is only as secure as the cryptographic keys used to protect DNS records. This paper reveals important strategies for maximizing DNSSEC security, outlining the key role HSMs play and the critical requirements for successful HSM implementations.
Charting Your Path to Enterprise Key Management (SafeNet)
The increasingly prevalent use of data protection mechanisms in today’s enterprises
has posed significant implications. One of the most profound challenges relates to key
management, and its associated complexity and cost. Written for business leadership and
security architects, this paper looks at the past, present, and future of key management,
revealing how emerging trends and approaches will ultimately enable enterprises to optimize
both efficiency and security in the management of key materials.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
SafeNet DataSecure vs. Native SQL Server Encryption
1. SafeNet DataSecure vs. Native SQL Server Encryption
WHITE PAPER
Contents
Executive Summary...................................................................................................2
Solutions Overview................................................................................................... 2
SQL Server Encryption.............................................................................................. 2
Security and Compliance.......................................................................................... 4
Security of Keys.................................................................................................. 4
Security of Data.................................................................................................. 6
Separation of Duties........................................................................................... 6
Access Control and Leakage Prevention.............................................................. 7
Central Policy Control......................................................................................... 8
Infrastructure Coverage...................................................................................... 8
Integration and Administration................................................................................. 9
Total Cost of Ownership...................................................................................... 10
Set up and Integration......................................................................................... 10
Persistence Support for Cross Platform Applications.......................................... 11
Key Management and Rotation............................................................................12
Logging and Auditing........................................................................................... 13
Performance and Availability.....................................................................................14
Performance....................................................................................................... 14
Availability and Recovery..................................................................................... 14
Conclusion................................................................................................................ 15
About SafeNet.......................................................................................................... 15
White Paper: SafeNet DataSecure vs. Native SQL Server Encryption 1
2. Executive Summary
Given the vital records databases hold, these systems often represent one of the most
critical areas of exposure for an organization. Consequently, as organizations look to comply
with security best practices and regulatory mandates, database encryption is becoming
increasingly common—and critical. Today, security teams looking to employ database
encryption can choose from several alternatives. This paper provides a high level comparison
of two approaches: Microsoft’s native encryption capabilities for SQL Server and the SafeNet
DataSecure platform.
Solutions Overview
SafeNet DataSecure
SafeNet DataSecure is the only appliance-based data protection solution that features
granular, field-level encryption capabilities that can be integrated at the file, Web server,
application server, or database layer. By centralizing cryptographic processing, key and policy
management, logging, and auditing in a single, hardened appliance, DataSecure maximizes
overall security and helps ensure organizations are compliant with a range of security best
practices and regulations.
DataSecure features a centralized architecture that streamlines security administration and
provides superior key and policy life cycle management. Plus, DataSecure can act as an external
key management device for third-party encryption offerings. Consequently, organizations
employing SQL Server’s encryption capabilities can store the cryptographic keys associated with
that product, as well as keys for other encryption products, on the DataSecure appliance.
SQL Server Encryption
Microsoft offers several encryption options for SQL Server:
Windows BitLocker
BitLocker is an encryption solution that provides disk level, sector-based, and bulk encryption
of an entire drive or volume. BitLocker provides protection against data access when a machine
is turned off, but does not provide any protection once the operating system is started.
Information is stored on the disk in encrypted format at all times, which means performance is
slowed by approximately 5-10%, even when the client or server is turned on. However, any data
requested from the disk is immediately returned in a decrypted format, therefore, during day-
to-day operations of database servers, BitLocker introduces significant performance latency
without providing any granular data access protection. BitLocker is better suited for non-read/
write intensive usage, such as encryption of file servers or Windows clients, or for protection of
hard drives while in transit between sites.
3. Encrypting File System
Encrypting File System (EFS) is a file encryption feature introduced in Windows 2000,
with additional features and enhancements released in subsequent years. EFS makes
it possible for users to encrypt files on their computers, and control who can decrypt or
recover these files. EFS uses symmetric keys to encrypt files, and it uses certificates
associated with a specific user account to protect the file keys. For EFS to be used safely,
an organization must have already deployed a secured public key infrastructure (PKI) with
hierarchical certificate authorities (CA), and have the processes and mechanisms in place
to securely manage certificates and keys.
While EFS is a very robust solution for encrypting files in Windows environments,
it is usually not recommended for database file encryption. EFS does not support
column-level encryption, which means the entire database file must be encrypted and
decrypted while in use. As a result, EFS typically introduces performance degradation
of approximately 20 percent, which is especially problematic for large database files.
In addition, any user connecting to the database server can access any data in an EFS
encrypted database file, regardless of the EFS encryption status. When EFS is used for
database file encryption, the EFS encryption keys often reside in the operating system
hosting the database server, where they are vulnerable. Additionally, this requires
a smartcard or HSM to be connected to each database server, which necessitates
additional purchases and administrative complexity.
Field-level Encryption
SQL Server field-level encryption was introduced in SQL Server 2005 and is also
supported unchanged in SQL Server 2008. Field-level encryption supports granular
encryption of parts of a database or table by modifying the database schema and moving
the data that is to be protected into a binary data type. A set of schema modifications
allow the data to be read and updated in an encrypted format after the changes are
implemented.
Because of the significant performance and manageability impacts of setting up field-
level encryption, Microsoft has shifted its main focus in SQL Server 2008 towards
transparent database encryption. Microsoft still recommends the use of field-level
encryption in SQL 2008 for scenarios in which organizations demand a high degree of
data security and access control or granular data access auditing capabilities. Microsoft
cautions customers about the performance impacts of field-level encryption because
each field needs to be encrypted and decrypted separately on the database server CPU,
which degrades performance by 20-40 percent.
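As an added illustration (not code from the SafeNet paper), the Transact-SQL below walks through the schema change and in-database key hierarchy that field-level encryption relies on, ending with the queries a defender would run to see where the key material actually sits. The database, table, key and certificate names, the password placeholders and the sample card number are all hypothetical.

```sql
-- Added example, not from the SafeNet paper: SQL Server 2005/2008 field-level
-- (cell-level) encryption. PaymentsDB, dbo.Payments, CardCert and CardKey are
-- hypothetical names; passwords are placeholders.
USE PaymentsDB;
GO

-- 1. Key hierarchy inside the database: database master key (DMK) -> certificate
--    -> symmetric key. By default the DMK is also protected by the instance's
--    service master key, so the root of trust rests on the database server itself.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-DMK-password-placeholder>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects the card-number symmetric key';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO

-- 2. Schema change: protected data moves into a binary column. EncryptByKey output
--    carries the key GUID, IV and padding, so size it larger than the cleartext.
CREATE TABLE dbo.Payments (
    PaymentId     int IDENTITY(1,1) PRIMARY KEY,
    CardNumberEnc varbinary(128) NOT NULL
);
GO

-- 3. Writing: the key must be opened in the session, and every value is encrypted
--    individually on the database server CPU (the per-field cost the text describes).
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.Payments (CardNumberEnc)
VALUES (EncryptByKey(Key_GUID('CardKey'), N'4111111111111111'));  -- constructed test value
CLOSE SYMMETRIC KEY CardKey;
GO

-- 4. Reading: DecryptByKey returns varbinary, so cast back to the original type.
--    If the key is not open in the session, DecryptByKey returns NULL, not cleartext.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT PaymentId,
       CONVERT(nvarchar(19), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Payments;
CLOSE SYMMETRIC KEY CardKey;
GO

-- 5. Defender's check: enumerate where the key material lives. All of it is held
--    in this database's own system tables, next to the data it protects, and the
--    last query shows whether the DMK is additionally protected by the server's
--    service master key (i.e. by the operating system).
SELECT name, algorithm_desc, key_length, create_date FROM sys.symmetric_keys;
SELECT name, subject, expiry_date, pvt_key_encryption_type_desc FROM sys.certificates;
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = DB_NAME();
```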
Transparent Database Encryption
Transparent Database Encryption (TDE) is a new capability introduced in SQL Server
2008, and is only available as part of the Enterprise and Developer Editions. TDE uses
a hierarchical key management approach that is almost identical to the one employed
by Microsoft’s field-level encryption approach. TDE provides bulk encryption of all the
data in a given database. TDE does not enable column or field level encryption at this
time. Rather than offering a specifically targeted key and data encryption management
console, TDE is tightly integrated with SQL Server and is managed using the same DBA
query interfaces and the Transact-SQL language as the database server.
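An added example, not taken from the paper, of the Transact-SQL an administrator uses to turn on TDE and then verify it on SQL Server 2008 Enterprise; the database name, certificate name, passwords and backup file paths are hypothetical, and the final query assumes the pvt_key_last_backup_date column, which exists on newer releases than the 2008 version discussed here.

```sql
-- Added example, not from the SafeNet paper: enabling and verifying Transparent
-- Data Encryption. PaymentsDB, TdeServerCert and the file paths are hypothetical.
USE master;
GO

-- 1. The TDE key hierarchy starts in master: service master key (protected by
--    Windows DPAPI) -> master's database master key -> server certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-DMK-password-placeholder>';
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate for PaymentsDB';
GO

-- 2. Back up the certificate and its private key *before* turning TDE on: a TDE
--    database cannot be restored on any instance that lacks this certificate.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'C:\keybackup\TdeServerCert.cer'            -- hypothetical path
    WITH PRIVATE KEY (FILE = 'C:\keybackup\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong-export-password-placeholder>');
GO

-- 3. The database encryption key (DEK) lives in the user database and is protected
--    by the server certificate; ENCRYPTION ON then bulk-encrypts the whole database.
USE PaymentsDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE PaymentsDB SET ENCRYPTION ON;
GO

-- 4. Verify: encryption_state 3 = encrypted, 2 = encryption in progress.
--    tempdb appears here as well once any database on the instance uses TDE.
SELECT d.name, k.encryption_state, k.percent_complete,
       k.key_algorithm, k.key_length, c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint;

-- 5. Verify the protecting certificate has a recorded backup (NULL = never backed
--    up, a common cause of unrecoverable TDE databases). Assumes a release that
--    exposes pvt_key_last_backup_date.
SELECT name, pvt_key_last_backup_date
FROM master.sys.certificates
WHERE name = 'TdeServerCert';
```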
4. Table 1: Data Protection Capabilities

Capability                                     BitLocker   EFS    Field-Level   TDE         SafeNet DataSecure
Data Encryption (3DES & AES)                   Yes         Yes    Yes           Yes         Yes
Encrypted Physical Backup                      Yes         Yes    No            Yes         Yes
Column-level Access Policies                   No          No     No            Yes         Yes
Time-based Access Policies                     No          No     No            No          Yes
Separation of Duties                           No          No     No            No          Yes
Encrypted Logical Backup                       No          No     No            No          Yes
Offloaded Encryption (key outside of memory)   No          No     No            No          Yes
Secure Master Key Storage                      No          No     Optional*     Optional*   Yes
FIPS Certified                                 No          No     No            No          Yes
Central Key Management                         No          No     No            No          Yes
Protection for Data Load (ETL) and
  Direct Database File Access                  No          Yes    No            No          Yes

* Optional: requires a separate HSM purchase.
The table above compares the capabilities of native SQL Server encryption and those of DataSecure.
Security and Compliance
Optimizing security is the ultimate objective of employing database encryption. This
section compares the security offered by Microsoft’s encryption options and DataSecure,
comparing such critical areas as key security and separation of duties.
Security of Keys
Native SQL Server Encryption
The single most critical aspect to ensuring that encryption yields the highest level
of security possible is the security of the cryptographic keys. Simply put, if keys are
compromised, encrypted data is compromised.
A key architectural foundation of Microsoft’s encryption solutions is that cryptographic
keys reside on the same database server as the encrypted data. For large organizations
with dozens or even hundreds of databases, this means cryptographic keys reside on
dozens or hundreds of servers. This presents security exposures for a few reasons:
• Security best practices dictate that keys and the data they protect are separated.
The reason? If a server falls into the wrong hands, whether through theft, lost in
shipment for repairs, or a host of other reasons, thieves gain access to both the keys
and the data.
• While Microsoft TDE offers a hierarchical key model, its root, the service master key,
is generated by SQL Server and protected by the Windows Data Protection API (DPAPI) of
the underlying operating system. This is at odds with standards such as the Payment
Card Industry Data Security Standard (PCI DSS), which requires separation between
data access controls and operating system security.
• If you look at security as a battle, the more fronts you fight on, the harder defense
is. Protecting keys on many database servers presents just such a challenge: it is more
difficult to have visibility into whether keys have been compromised, security
mechanisms must be employed on each platform, and so on.
• Database servers are architected to optimize data access, not security. They
have multiple, unsecured access points and they’re often not stored in physically
secured locations due to operational needs. Database server backups pose similar
risks and further compound the number of places keys may reside, and where the
security battles take place.
• All keys are stored in software and are therefore exposed to vulnerabilities in the
underlying software; software-resident keys also cannot satisfy requirements that call
for keys to be generated and held in a hardware module validated under the Federal
Information Processing Standards (FIPS 140-2).
• When keys are stored in the database server and the underlying operating system,
any vulnerability in either Windows server or SQL Server 2008 poses an immediate
risk to data security and requires immediate patching—which can make an impact
on business processing and data availability.
To address this exposure, Microsoft developed a capability known as Extensible Key
Management (EKM), an Enterprise Edition feature that lets the asymmetric key protecting
a database encryption key (DEK), and the symmetric keys used for cell-level encryption,
be created and held in third-party hardware security modules (HSMs) designed specifically
for this purpose; the service master key itself remains under operating-system protection
on the server. Through this interface, administrators may use key management from
SafeNet. While EKM offers significant safeguards, there are several factors to consider:
• Using EKM for HSM-based key protection is an option, not a requirement. By
default, encryption keys are stored locally on the database server. Implementing
EKM introduces additional complexity for database administrators (DBAs), who
are, typically, already consumed with database-related tasks. Further, these
efforts require subject matter expertise around HSMs and key management, which
is not commonly a part of a DBA’s background.
• Although EKM supports HSM-based storage of keys, policies for key access are
still controlled on SQL Server, most often by DBAs, so there is no real separation
of roles among an organization’s DBAs, developers, and the security organization.
This jeopardizes compliance with such standards as PCI-DSS, and makes the
DBA the responsible party in the event of a data leak or compliance violation, a
responsibility usually better handled by a security or compliance team.
• The EKM approach introduces increased complexity and the additional cost of
acquiring, integrating, and managing the HSM, which is multiplied by the number
of HSMs required to support each and every database server separately.
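As an added example, not code from the paper or from SafeNet, the following Transact-SQL builds the native key hierarchy described in the TDE section above and then shows the EKM alternative discussed in the bullets above. The database name, the certificate, key, login and credential names, file paths, passwords and the HSM provider DLL path are placeholders; the provider DLL and the HSM key label come from the HSM vendor. Part 2 replaces the DEK step of Part 1 rather than following it.

```sql
-- Added example (not from the paper): native TDE key hierarchy and its EKM
-- variant for SQL Server 2008 Enterprise Edition. All names, paths and
-- passwords below are placeholders chosen for this example.

---------------------------------------------------------------------------
-- Part 1: software-only hierarchy (every key lives on the database server)
---------------------------------------------------------------------------
USE master;
GO
-- Database master key for master, protected by the service master key,
-- which SQL Server in turn protects with the Windows DPAPI on this host.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-a-long-random-passphrase';
GO
-- Server certificate whose private key will protect the DEK.
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE protector for Payments';
GO
-- Back it up at once: without these files the encrypted database cannot
-- be restored or attached on any other instance.
BACKUP CERTIFICATE TDECert
    TO FILE = 'D:\keybackup\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = 'Another-long-passphrase');
GO
USE Payments;
GO
-- Per-database DEK, wrapped by the server certificate; then switch TDE on.
-- Once any database on the instance is encrypted, tempdb is encrypted too.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE Payments SET ENCRYPTION ON;
GO
-- Verification: encryption_state 2 = encryption scan in progress, 3 = done.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length, encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
GO

---------------------------------------------------------------------------
-- Part 2: EKM variant (the DEK's protector lives in an HSM)
---------------------------------------------------------------------------
USE master;
GO
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO
-- Register the HSM vendor's EKM provider DLL (placeholder path).
CREATE CRYPTOGRAPHIC PROVIDER HsmProvider
    FROM FILE = 'C:\Program Files\HsmVendor\ekm_provider.dll';
GO
-- Credential the administrator uses to reach the HSM while creating the key.
CREATE CREDENTIAL HsmAdminCred
    WITH IDENTITY = 'hsm-admin', SECRET = 'hsm-admin-password'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN [CORP\tde_admin] ADD CREDENTIAL HsmAdminCred;
GO
-- Reference an existing HSM key; its private half never leaves the device.
CREATE ASYMMETRIC KEY TDE_HSM_Key
    FROM PROVIDER HsmProvider
    WITH PROVIDER_KEY_NAME = 'payments-tde-kek',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO
-- Credential and login that the engine itself uses to unwrap the DEK
-- (for example at startup), mapped to the asymmetric key.
CREATE CREDENTIAL HsmEngineCred
    WITH IDENTITY = 'hsm-engine', SECRET = 'hsm-engine-password'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
CREATE LOGIN TDE_HSM_Login FROM ASYMMETRIC KEY TDE_HSM_Key;
ALTER LOGIN TDE_HSM_Login ADD CREDENTIAL HsmEngineCred;
GO
USE Payments;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_HSM_Key;
GO
ALTER DATABASE Payments SET ENCRYPTION ON;
GO
```

The verification query is the check to put in a monitoring job: a database whose encryption_state is not 3 is either still being scanned or was never fully encrypted. Note also what EKM does not change: who may create, alter or use these keys is still decided by SQL Server permissions, most often held by the sysadmin.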
DataSecure
With DataSecure, organizations can centrally house the cryptographic keys used to
encrypt data in virtually any number of databases. Simply by reducing the number
of places they reside, DataSecure dramatically reduces the potential exposure of
cryptographic keys. Further, DataSecure offers the highest level of security available
in a commercial database encryption solution: it operates on a hardened appliance that
is validated under FIPS 140-2 and evaluated under Common Criteria.
Encryption keys are securely stored on the appliance and thereby protected against
application layer attacks and malicious DBAs and developers. The keys are never
distributed to database servers from the appliance nor can they be viewed or copied
by anyone.
Security of Data
Native SQL Server Encryption
SQL Server TDE encrypts pages as they are written from the SQL Server buffer pool to disk
and decrypts them as they are read from disk into the buffer pool. Consequently, data
cached in SQL Server memory is in clear text even though it is encrypted on disk, and
may be exposed through the Windows page file, SQL Server's full-text indexing, or a SQL
Server memory dump.
DataSecure
DataSecure integrates cipher operations into the SQL statements themselves. As a
result, encrypted information is decrypted only when an actual SELECT statement is
executed, and is encrypted immediately when an INSERT or UPDATE is issued. Further, even
when a mechanism such as a SQL Server page checksum buffers an actual write to disk, the
data remains encrypted. This ensures that sensitive information is protected regardless
of the access mechanism being employed.
Separation of Duties
Native SQL Server Encryption
Many breaches in recent years have illustrated the risk of having one person holding all
the “keys to the kingdom.” That is why so many regulations and security policies mandate
a separation of duties when it comes to securing sensitive data.
When native encryption is employed on SQL Server, the DBA effectively also becomes the
security administrator. It falls to the DBA to install and maintain the encryption solution.
Not only do they handle traditional tasks, but they also must be relied upon to do key
management, set security policies, and control user access. Consequently, a single
person controls the data, which can present a significant source of exposure. Further,
DBAs are not typically trained to do security administration, which raises the potential
for configuration errors. Finally, if one DBA decides to undertake malicious activities, the
harm they could inflict could be devastating.
TDE allows a DBA to grant the right to create and manage keys to specific users, thereby
delegating key management. However, the database system administrator (sysadmin) retains
full rights over every aspect of the database server's security, including keys. This may
present a challenge when addressing some compliance requirements, especially since some
commercial applications require sysadmin privileges to run correctly.
DataSecure
The DataSecure solution provides a mechanism for clearly separating security
responsibilities from database responsibilities as required by such regulations as PCI-
DSS. Separation of duties between the DBA and the other administrators prevents “super
user” access and its associated risks.
DataSecure offers granular capabilities for defining roles and permissions around the
ability to manage keys, create keys, and modify policies. DataSecure also allows for “M
of N” approvals, which means that organizations can set up policies so that no single
administrator can make a critical configuration change without additional approvals from
other administrators.
With DataSecure, administrative privileges can be separated among a number of
roles. For example, a security administrator can be authorized to perform specific key
management, user access, and security policy functions; a network administrator could
have control over device configuration and certificates; an operations administrator
could have logging controls; and the DBA could have rights to perform database software
installation and configure the tables and columns to be encrypted.
Access Control and Leakage Prevention
Native SQL Server Encryption
Over the last few years, Microsoft has invested heavily in elevating the level of security
offered within its different product lines. As part of those investments, several impressive
encryption technologies have been introduced as part of both Windows servers and
clients, as well as SQL Server. These technologies are very useful, and should be utilized
by customers where appropriate.
While Microsoft BitLocker, EFS, and TDE provide a variety of encryption mechanisms,
they do not control who can access the sensitive information, when they can access it,
or how much data can be accessed. These mechanisms are "blind" to the actual
information: anyone with access rights can decrypt any of it, and use the data
encryption keys (DEK), regardless of context.
This creates a serious threat to sensitive information, opens the door to leaks and
liability, and poses a serious threat to compliance, as standards, such as PCI-DSS and
GLBA, require control and management over data access rights. For example, when
TDE is employed, applications typically use a trusted subsystem account to access the
database. There is no way to distinguish such factors as the time of day data is being
accessed, the server accessing the database (for example, why would a server in the DMZ
need to decrypt a large number of records?), or the actual application or database user
conducting the operation.
The following is a quote from Microsoft: “TDE is not a form of access control. All users
who have permission to access the database are still allowed access; they do not need to
be given permission to use the DEK or a password.”1
Further, when TDE is employed, data is encrypted at the database level, rather than at the
column level. As a result, anyone permitted to access the database can see all the data in
the clear. Consequently, organizations looking to employ encryption are faced with an all-
or-nothing approach—even though the sensitive data held in many databases will only
amount to one or a few columns out of many.
When field-level encryption is employed, the symmetric key is stored in the database and
is protected either by the database's key hierarchy (certificate, database master key,
service master key), in which case it is opened automatically on the server and carries
the same exposure outlined for TDE, or by a password that prevents automatic decryption,
so that, for example, users can hold individual keys for their own data. Assigning keys
to individual users avoids a "master key" managed by the DBA, but at the same time
introduces a significant key exposure and management challenge, since the password or
key must be available on every workstation from which the user needs to decrypt
database information.
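The following added example (not code from the paper or from either vendor) shows the native cell-level alternative to TDE with key permissions split between two database roles. It illustrates both the separation-of-duties limit discussed earlier and the access-control point made here: under TDE alone, any principal holding SELECT reads plaintext. The database, table, key, certificate, role and user names and the sample card number are placeholders constructed for this example.

```sql
-- Added example (not from the paper): cell-level encryption with key
-- permissions split between a reader role and an analyst role. All names
-- and the sample card number are placeholders.
USE Payments;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-a-long-random-passphrase';
CREATE CERTIFICATE CardKeyCert WITH SUBJECT = 'Wraps CardKey';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardKeyCert;
GO
CREATE TABLE dbo.Cards (
    CardId   INT IDENTITY PRIMARY KEY,
    Customer NVARCHAR(100)  NOT NULL,
    PanEnc   VARBINARY(256) NOT NULL   -- ciphertext only; the PAN never lands here in clear
);
GO
-- Two roles with identical table rights; only one may use the key.
CREATE ROLE card_reader;
GRANT SELECT ON dbo.Cards TO card_reader;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::CardKey TO card_reader;  -- needed to OPEN the key
GRANT CONTROL ON CERTIFICATE::CardKeyCert TO card_reader;        -- needed to unwrap it

CREATE ROLE card_analyst;
GRANT SELECT ON dbo.Cards TO card_analyst;   -- no rights on CardKey or CardKeyCert

CREATE USER reader_user  WITHOUT LOGIN;
CREATE USER analyst_user WITHOUT LOGIN;
EXEC sp_addrolemember 'card_reader',  'reader_user';
EXEC sp_addrolemember 'card_analyst', 'analyst_user';
GO
-- Insert: the PAN is encrypted inside the statement, so it reaches the
-- buffer pool and the transaction log as ciphertext. The authenticator
-- (the Customer value) binds the ciphertext to its row, so a ciphertext
-- copied in from another row will not decrypt.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardKeyCert;
INSERT INTO dbo.Cards (Customer, PanEnc)
VALUES (N'A. Example',
        EncryptByKey(Key_GUID('CardKey'), N'4111111111111111', 1, N'A. Example'));
CLOSE SYMMETRIC KEY CardKey;
GO
-- reader_user may open the key, so DecryptByKey returns the PAN.
EXECUTE AS USER = 'reader_user';
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardKeyCert;
SELECT Customer,
       CONVERT(NVARCHAR(19), DecryptByKey(PanEnc, 1, Customer)) AS Pan
FROM dbo.Cards;
CLOSE SYMMETRIC KEY CardKey;
REVERT;
GO
-- analyst_user: SELECT on the table succeeds, but OPEN SYMMETRIC KEY is
-- refused for lack of permission, and DecryptByKey against a key that is
-- not open returns NULL. Under TDE alone this same SELECT would return
-- the PAN in clear.
EXECUTE AS USER = 'analyst_user';
SELECT Customer,
       CONVERT(NVARCHAR(19), DecryptByKey(PanEnc, 1, Customer)) AS Pan  -- NULL
FROM dbo.Cards;
REVERT;
GO
-- Limit the paper points out: a sysadmin, or a db_owner holding CONTROL on
-- the database, can grant itself these permissions. This separates readers
-- from analysts, not DBAs from the data.
```

The authenticator argument is the part most often skipped in practice; without it, a ciphertext from one row decrypts just as well when moved to another, which lets an attacker with UPDATE rights swap one customer's card onto another account without ever learning the key.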
When EFS is employed, access control can only be applied to the file system files holding
the database contents, such as data files, transaction log files, and full-text index
files. While EFS protects those files from offline attacks, such as someone copying the
database file itself, this offers limited protection: database files are usually
protected while the operating system is shut down by means such as full-disk encryption,
and they are locked against copying once the database server is running. Further, since
the only "user" accessing the database files is the account under which SQL Server runs,
access control applies to that account only. As a result, the EFS encryption keys must be
available locally on every server that runs SQL Server.
EFS provides no access control or protection over the actual data records inside the
database, nor can it protect extract, transform, and load (ETL) files, since EFS provides
no centralized policy over which file locations should be encrypted. Also, system
administrators must use the server console to encrypt files manually.
1 Microsoft, “Database Encryption in SQL Server 2008 Enterprise Edition”; Section: “Impact on the
Database”—http://msdn.microsoft.com/en-us/library/cc278098.aspx#_Toc189384679
DataSecure
DataSecure offers authorization functionality that is highly granular so that access to
encrypted columns can be controlled by assigning encrypt and decrypt privileges on
a per user basis. Plus, these access control features allow a security administrator or
compliance officer to secure access to sensitive data at the user level. Often, these
changes can be implemented with little or no changes to the database architecture.
While, in some cases, additional columns may be added to database elements such as
tables to support transparent data encryption, those changes have no effect on the
original database fields in the schema, which helps ensure full application compatibility.
With DataSecure, a database user that has access to a table with encrypted columns may
be allowed to see all, none, or some of the encrypted data based on the way permissions
are configured. DataSecure separates the database access control managed by the DBA
and the application from the rights to use encryption keys and from the right to access
protected sensitive database information. DataSecure provides granular control over
data access based on the following parameters:
• Time of day— Enables administrators to dictate when specific users and roles can
access sensitive data; for example, to ensure a call center employee that works the
day shift can’t access credit card information at 2:00 AM.
• Amount of information being accessed—Organizations can control the volume of
decryptions; for example a call center representative that might need to handle
at most 100 customer records per shift will not be able to decrypt more than 100
records during a given day.
• Policies and keys—Enables the segmentation of policies associated with the data
and the key used to encrypt it; for example, a call center employee might be able
to decrypt customer records in their line of business’ database but not in the VIP
customer table encrypted with a different key.
Central Policy Control
Native SQL Server Encryption
Another key challenge when utilizing Microsoft’s integrated encryption offerings is the
lack of a central policy management console that can be used to control encryption
and policy changes. As a result, it is difficult to maintain consistent documentation
of the encryption and access controls employed during a given time frame. With EFS
and BitLocker, access control is managed locally on both the database server and the
operating system and must be set separately for every piece of protected information,
which presents a host of security management and compliance challenges.
DataSecure
DataSecure provides a central, Web-based management console that brings all access
control management into a single location. As a result, administrators have efficient
access to a data protection policy repository that displays all access policies across
databases, applications, and file systems. Further, DataSecure supports streamlined
security configuration documentation, a requirement for security life cycle management
and for compliance with regulations such as SOX and PCI DSS.
Infrastructure Coverage
Native SQL Server Encryption
It is important to note that while Microsoft provides data encryption solutions for
SQL Server and file data, those solutions only address SQL Server on Windows operating
systems. Further, TDE can only be employed on SQL Server 2008, not on earlier versions of
the database.
The reality, however, is that sensitive data is housed and accessed in a host of other
places throughout an organization: unstructured files such as PDFs and spreadsheets,
applications, Web servers, and more. Further, most organizations run a mix of operating
systems and databases, whether IBM DB2, Microsoft SQL Server, Oracle, or Teradata, and
over the course of its lifecycle a specific piece of data may reside on a number of
platforms. For example, a customer record might be created in a mainframe application
using DB2, copied to SQL Server on Windows, loaded into an ERP application using Oracle
on Linux, and finally forwarded to a data warehouse housed in Teradata that is used for
business intelligence reporting. Consequently, native SQL Server encryption does not
address the full life cycle of corporate data, and so covers only a small piece of an
organization's overall security needs.
As a result, many companies utilizing a variety of databases in their corporate networks
end up deploying and supporting security solutions on a database-by-database basis.
Particularly in large organizations, these point solutions prove costly and inefficient, and
introduce their own set of security problems. For example, since there is no key sharing
between these disparate offerings data has to be decrypted and forwarded in the clear
before it can be encrypted on another system.
DataSecure
DataSecure can be used to centrally manage the encryption of sensitive data in all of an
institution’s databases, including Oracle, IBM DB2, SQL Server, and Teradata.
DataSecure also provides the flexibility to encrypt data at the file level, at the column
or field level in databases, at the application layer, and during batch-driven data
transformation and transaction processes. DataSecure offers comprehensive support for
protecting sensitive database information regardless of the underlying operating system,
with support for z/OS, Linux, Windows, and other platforms.
DataSecure provides the ability to encrypt information from the moment it enters the
enterprise and as it travels within the environment. With DataSecure, organizations can
encrypt sensitive data once, and have it be secured throughout its lifecycle, while at the
same time enabling authorized users and processes to decrypt the record when needed.
This increases overall security by eliminating points of vulnerability outside the database.
Table 2: Database Information Protection Components

Component                                    | BitLocker | EFS | Field-Level | TDE | SafeNet DataSecure
---------------------------------------------|-----------|-----|-------------|-----|-------------------
Extensible Key Management Infrastructure¹    | No        | No  | No          | Yes | Yes
Application-level Encryption                 | No        | Yes | No          | Yes | Yes
File Encryption (outside of SQL Server)      | No        | Yes | No          | No  | Yes
z/OS Integration                             | No        | No  | No          | No  | Yes
Integration with POS Vendors                 | No        | No  | No          | No  | Yes
Oracle & DB2 Support                         | No        | No  | No          | No  | Yes
Support for RC4, HMAC-SHA1, and RSA          | No        | No  | No          | No  | Yes

The table above outlines the support DataSecure and native SQL Server encryption options provide for
various security capabilities that are required beyond database encryption. Of the algorithms in the
last row, RC4 is a legacy stream cipher with known weaknesses and should not be selected for new
deployments; AES is the appropriate choice for data encryption.
Integration and Administration
The degree to which an encryption solution facilitates deployment and ongoing
administration efforts can play a significant role in the success of an encryption initiative.
Following are details of the differing integration and administration characteristics of
each encryption approach.
Total Cost of Ownership
Native SQL Server Encryption
While Microsoft offers both cell-level and whole-database encryption, TDE is available
only in SQL Server 2008 Enterprise Edition. As a result, implementing TDE requires that
all servers within the compliance scope be upgraded to SQL Server 2008 Enterprise
Edition, a large and time-consuming task that can create application compatibility issues.
Further, the TDE solution is only applicable to SQL Server 2008 databases, so
organizations with other databases or operating systems are tasked with learning,
implementing, and managing separate solutions for each of those platforms.
To guarantee free software updates for the database platforms, customers are required
to sign a 3-year maintenance plan with Microsoft, which tends to cost around 120 percent
of the initial purchase cost. The Microsoft maintenance plan does not include support
fees, which are charged separately and range from tens to hundreds of thousands of
dollars depending on the support needs. Any upgrade or fix to the encryption and key
management solution requires a patch of the database platform and/or the operating
system, a process involving compatibility testing and potential up-time implications.
DataSecure
DataSecure is a single, easy-to-manage solution that offers database encryption for all
major versions of Microsoft SQL Server, as well as other leading database platforms, such
as Oracle, DB2, and Teradata. DataSecure eliminates the need for expensive and lengthy
application and database migration and testing projects. Further, by having a single,
easy management interface for all database platforms and the related policies and keys,
DataSecure significantly lowers operational costs.
While the DataSecure appliance does require an initial purchase, this investment can be
fully leveraged because the appliance is reused across database platforms. The
DataSecure maintenance plan includes full support and software updates for all aspects
of the DataSecure solution for a relatively low yearly cost, and a seamless upgrade
experience that removes operational and testing costs.
Set up and Integration
Native SQL Server Encryption
In all but the smallest organizations, deploying native SQL Server encryption is highly
complex and time-consuming. All administrative efforts are manual and conducted on
a per-database basis, so the more databases an organization has, the more work, and
potential errors, will be involved.
In a common TDE deployment, in which the goal is to secure data and achieve regulatory
compliance, organizations must address several time consuming and complex
requirements:
• The need to have a PKI available to provide recoverable server and database keys
• The purchase, deployment, and secure operation of a FIPS 140-2 Level 2 validated HSM
for each database server, in order to adhere to security best practices and regulatory
compliance
• Manual review, outline, and implementation of data and key access policies
• Separate deployment of file encryption
• Development of scripts and command line tools to encrypt data during ETL
processes and in transit
• Upgrade existing databases to SQL Server 2008 Enterprise Edition and associated
application compatibility testing
• Ongoing patching of both Windows and SQL Server to address any vulnerability that
might affect TDE
• Manual documentation of the key and data access rights as part of security life cycle
management and regulatory compliance
• Institution of security training for the DBA team and establishment of a data
exposure response team that is comprised of several groups, including security,
compliance, application development, and DBAs
DataSecure
By providing an out-of-the-box solution with centralized administration of cryptographic
policies and configuration, DataSecure dramatically reduces implementation time
and expenses compared to deploying native SQL Server encryption. DataSecure offers
centralized management for securing database and applications across hundreds, or
even thousands, of geographically-distributed locations. Users can centrally manage
every facet of security administration, including key management, maintenance and
troubleshooting, policy management, logging, reporting, and software upgrades.
With DataSecure, integration across various database platforms is automated and
transparent to applications. In addition, DataSecure features these tools
and capabilities:
• A data discovery tool that can scan databases for sensitive data—such as account
numbers, credit card numbers, social security numbers, and e-mail addresses—that
is not encrypted, helping database administrators and security directors quickly
identify where sensitive data exists. This saves administrators time and enables
them to better secure sensitive information
• Data migration capabilities that automatically configure the database and encrypt all
of the data in the columns that have been tagged for encryption
• Application transparency, through support for the creation of triggers and views that
hide encrypt and decrypt functions from associated applications
• Key rotation and versioning capabilities that enable administrators to rotate
encryption key(s) on a per column basis—without having to decrypt and re-encrypt
data.
Given DataSecure is provided as a turnkey, appliance-based solution, implementation
is typically fast and efficient. Following are the common steps to setting up database
encryption:
• Plugging in the DataSecure appliance and configuring network settings.
• Connecting the appliance to the database to be secured, and selecting the
appropriate columns or fields to be protected.
• Assigning keys, defining access policies, and migrating data to a protected state.
Persistence Support for Cross Platform Applications
Native SQL Server Encryption
While native SQL Server encryption protects information in the database, it does not
enable organizations to integrate cryptographic operations with associated applications.
However, in many cases, it is preferable to implement data encryption in the application
logic rather than in the database. Not only does this approach often eliminate the need
to make database configuration changes and address performance degradation, but it
can help ensure end-to-end encryption of data, from the time it is entered to the point at
which it is stored or viewed.
While Microsoft does provide encryption APIs, they are stand-alone and are not
integrated with the underlying key management and data access policy management
processes. Thus, organizations that need to protect data across the entire processing
lifecycle must implement several disconnected integration and development projects to
employ application-level and database-level encryption.
DataSecure
The DataSecure solution was designed from the outset to support heterogeneous
environments and encryption at different levels within the infrastructure. With the
DataSecure platform, encryption keys used for one vendor’s database can be used for any
other database system or line of business application. DataSecure offers an extensive set
of application connectors that deliver FIPS-certified encryption to an organization’s line-
of-business applications.
With DataSecure, encryption keys and data access policies can be reused across
different applications and database systems, providing true information life cycle
protection. With its support for J2EE, .NET, COBOL, C, and other languages, DataSecure
can be deployed in leading application development and run-time environments.
DataSecure supports seamless encryption of data from its submission in a Web or
line-of-business application, across enterprise connectivity and integration layers (such
as a message bus and EAI), and into the database.
[Figure 1 (diagram): a central SafeNet DataSecure appliance serving SafeNet ProtectDB
for databases; SafeNet ProtectApp for application and Web servers and mainframes;
SafeNet ProtectFile for file servers and network shares holding unstructured data; and
SafeNet ProtectDrive for PCs and mobile handsets. The diagram also labels secure remote
access to network applications.]
Figure 1: DataSecure offers a centralized solution for managing keys across an enterprise infrastructure,
including Web and application servers, databases, file servers, and more.
Key Management and Rotation
Native SQL Server Encryption
With native SQL Server encryption, keys are created and managed on the database server,
and administrators are tied to using Microsoft’s proprietary techniques and interface
for performing these functions. When there are large numbers of database servers in
an organization, the process of managing keys on each individual database server can
quickly become cumbersome and subject to errors. This is especially true if granular,
field-level encryption policies are employed. Further, there is no automated process
to share or replicate keys among the database servers, even within a single vendor’s
platform. Backing up the keys, which is critical for any encryption implementation, is a
manual, command line process for each database on each individual server and grows
increasingly complex as the number and variety of database servers are deployed
throughout an organization.
Further, key rotation is required to increase the security of protected data, ensuring
that keys and the data they protect are not exposed over time. SQL Server 2008 performs
rotation through Transact-SQL: regenerating the database encryption key creates a new
key and re-encrypts the entire database with it in a background scan. The database stays
online during the scan, but performance is degraded for its duration, and a small set of
maintenance operations (detaching, taking the database offline, dropping files, setting
the database read-only) are refused until it completes. A substantial amount of
processing overhead is incurred because, rather than re-encrypting a specific column, the
entire database must be decrypted and re-encrypted. Rotating only the certificate that
protects the database encryption key is cheap, since just that key is re-encrypted, but
every certificate that has ever protected a backup must be retained and backed up for as
long as those backups need to remain restorable.
Command-line backup of keys to a file does provide recoverability of data in case of
disaster or database problems, but requires the organization to set up and maintain a
manual, unmanaged, and less secure key repository, perhaps by keeping all backed-up keys
in a central file server directory, exposing the keys to risk and to accidental deletion
or loss.
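As an added example (not code from the paper or from either vendor), the two native rotation operations described above in Transact-SQL; the database and certificate names, file paths and passwords are placeholders.

```sql
-- Added example (not from the paper): TDE rotation in Transact-SQL.
-- Database and certificate names, paths and passwords are placeholders.
USE master;
GO
-- (a) Rotate the protector. Only the DEK is re-wrapped; no data page is
--     touched. Keep, and keep backed up, the old certificate for as long
--     as any backup taken under it must remain restorable.
CREATE CERTIFICATE TDECert2 WITH SUBJECT = 'TDE protector for Payments, generation 2';
BACKUP CERTIFICATE TDECert2
    TO FILE = 'D:\keybackup\TDECert2.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TDECert2.pvk',
                      ENCRYPTION BY PASSWORD = 'Another-long-passphrase');
GO
USE Payments;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDECert2;
GO
-- (b) Regenerate the DEK. Every page is decrypted and re-encrypted by a
--     background scan: the database stays online but slower, and detach,
--     offline, file drops and read-only transitions are refused until the
--     scan finishes (encryption_state 4 while running, 3 when complete).
ALTER DATABASE ENCRYPTION KEY
    REGENERATE WITH ALGORITHM = AES_256;
GO
-- Progress check, suitable for a monitoring job.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       regenerate_date, encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID('Payments');
GO
```

Operation (a) is the one to schedule routinely; operation (b) is the expensive whole-database pass the paper describes, and should be planned for a low-traffic window with the progress query polled until encryption_state returns to 3.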
DataSecure
The SafeNet DataSecure solution streamlines key management, providing a centralized
network appliance to perform all key management functions—including creating keys,
controlling access to keys, and backing up keys. DataSecure supports granular, fully
automated key rotation, according to key expiration policies. Further, this rotation only
affects encrypted columns, minimizing the performance impact of encryption on the
database.
Logging and Auditing
Native SQL Server Encryption
Native SQL Server encryption provides only basic logging, and in heterogeneous
environments each database vendor has its own log format, so log administration and
report generation are extremely time consuming. Further, because of the way event data
is structured in Windows and SQL Server, it is difficult to analyze log information and
spot potential threats in a timely manner. In addition, these logging mechanisms offer
little protection against tampering or unintentional modification.
DataSecure
DataSecure provides comprehensive, secure, and centralized logging and auditing of all
cryptographic functions and data access events. The DataSecure platform maintains a
variety of detailed logs to record all administrative actions and cryptographic activity on
the appliance. Not only is every cryptographic function logged, but real-time reporting
allows for immediate detection of any potential threats.
DataSecure can capture all encryption activity—even across disparate databases and
applications—and house this logging data in a central, standardized fashion. Compared
to the traditional, time-consuming process of manually gathering and analyzing
information from multiple application and database logs, this centralization provides
much greater efficiency and control.
Consolidated logging information and audit reporting enable auditors to easily
understand who accessed what data and which administrators made changes to
encryption configurations or key management policies. DataSecure records administrative
actions, such as key creation, access control management, and policy management, in an
audit log.
Further, DataSecure offers a detailed activity log that tracks all key usage and data
access activity, including details such as the accessing user, time of day, number of
records accessed, related policy, and more. All logs managed by DataSecure are
tamper-proof, providing proof of authenticity for the event record and guaranteeing a
clear, auditable history of data and user activity across all sensitive information.
Consequently, administrators can more efficiently comply with the logging and auditing
requirements of regulations such as PCI DSS.
White Paper: SafeNet DataSecure vs. Native SQL Server Encryption 13
14. Performance and Availability
Given the vital role databases play in today’s infrastructures, performance and
availability of encryption and associated processes is a critical consideration. The
following section compares the performance and availability characteristics of native
SQL Server encryption and DataSecure.
Performance
Native SQL Server Encryption
With Native SQL Server encryption, cryptographic processing and capabilities get added
to a database platform that was not originally designed for, or optimized for, security
processing. Further, since cryptographic processing takes place on the same machine as
other business applications, the performance of these systems often starts to suffer. This
performance degradation can be especially pronounced in performance-intensive batch
processing and OLTP environments.
Microsoft has officially stated that systems in heavy daily usage should expect up to
a 28 percent performance hit just from employing TDE, and organizations employing
EFS or BitLocker can expect an additional performance hit of 5-20 percent. In addition,
during data migration operations (for example, when initially deploying encryption),
performance suffers even more dramatically. The following is a quote from the Microsoft
SQL Server 2008 PCI compliance guide: “Because the initial encryption scan spawns a new
thread, performance is most sharply impacted at this time; expect to see queries perform
several orders of magnitude worse.”1
To boost performance, organizations have no choice but to add more database servers
to their infrastructure, which represents not only more upfront costs, but ongoing
administration—and it further compounds the risk of having keys and encryption
managed in a disparate fashion.
DataSecure
By offloading cryptography to a dedicated and specialized cryptographic appliance,
DataSecure delivers better performance than SQL Server’s native encryption, especially
during batch processing.
DataSecure also provides special batch processing utilities for both database tables
and flat files that need to be imported or exported. These utilities are designed to take
advantage of the high-speed cryptographic accelerator hardware in the DataSecure
appliance and are ideally suited for many batch applications. As a result, DataSecure can
transform large databases into encrypted format, or rotate the keys on existing data and
completely re-encrypt it, with minimal impact on the live database system.
Both from a performance and security standpoint, it is typically recommended that
organizations offload encryption from database platforms and onto the DataSecure
appliance. However, in some cases, database administrators prefer to handle this
encryption locally on the database platform. In these cases, DataSecure will also support
this approach, enabling organizations to employ cryptographic processing on the
database server itself.
Availability and Recovery
Native SQL Server Encryption
TDE uses a key hierarchy consisting of a Data Protection API (DPAPI) key, a service
master key (SMK), and a set of database master keys (DMK). All SMKs and DMKs are stored
within the SQL Server master database, and the user is required to manually back up
the keys to files using SQL statements to ensure data is recoverable in case of a disaster.
Further, since all key backup operations are manual and need to be performed on each
database server, the process of managing a secure backup repository of keys, key
locations, and the intended use of keys becomes an intense and complex challenge.
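The manual key backup the paragraph above describes, as an added T-SQL example (not code from the white paper or from Microsoft): it backs up each tier of the TDE key hierarchy, then queries the encryption state so the initial encryption scan discussed in the Performance section can be watched to completion. The certificate name TDECert, the folder C:\KeyBackup and the <...> password placeholders are assumptions.

```sql
-- Assumed names: certificate TDECert, folder C:\KeyBackup, <...> passwords.
-- Backup files and passwords must be stored off the database server.
USE master;
GO

-- 1. Service master key (SMK): root of the hierarchy, itself protected by DPAPI.
BACKUP SERVICE MASTER KEY
    TO FILE = 'C:\KeyBackup\smk.bak'
    ENCRYPTION BY PASSWORD = '<smk-backup-password>';
GO

-- 2. Database master key (DMK) of master, which protects the TDE certificate.
BACKUP MASTER KEY
    TO FILE = 'C:\KeyBackup\master_dmk.bak'
    ENCRYPTION BY PASSWORD = '<dmk-backup-password>';
GO

-- 3. The certificate whose private key protects each database encryption key (DEK).
--    Without these two files an encrypted database cannot be restored elsewhere.
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\KeyBackup\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\KeyBackup\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<cert-backup-password>'
    );
GO

-- 4. Verify which databases are encrypted, which certificate protects each DEK,
--    and whether the initial encryption scan has finished.
--    encryption_state: 2 = encryption in progress, 3 = encrypted.
SELECT  DB_NAME(k.database_id)      AS database_name,
        k.encryption_state,
        k.percent_complete,
        k.key_algorithm,
        k.key_length,
        c.name                      AS protecting_certificate,
        c.expiry_date
FROM    sys.dm_database_encryption_keys AS k
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint;
GO

-- 5. Disaster-recovery side: recreate the certificate on the new instance from the
--    backup files before restoring the encrypted database there.
-- CREATE CERTIFICATE TDECert
--     FROM FILE = 'C:\KeyBackup\TDECert.cer'
--     WITH PRIVATE KEY (FILE = 'C:\KeyBackup\TDECert.pvk',
--                       DECRYPTION BY PASSWORD = '<cert-backup-password>');
```

Step 4 must be repeated on every server, which is the per-instance overhead the text is pointing at.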
1 Microsoft, “Database Encryption in SQL Server 2008 Enterprise Edition,” section “Impact on the
Database,” http://msdn.microsoft.com/en-us/library/cc278098.aspx#_Toc189384684