Safeguarding Sensitive Data in Microsoft SQL Server Databases
Encrypting sensitive data in Microsoft SQL Server databases is no longer optional; it is a firm requirement. Whether an organization is looking to secure intellectual property, comply with privacy or regulatory mandates, or simply guard its brand against the damage associated with data breaches, database encryption is a vital imperative.
By encrypting sensitive data in SQL Server databases, organizations can establish a strong line of defense for sensitive assets against a range of threats. However, while the reasons to adopt database encryption are clear, the effort itself is not simple. For many organizations, database encryption has presented a range of obstacles, including degraded database performance, laborious revisions to application code, and complex, time-consuming key management. While SQL Server offers Transparent Data Encryption (TDE), this approach can also pose significant challenges.
Today, many versions of Microsoft SQL Server provide TDE functionality, through which customers can encrypt data at the database or cell level. TDE is called "transparent" because, in some implementations, it can secure SQL Server data without requiring application changes to take advantage of the database encryption functionality.
While TDE can be a good fit in some customer environments, many organizations encounter these challenges:
- Administrative complexity. In most organizations, SQL Server will be one of many areas in which encryption is employed; data in other applications and databases will often need to be encrypted as well. Because SQL Server TDE only covers SQL Server environments, organizations end up needing separate products, training, and workflows for multiple encryption implementations, which significantly increases the cost and administrative effort associated with encryption.
- Insufficient capabilities for managing policies and keys. SQL Server TDE offers only minimal capabilities for managing encryption keys. In virtually all cases, organizations need to employ separate hardware security modules (HSMs) or third-party key managers to gain the capabilities required. Given that each instance of SQL Server requires a separate encryption key, having separate, independently supported key managers results in a high degree of complexity and exacerbates the risk of keys being lost or stolen.
- Reduced performance. SQL Server TDE does all encryption operations within the database itself, which imposes a significant hit on database server resources.
- Data surrounding the database remains exposed. The database is part of a larger ecosystem of information flows, including backups, archives, extract-transform-load (ETL) files, and reports. SQL Server TDE may secure a specific asset while it is stored within the database, but what happens, for example, when a spreadsheet report containing sensitive data is extracted from the database? SQL Server TDE cannot encrypt unstructured data outside the database, so this sensitive information may be exposed.
- Limited database support. TDE functionality is not available on many older releases of SQL Server. However, for a number of reasons, such as the constraints of associated packaged applications, many organizations have not been able to upgrade to the more current versions of SQL Server that do offer TDE support. As a result, organizations that rely solely on SQL Server TDE may be left with significant gaps in coverage.
The Vormetric Data Security Platform enables you to encrypt and secure sensitive assets in your SQL Server databases, while avoiding the challenges traditionally associated with this form of encryption. Vormetric offers these solutions for SQL Server environments:
Vormetric Transparent Encryption offers the capabilities you need to employ strong database encryption, with minimal effort and performance implications. With Vormetric Transparent Encryption, you can secure sensitive assets in your SQL Server databases, and in all the other databases running across your enterprise, including Oracle, IBM DB2, MySQL, Sybase, and NoSQL. Vormetric Transparent Encryption offers these key features:
- Seamless implementation. By leveraging this solution’s transparent approach, your organization can implement database encryption, without having to make changes to your applications, infrastructure, or business practices.
- Granular access controls. Vormetric Transparent Encryption provides fine-grained, policy-based access controls that restrict access to encrypted data. Privileged users—whether cloud, virtualization, or database administrators—can manage systems, without gaining access to encrypted data, unless they have expressly been granted permissions to do so.
- Detailed security intelligence. Vormetric logs capture all access attempts to protected data. These security intelligence logs can accelerate detection of advanced persistent threats (APTs) and insider abuse because they offer visibility into file access. Further, these logs provide the vital intelligence needed to track and demonstrate compliance.
For organizations that need to apply more granular encryption, including at the column or field level within databases, Vormetric offers Vormetric Application Encryption. Vormetric Application Encryption simplifies the integration of encryption into existing corporate applications. The product features standard-based APIs, which are used to perform cryptographic and key management operations. Vormetric Application Encryption equips you with these capabilities:
- Protect sensitive data. Vormetric Application Encryption enables you to stop unauthorized individuals—whether they’re malicious administrators, hackers, or authorities with subpoenas—from accessing valuable data in databases.
- Deploy with confidence. Vormetric offers high-performance encryption and key management agents that have been proven to deliver the availability and performance needed in the most processing-intensive environments. The solution has been proven to scale to support 50,000 cryptographic transactions per second.
- Support heterogeneous environments. Vormetric Application Encryption makes it simple to extend application-layer encryption across virtual, cloud, big data, and traditional environments that run Linux and Windows.
For enterprises that have chosen to use SQL Server TDE in their SQL Server environments, Vormetric offers a solution that enables secure and efficient management of cryptographic keys.
Vormetric Key Management can centrally manage keys for SQL Server TDE, all Vormetric products, Oracle TDE, and other Key Management Interoperability Protocol (KMIP)-compliant encryption platforms. As a result, organizations can more centrally and securely manage all their encryption keys, while streamlining key administration efforts.
By leveraging Vormetric Key Management, security teams can avoid the cost and effort of having to support multiple key managers—and more easily ensure keys are properly stored, secured, and backed up. Vormetric Key Management also offers these advantages:
- Manageability. Vormetric Key Management provides key generation, recovery, and expiration tracking for the master and database encryption keys for all integrated encryption devices.
- Availability. Vormetric Key Management increases data availability by storing encryption keys in highly reliable Data Security Manager appliances, which can be configured in a redundant fashion to support failover and disaster recovery.
- Granular access controls. Vormetric Key Management provides separation of duties between IT functions and encryption key management, including key generation, storage, expiration tracking, and auditing of key operations.
The Advantages of Vormetric Data Security Platform
The Vormetric Data Security Platform makes it simple to manage data-at-rest security across an entire organization. The solution enables organizations to encrypt sensitive data on Microsoft SQL Server and other servers, control access to that information, report on who is accessing the protected data, and leverage integrated encryption key management.
The Vormetric solution offers the following advantages:
- Comprehensive security coverage. While TDE can protect data within the database, Vormetric solutions secure data both inside and outside of the database. Further, Vormetric enables customers to encrypt SQL Server databases—including 2005, 2008, and 2012 releases—as well as Oracle, IBM DB2, MySQL, Sybase, and NoSQL. Vormetric solutions secure data on Windows, Linux, and UNIX operating systems, and they offer coverage of physical, virtual, and cloud-based servers.
- Operational efficiency. By offering a single console for managing encryption policies and cryptographic keys across a number of environments and technologies, Vormetric minimizes administrative overhead. With this unified coverage, Vormetric helps security teams avoid database encryption silos, reduce costs, and apply security policies more broadly and consistently.
- Robust, scalable performance. Compared to SQL Server TDE, Vormetric offers far superior performance. With Vormetric, encryption and decryption are performed at the optimal location: in the file system or volume manager. Further, the solution can take advantage of microprocessor encryption technology, such as Intel AES-NI, to minimize the performance overhead of encryption even further.