As a result, database security is a top priority for today’s IT director. Yet, the shortcomings of many traditional database security techniques such as firewalls and application security have been exposed in recent years and it is now broadly recognized that these approaches to database security are no longer sufficient to protect businesses and data in today’s modern, open and complex IT environment. In trying to mitigate the risk of security breaches and to comply with numerous existing and emerging regulations, database encryption is often seen as the solution. Why is encryption often heralded as the best defense against database security breaches and how can companies overcome the oft-cited challenges associated with its implementation?
Advanced security through database encryption is required across many different sectors and is increasingly needed to comply with regulatory mandates. The public sector, for example, uses database encryption to protect citizen privacy and national security. Many governments now require their agencies to protect keys with hardware that complies with FIPS (Federal Information Processing Standard) or Common Criteria, two internationally recognized security standards. For the financial services industry, it is not just a matter of protecting privacy, but also complying with regulations such as PCI DSS. This creates policies that not only define what data needs to be encrypted and how, but also places some strong requirements on keys and key management.
It’s clear that in certain industries which handle particularly sensitive data, such as financial services and government, regulation has emerged as the true driving force for the increased use of encryption. Across enterprise as a whole, however, data security has only been accorded such importance more recently as enterprise struggles to contain the brand and reputation impact of data breaches. The majority of existing privacy laws only come into force once data is breached. Yet, times are changing and the U.S. state of Massachusetts has introduced regulation which stipulates that organizations will breach the law simply by not protecting data adequately in the first place.
While encryption is increasingly being advocated by regulators, often compliance with regulation is not enough. Indeed, Heartland Payment Systems in the U.S. has recently questioned the effectiveness of current industry security standards and is calling for the adoption of end-to-end data encryption. Criminals are becoming increasingly sophisticated and as Heartland demonstrated, can find ways to get around current security legislation. Consequently, industry regulation should be used simply as a starting point rather than an end point in the effort to protect sensitive data.
As corporate networks become more and more open to the outside to accommodate suppliers, customers and partners, network perimeter security is no longer sufficient to protect data. Industry experts have long recommended a “defense in depth” approach by adding layers of security around the data. With the network being regarded as inherently insecure, encrypting the data itself is the best option, often cited as the “last line of defense”.
In terms of database security, encryption secures the actual data within the database and protects backups. That means data remains protected even in the event of a data breach.