Database Security - School of Computing

Database Security - School of Computing

Database Security & Encryption [email protected] 1 A Truly Secure Database 2 So In The Real World Database security protects the database against

unwanted effects, accidental or deliberate There is always a trade off between high security and performance/user convenience Excessive security can in itself be a security threat - workarounds The first step is always a security audit This lecture looks at the use of encryption as part of a security policy 3 Excessive Security Can In Itself Be A Security Threat Dilbert 4 Before Deciding on Encryption

Know the data and the database What should be encrypted? Which encryption algorithms? DBMS or external encryption? What is the acceptable performance hit? Who are you protecting against? Is the benefit worth the cost? 5 The Role of Encryption

Most database security techniques focus on controlling access passwords, privileges, encrypting data as it travels There is much less focus on protecting data at rest (data in storage) We are assuming here that access encryption has already been used this lecture focuses on data in storage Encryption is increasingly being used to protect data in storage Which includes backups And all the pen drives, portable hard drives, mobiles that get lost or stolen

Encryption is often described as the last line of defence 6 Whole Database Encryption The whole database is encrypted This protects the data at rest but requires decryption for use Whole DB encryption has traditionally been

regarded as too expensive SQL Server TDE, new with 2008, claims to reduce the performance hit but still acknowledges a cost (1) 7 8 (2) Partial Data Encryption Partial encryption provides more granularity plus the data is not decrypted until it is used

Usually referring to column encryption although it can also be cell level or encryption of DB objects such as triggers Rule of thumb encrypting a single column is likely to produce a 5% performance hit, but this varies wildly Traditional partial encryption can produce a massive performance hit as indexes are not recognised but this depends on the DBMS

Highly configurable can allocate different keys to different users With the downside that this increases the key management problem 9 Partial Data Encryption For SQL Server 2008, Microsoft suggest that with cell level encryption, basic query performance tends to be around 20% worse. Problem increases with scaling

One sample application with 10,000 rows was four times worse with one column encrypted, and 20 times worse with nine columns encrypted. Because cell-level encryption is custom to each application, performance degradation will vary depending on application and workload specifics. (1) Custom to each application - this is an it depends area 10 The Encryption Process Plaintext Encrypt

Cyphertext Decrypt Plaintext 11 Encryption Algorithms: Data Encryption Standard DES has a short (56 bit) key plus 8 bits used for parity checking

Very susceptible to brute force attacks No sane security expert would consider using DES to protect data. (2) Now outdated older versions of DBMS encryption routines used DES e.g. early versions of Oracle 12 Encryption Algorithms: 3DES The limitations of DES led to 3DES uses the DES

algorithm but employs a triple key approach Plain Text Much more secure but slower Cipher Text 13 Encryption Algorithms: AES Key size 128,192 or 256 bits

Consists of a set of processing rounds the number varies depending on the key size e.g. 14 rounds for 256 length keys More secure 14 Encryption Algorithms:RC5 Symmetric (same key used for en/decryption) block cypher

Fast and flexible the user can specify the number of rounds Allows for a variable length key Supported in Oracle & DB2 15 Encryption in the DBMS Some of the initial problems with DBMS

encryption are on the way to being solved Disk size was a major problem as ciphers may produce output in fixed block sizes, meaning that the input must be padded requiring resizing of columns DBMS encryption was typically criticised for using outdated algorithms such as DES & even 3DES Sometimes compatibility issues A plus with DBMS encryption is that there should be minimal change implications 16 Key Management

The encryption is only as secure as the key DBMS based encryptions (typically) store the key inside the database Which raises issues such as How many keys Who manages them Where are they stored What happens if you lose your key? 17 Encryption Servers

As an alternative to encrypting within the DB, a central encryption server can be used to encrypt data in applications as well as in the database This is a heavily vendor led area; benefits claimed include The downside is:

More secure key management Wider choice of algorithms Wider coverage of data Easier management of encryption Removing computation overhead from DBMS/application servers Added complexity Applications changes Cost And is the extra layer necessary?

18 Further Work You should understand the significance of the different encryption algorithms but the main areas to focus on are: The benefits of encryption in a DB context The downside to encryption in a DB context The business environment in which encryption would be useful What and how you should encrypt if you decide encryption would be useful How encryption would fit into your overall DB

security policy 19 And a personal opinion My view: If someone truly wants to get into your database, they will probably manage it The biggest risk to data is accidental or casual intrusion People will lose pen drives but an encrypted pen drive should not be too much of a problem Should we focus less on the main database and more on data storage?

20 References 1. 2. 3. cc278098.aspx bb934049.aspx 21

Recently Viewed Presentations

  • Primate Evolution - Weebly

    Primate Evolution - Weebly

    First hominids were in genus . Australopithecus "Lucy" most famous fossil hominid "Ardi" is the oldest Hominid. More modern hominids were in genus . Homo. Examine the Evidence: Primate skeletons:-Long . fingers and toes . are good for climbing trees...
  • toleransi ummah 17 Ogos 2018/5 Zulhijjah 1439H Puji-pujian

    toleransi ummah 17 Ogos 2018/5 Zulhijjah 1439H Puji-pujian

    Sikap pegangan kehidupan dalam masyarakat yang memberi erti tidak idealisme, tidak fanatik, tidak 'selfish' iaitu mementingkan diri sendiri, mempunyai sikap keterbukaan, realistik, muafakat, tolak ansur, sabar dan menghormati hak orang lain. Pengertian. Toleransi. Ummah: penting untuk dipraktikan dalam kehidupan sebuah...
  • Personality Theories - Mr. Hunsaker's Classes

    Personality Theories - Mr. Hunsaker's Classes

    Preconscious: Material just beneath the surface of awareness. Unconscious: Difficult to retrieve material; well below the surface of awareness. The three divisions of the mind are the conscious, preconscious, and unconscious. The unconscious can be revealed in dreams and Freudian...
  • FORESTRY TEST BASICS - Hopkins High School

    FORESTRY TEST BASICS - Hopkins High School

    Minnesota Vegetation Biomes Laurentian Mixed Forest Mainly coniferous with mixes of aspen and some small pockets of other deciduous hardwoods Eastern Broadleaf Forest Mainly deciduous forest trees including oaks, maples, basswood, hickories Prairie Parklands Prairie grasslands Aspen Parklands Aspen savanna...
  • Dental Handpieces and Accessories Chapter 35

    Dental Handpieces and Accessories Chapter 35

    Prepares a tooth surface for the cementation of a cast restoration, such as a crown or veneer. Design Operates at speeds up to 20,000 rpm. Uses laboratory burs. Provides greater torque than handpieces used intraorally. ... Introduction Rotary instruments complete...
  • A Midsummer Nights Dream Shakespeares History of Shakespeare

    A Midsummer Nights Dream Shakespeares History of Shakespeare

    A Midsummer Night's Dream Shakespeare's History of Shakespeare Characters Key Plot Points Key Plot Points Process Drama Finished Project Born In _____ Attended _____ school Began producing and writing plays in _____ Characters Hippolita Theseus Tatiana Oberon Puck Hermia Helena...
  • Understanding Your PLAN Results - Union County Public Schools

    Understanding Your PLAN Results - Union County Public Schools

    Understanding Your PLAN Results. Cuthbertson High School Parent Night ... Students take 4 timed tests. About the Test ... 22 Geometry. 18 Reading. 25. 20 minutes. Science. 30. 25 minutes. These sections align with the sections on the ACT. (plus...
  • Quantifiers - University Of Maryland

    Quantifiers - University Of Maryland

    Alternating nested quantifiers. Notice the differences between the following: ∀?∈ℕ∃?∈ℕ[?<?]True (ℕ unbounded from above) ∃?∈ℕ∀?∈ℕ[?<?]False (ℕ unbounded from below)