A practical implementation of transparent encryption and separation of duties in enterprise databases: protection against external and internal attacks on databases

Security is becoming one of the most urgent challenges in database research and industry, and there has also been increasing interest in the problem of building accurate data mining models over aggregate data, while protecting privacy at the level of individual records. Instead of building walls around servers or hard drives, a protective layer of encryption is provided around specific sensitive data items or objects. This prevents outside attacks as well as infiltration from within the server itself. This also allows the security administrator to define which data stored in databases are sensitive and thereby focusing the protection only on the sensitive data, which in turn minimizes the delays or burdens on the system that may occur from other bulk encryption methods. Encryption can provide strong security for data at rest, but developing a database encryption strategy must take many factors into consideration. We present column-level database encryption as the only solution that is capable of protecting against external and internal threats, and at the same time meeting all regulatory requirements. We use the key concepts of security dictionary, type transparent cryptography and propose solutions on how to transparently store and search encrypted database fields. Different stored data encryption strategies are outlined, so you can decide the best practice for each situation, and each individual field in your database, to handle different security and operating requirements. Application code and database schemas are sensitive to changes in the data type and data length, the paper presents a policy driven solution that allows transparent data level encryption that does not change the data field type or length.

[1]  Alan O. Freier,et al.  SSL Protocol Version 3.0 Internet Draft , 1996 .

[2]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[3]  Ward Rosenberry,et al.  Understanding DCE , 1992 .

[4]  Nabil R. Adam,et al.  Security-control methods for statistical databases: a comparative study , 1989, ACM Comput. Surv..

[5]  Douglas R. Stinson,et al.  Cryptography: Theory and Practice , 1995 .

[6]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[7]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[8]  Wolfgang Rankl,et al.  Smart Card Handbook , 1997 .

[9]  Ramakrishnan Srikant,et al.  Implementing P3P using database technology , 2003, Proceedings 19th International Conference on Data Engineering (Cat. No.03CH37405).

[10]  Sean W. Smith,et al.  Improving DES hardware throughput for short operations , 2000 .

[11]  Teresa F. Lunt,et al.  A survey of intrusion detection techniques , 1993, Comput. Secur..

[12]  Theodore Y. Ts'o,et al.  Kerberos: an authentication service for computer networks , 1994, IEEE Communications Magazine.

[13]  Scott B. Guthery,et al.  Smart Card Developer's Kit , 1998 .

[14]  Dorothy E. Denning,et al.  Cryptography and Data Security , 1982 .

[15]  Ronald L. Rivest,et al.  The MD5 Message-Digest Algorithm , 1992, RFC.

[16]  Ramakrishnan Srikant,et al.  An XPath-based preference language for P3P , 2003, WWW '03.

[17]  S. Garfinkel,et al.  Web security & commerce , 1997 .

[18]  Ramakrishnan Srikant,et al.  Hippocratic Databases , 2002, VLDB.

[19]  Rakesh Agrawal,et al.  Watermarking Relational Databases , 2002, Very Large Data Bases Conference.

[20]  Kevin Loney,et al.  Oracle8: The Complete Reference , 1997 .

[21]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.