7 common misconceptions about database encryption

With technological advancements, we are easily able to store documents and records of medical information, tax, financial transactions and other important information electronically. Prior to this, physical copies were held in safes or archives, but today databases allow the storage of important data. Electronic storage has allowed a variety of data to be easily readily available for sharing between many people and organisations.

However, such databases that contain important information have become targets for threatening hackers. Every year with increasing frequency, hackers mobilize a variety of hacking methods to target databases with important information causing data leakage. Encryption is one of the best security measures today to deter attacks of hackers. If it really is this simple, why is database encryption not widely used? The lack of awareness regarding database encryption is only a part of the reason. Let’s take a look at 7 common misconceptions regarding database encryption.

1. Encryption is all about fancy algorithms

How well an information security company can encrypt data is not based on how well they can create complex and impenetrable algorithms. Surprisingly, most algorithms used by encryption companies are international standard algorithms that are publicly available. It is through how these algorithms are managed that sets companies apart. What’s the key factor? It is in fact, the actual “key” needed to decrypt the encrypted data and how well it is stored. If the key is not stored securely, anyone would be able to decrypt the encrypted data. For great encryption security, there needs to be a proper key management system. This way it is possible to manage who has access to the keys, and ultimately access to the data.

2. The database is secure from the threat of hackers because it is not directly connected to the internet

Just because the database is not directly connected to the internet, it does not mean the database is secure from external threats. Even just acquiring a computer with access to the database could allow data leakage, and as such there are a variety of external methods that can be used to breach database security. Applications connected to the internet usually communicate with the database through specific codes. Hackers now exploit these codes—most popularly SQL codes, in order to harm databases. Though not directly connected, by breaching the application, hackers can still indirectly access the database. The only way to prevent web attacks at the application level is through web application firewalls. Once your web server is compromised, your database is just as exposed.

3. Hackers only target big giants

The news only covers large corporations suffering from database breaches. However data security accidents happen to all sizes of businesses regardless of size, and are a growing concern. This is why database security accidents are a growing concern regardless of business sizes. Safeguard protocols have been set up as preventive measures such as the Health Insurance Portability and Accountability Act (HIPAA) compliance in the medical industry, and the Payment Card Industry Data Security Standard (PCI DSS) compliance for credit card industry. These compliances require encryption of the sensitive data stored in respective databases. Organizations must meet compliance in order to protect sensitive data and failing to meet these compliances can result in harsh penalties. Such compliances would not be in place if it was not considered of only giant companies.

4. Data is safe from internal threats

With the use of web application firewalls and secure coding, people may think that their database is safe. This could be true, but in reality, an insider could be even more dangerous. Sometimes, malicious insider data theft attempts or fatal mistakes by users are the cause for data leaks. For example, in 2015 a database of information on 191 million US voters was exposed on the open internet because it wasn’t configured properly. Malicious insiders are even more dangerous as they know exactly where everything is. This allows them to pick and choose the information they want to take. To protect against internal security threats, a proper security solution needs to provide adequate access control policies and authorization that separate the roles of the security administrator and the database administrator. Only users that comply with the policies set up by the security administrator should be able to access encrypted data thus creating proper data security.

5. It is difficult to apply encryption

There is always an easier solution; it is about finding the right encryption solution for your database. Some database products will require changes to applications, queries, or codes, which can cause a huge strain for engineers applying the encryption– but it doesn’t have to be this way. Transparent Data Encryption (TDE) allows for encryption at the engine-level and does not require change to applications, queries, or codes. Before, only commercial DBMS could apply engine-level encryption as the database manufacturer had control over the source code of the DB.

Information security companies, however, started offering engine-level encryption solutions for open source databases such as MySQL, MariaDB, and PerconaDB to provide the same protection that commercial DBMS have. It is about finding the right solution that offers engine-level encryption. This would allow administrators to apply encryption to their database by simply installing the encryption engine into the database– even without the help of engineers.

6. Encryption affects system performance poorly

Many companies worry their system performance will decrease after encryption and hesitate in using it. As all files within the database have to be encrypted and decrypted entirely, it can impact the system performance poorly, and make access control complicated and difficult. However, there are ways such as column-level encryption that is offered by some encryption companies that allow for selecting of desired columns (specific individual/personal information or other important internal information) for encryption. Instead of every single file, by efficiently encrypting and decrypting only necessary columns, the burden on system performance can be lifted. Encryption can also be done by index style which only encrypts a part of the information which also increases the search speed of encrypted columns. Efficient encryption allows for a smooth system experience.

7. To have proper database security, one must know cryptography

It is not impossible for a company to be able to use a database and search for all adequate security solutions and implement them on their own. However this becomes cost-ineffective. The company would have to hire cryptography experts as the chance a company to just have spare specialized cryptography experts is rare. They would need developers and engineers to implement the encryption, keep the security in check, and also upkeep maintenance. It would be rather reckless for a company to hire cryptography experts in order to simply use a database. Companies should let the encryption companies take care of the implementation, security, and maintenance of their database. After all, when we go to a luxury hotel room, we don’t study about the card access to our hotel room door, nor do we hire a security expert that knows about access cards and scanners. We simply go to enjoy the comfort of the hotel room, knowing that the security has been cared for already.