RJ's SQL Server and MySQL Notes

Notes on SQL Server and MySQL

A Fool and His Data Soon Part

Posted by rjssqlservernotes on April 18, 2014

Data breaches are making news every day. Retailers Michaels, Target, and Neiman Marcus recently made the front-page news as did Marriott, Holiday Inn, Sheraton, and other hotels due to large-scale data breaches that released sensitive customer data. In some cases the data was stolen at the point-of-sale terminal prior to storage; nonetheless, these incidents should be a wake-up call for all of us responsible for securing our company’s data.

The Open Security Foundation’s graphic below suggests that 34% of data theft is the work of insiders while 58% is the result of external attacks. I have long argued that database encryption can mitigate the damage caused by a data breach: yes, the attackers have your data, but it will do them little good without the encryption keys. For those who suggest that a data thief could mount an unrestricted brute-force attack against the encryption, keep in mind that it took 5 years and 2,700 distributed computers to crack a 64-bit symmetric encryption key (how long would it take for a 128- or 256-bit key?).

[Figure: Open Security Foundation chart of data-breach attack vectors. Source: Open Security Foundation]

I’ve written in the past about encryption in general, and Transparent Database Encryption (TDE) with SQL Server specifically, in support of my mantra regarding data security. The performance and implementation costs of using TDE are negligible, and it provides excellent protection against loss while the data is at rest. Another benefit of TDE is that the backup files for the database are also protected, eliminating another attack vector.

Are there drawbacks? Yes: using any encryption on the database will increase the backup file size, and empirical data has shown an average 10% performance penalty when using TDE.

Backup files are notoriously susceptible to theft and give easy access to the data with a simple RESTORE command; however, SQL Server 2014 allows us to encrypt the backup even if we chose, foolishly, not to encrypt the database itself, by adding a simple WITH ENCRYPTION clause to our backup script.
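To show both protections side by side, here is an added T-SQL example (my own illustration, not a script from the original post): it enables TDE on a user database, exports the certificates so the encrypted data and backups can actually be restored, takes a SQL Server 2014 encrypted backup, and runs the checks that confirm each step took effect. The database name SalesDB, the certificate names, the file paths and the passwords are placeholders and are assumed for this example.

```sql
-- Added example, not from the original post. SalesDB, the certificate names,
-- paths and passwords are placeholders; replace them with your own values.
USE master;
GO

-- 1. Database master key in master, protected by a strong password (placeholder).
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO

-- 2. One certificate for TDE and a separate one for backup encryption,
--    so that a leaked backup certificate does not also unlock the live database.
CREATE CERTIFICATE TDE_Cert    WITH SUBJECT = 'TDE certificate for SalesDB';
CREATE CERTIFICATE Backup_Cert WITH SUBJECT = 'Backup encryption certificate';
GO

-- 3. Export both certificates with their private keys and store the files off
--    the server. Without them an encrypted database or backup cannot be
--    restored anywhere else (the failure mode that loses your own data).
BACKUP CERTIFICATE TDE_Cert TO FILE = 'D:\keys\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
BACKUP CERTIFICATE Backup_Cert TO FILE = 'D:\keys\Backup_Cert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\Backup_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO

-- 4. Enable TDE on the user database: data and log files are encrypted at rest.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- 5. Check: encryption_state 3 = encrypted, 2 = encryption scan still in progress.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length,
       percent_complete
FROM sys.dm_database_encryption_keys;
GO

-- 6. Encrypted backup (SQL Server 2014 and later). This works whether or not
--    the database uses TDE. The commented-out statement is the weak form: it
--    writes a plaintext backup that anyone who copies the file can restore.
-- BACKUP DATABASE SalesDB TO DISK = 'D:\backups\SalesDB_plain.bak' WITH INIT;
BACKUP DATABASE SalesDB
    TO DISK = 'D:\backups\SalesDB_enc.bak'
    WITH INIT,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = Backup_Cert);
GO

-- 7. Check: the header of an encrypted backup reports the algorithm and the
--    certificate thumbprint; a plaintext backup shows NULL in these columns.
RESTORE HEADERONLY FROM DISK = 'D:\backups\SalesDB_enc.bak';
-- Columns of interest: KeyAlgorithm, EncryptorThumbprint, EncryptorType
GO
```

Step 3 is the one that gets skipped in practice: an encrypted backup is only as restorable as the certificate that protects it, so the certificate export and its password belong in the same off-server, access-controlled location as the backups themselves. The query in step 7 is also a useful routine check over existing backup files, since a NULL EncryptorThumbprint tells you a backup was written without the WITH ENCRYPTION clause.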

The new server roles for DBAs, along with database backup encryption, now available in SQL Server 2014, allow us to augment our protection against insider attacks.
