Data Security – Is Encryption Enough?
Once encryption is turned on – many people step aside from worrying about data security – information security. With things encrypted, are you safe and secure and can focus on functional items?
Yes, and no.
The “Yes” portion comes from the fact that your data is protected if someone gets a copy of your database or access to the database files. It’s encrypted, so the information in those files – the data at rest – is protected.
But the issue comes in when you have “legitimate” access to information – this is the case with SQL Injection, or when someone has a legit user name and password connection to the SQL Server, regardless of whether they have any right to that information.
With many solutions, information is automatically encrypted/decrypted as it’s accessed… transparently to the application even. While this is great for backwards compatibility and easy implementation, it doesn’t protect data in transit, or legit data access – only data at rest. I’ve had this conversation with a couple of people now, explaining that data security is a more complex challenge than just data at rest.
Are you finding it difficult to get the right pieces in place?
Personally, I think it’s gotten tougher to find out the information you need to know to know what’s protected, what’s not, and what the conditions of access are that are covered. In different vendor’s rush to assure us all that our information is secure, so many others that I’ve talked to have simply set aside their concerns for data protection and assume it’s covered when the data platform provider indicates that information stored with them is encrypted atuomatically. Unfortunately it’s just not that simple.
Make sure you think data security at the different “inflection” points –
– data capture (injection, validation, appropriate access controls)
– data in transit (ssl)
– data at rest (encryption)
For each of these, consider legitimate access, legitimate access by nefarious actors, and illegitimate access. Each of these will play in what you end up deploying and what types of protection you’re providing.
What types of solutions are you putting into place?