TDE vs. Cloud Provider Encryption of Database Information

I wanted to share some information I sent over to a reader about TDE vs. Azure vs. provider-encrypted databases; specifically, how do you compare them, and how do you choose? This particular reader is in the healthcare space, but the information is more about my own experiences and choices, and I thought I would share it. I would love to have your feedback and thoughts as well, below, after this posting.

The question, at its core, was: when it comes to protecting personally identifiable information, do I recommend TDE over Azure, or is the protection Azure provides natively able to cover what's needed to protect the information? (I'm paraphrasing, of course.)

My thoughts:

~ ~ ~ ~

I think the decision will be based on what you're trying to do and protect. Data at rest (only), where you'd use TDE, is probably very similar to the Azure systems and, you're right, the backups become a non-issue. The biggest difference there becomes access to the management of the keys. With Azure, it's Microsoft. With TDE, you own and manage the keys. So part of the decision becomes your own paranoia level.

But perhaps more importantly, make sure you check on any best practices or regulation requirements for your industry. There are some that are being more aggressive than others when it comes to encryption and management of the keys.

For me, the whole TDE/data-at-rest thing is a bit misleading as a singular line of defense. That only really applies if someone gets hold of the physical files. Otherwise, if they can get into the db, they'll typically also be seeing your data: they can select against it and see the information, etc., as long as they can get into the db.

What we do is TDE at the basic level, then columnar encryption on key columns like credit cards and other PII. It's perhaps a bit paranoid, but I figure it's at least protecting stuff. That way, if someone does manage to get in, they get garbage without the proper keys. At the same time, I'm protecting data at rest.
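Here is what those two layers look like in SQL Server T-SQL, as an added example that is not part of the original post. The database, certificate, key, role and table names, the file paths and the passphrases are placeholders, and the script assumes a SQL Server instance you administer yourself (the "you own the keys" case), where the TDE certificate is yours to back up and the column key can be restricted to a single application role.

```sql
-- Added example, not from the original post. All names, paths and passphrases
-- are placeholders; replace them and keep real passphrases out of scripts.

--------------------------------------------------------------------------
-- Layer 1: TDE. Encrypts data and log files, backups and tempdb on disk.
-- It does nothing against a principal that can log in and run SELECT.
--------------------------------------------------------------------------
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'master-dmk-passphrase-placeholder!1';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for ClaimsDb';
GO
-- Back the certificate up now. Without it, the database and every backup
-- taken from it cannot be restored on any other server.
BACKUP CERTIFICATE TdeCert TO FILE = 'C:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'pvk-export-passphrase-placeholder!2');
GO
USE ClaimsDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE ClaimsDb SET ENCRYPTION ON;
GO
-- encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state
FROM sys.dm_database_encryption_keys;
GO

--------------------------------------------------------------------------
-- Layer 2: column-level encryption for the PII columns. A plain SELECT
-- returns ciphertext; plaintext requires opening the symmetric key.
--------------------------------------------------------------------------
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'claimsdb-dmk-passphrase-placeholder!3';
CREATE CERTIFICATE PiiCert WITH SUBJECT = 'Protects PiiKey';
CREATE SYMMETRIC KEY PiiKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PiiCert;
GO
CREATE TABLE dbo.Patient (
    PatientId int            NOT NULL PRIMARY KEY,
    LastName  nvarchar(100)  NOT NULL,
    Ssn       varbinary(256) NOT NULL   -- ciphertext only, never plaintext
);
GO
-- Write path: open the key, encrypt, and pass the row key as authenticator
-- so one row's ciphertext cannot simply be copied onto another row.
OPEN SYMMETRIC KEY PiiKey DECRYPTION BY CERTIFICATE PiiCert;
INSERT INTO dbo.Patient (PatientId, LastName, Ssn)
VALUES (1001, N'Doe',
        EncryptByKey(Key_GUID('PiiKey'), N'123-45-6789', 1, CONVERT(nvarchar(128), 1001)));
CLOSE SYMMETRIC KEY PiiKey;
GO
-- Read path with the key closed: this is what an intruder with SELECT on the
-- table sees. Ssn is an opaque blob and DecryptByKey returns NULL, not an error.
SELECT PatientId, Ssn,
       CONVERT(nvarchar(11), DecryptByKey(Ssn, 1, CONVERT(nvarchar(128), PatientId))) AS SsnPlain
FROM dbo.Patient;
GO
-- Authorized read path: opening the key needs CONTROL on PiiCert (and VIEW
-- DEFINITION on PiiKey), which the application role gets and reporting roles do not.
OPEN SYMMETRIC KEY PiiKey DECRYPTION BY CERTIFICATE PiiCert;
SELECT PatientId,
       CONVERT(nvarchar(11), DecryptByKey(Ssn, 1, CONVERT(nvarchar(128), PatientId))) AS SsnPlain
FROM dbo.Patient;
CLOSE SYMMETRIC KEY PiiKey;
GO
-- Least privilege: reading the table does not imply reading the plaintext.
-- claims_reporting deliberately gets no CONTROL on CERTIFICATE::PiiCert.
CREATE ROLE claims_reporting;
CREATE ROLE claims_app;
GRANT SELECT ON dbo.Patient TO claims_reporting;
GRANT SELECT ON dbo.Patient TO claims_app;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::PiiKey TO claims_app;
GRANT CONTROL ON CERTIFICATE::PiiCert TO claims_app;
GO
```

Run it as sysadmin on an instance you control. The asymmetry is the point of the post: the TDE certificate lives with the server, so whoever administers the server holds that key, while PiiCert can be scoped to one application role, so anyone else who gets as far as a SELECT still only gets the blob. Back up PiiCert the same way as TdeCert, and remember that DecryptByKey silently returning NULL is easy to mistake for "empty data" in reporting code.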

So the core question of which is better: for data at rest, for me, it's "six of one, half a dozen of the other" when comparing. Sure, the key management comes into play, but setting that aside, TDE vs. Azure for protecting data at rest is a pretty even game. The issue, though, for me, has been the implementation of the columnar encryption and the options you have there. That's why we've stayed with AWS to date, waiting for these technologies to catch up and offer more. It's moving very, very fast, but that doesn't help your question today.

If I were you…

1. Find out what regulations apply, find out if there are requirements you need to address, and make sure they're covered.

2. Ask the providers (Azure, AWS) how they address healthcare requirements for PII protection.

3. Consider how you encrypt stuff to address #1.

4. Pick a longer-term platform solution that will work for you over time, and make it work with your encryption needs.

There are big differences between the platforms and how they implement management, what the tools look like and how they act. It would be a shame to pick a platform based solely on this question – I think you almost have to consider the whole picture first, then figure out any specific workarounds you need.

Determine if you need a key management solution (it's likely that you do) and, in particular, whether you want to manage the keys yourself (best idea) or let your provider manage them. Without getting all commercial on you, contact Townsend and see what they suggest. They're pretty straight players on how it works. Then talk with the Azure folks and the AWS folks about their key management too. There will be enough information there to pick and choose and move forward on how you want to deploy.