The Truth About Database Encryption
Think You’re Protected with Database Encryption?
Well, Think Again…
Five years ago, database encryption was regarded as the holy grail of data security. This mattered because data centers were not well guarded from the outside world and were therefore a target for smart hackers, who sneaked in through open firewall ports, connected to the database servers, and copied the data files or stole the backup tapes that contained your precious client list and credit card numbers.
Because the data was encrypted, stealing the data files directly from the database server or the backup tapes would only expose encrypted data.
Well, nowadays the threat landscape has dramatically changed.
Next Generation Network Security
With the introduction of next-gen firewalls, IDS, network segmentation, WAFs and PAMs, it has become impossible for a hacker or malicious insider to sneak into the database servers or backup tapes. As a result, the high risk that justified the costly encryption project has been substantially reduced by these complementary security technologies, and the residual risk cannot justify such a project.
A New Target: The Application Layer
Because of these complementary security technologies and the hardening of database servers, hackers and malicious insiders are now attacking the application layer, where encryption or tokenization is useless.
I’m one of the 100,000 end users and third-party workers in the call center of a Fortune 100 bank. I work in the CRM and other sensitive applications that give me access to sensitive information so I can perform my job.
The bank has implemented a costly encryption solution over the last year. What has changed?
Nothing really changed on my end. I still access all personal and regulated data as before, even after the successful encryption project, because the applications decrypt the data in the presentation layer so end users can read and write it as the business requires.
This means that although the bank has gone through a nightmare changing the data in the database and hurting performance (every record needs to be decrypted or encrypted), nothing has really changed in the security posture of the bank.
Hackers know that application screens and reports present the data in the clear (decrypted). In addition, these screens and reports do not monitor my activities with regard to the personal and regulated data.
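The monitoring gap described above is one that a defender can close at the application layer regardless of whether the database is encrypted. The following is an added example, not code from the original article or from any product it alludes to: it runs a simple sliding-window detector over a constructed application audit log (the log format, user names, field names and thresholds are all assumptions made up for this illustration) and flags an authenticated user who reads regulated fields from an unusual number of distinct customer records in a short window, or who exports a report containing regulated fields. Stolen credentials present the data in the clear exactly as the legitimate user would see it, so the signal is in the volume and pattern of access, not in the decryption itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application audit log (not from the original article).
# Format: ISO timestamp | user | action | record id | comma-separated fields viewed
SAMPLE_LOG = """\
2024-03-04T09:00:01 | agent017 | VIEW | C10001 | name,phone
2024-03-04T09:00:40 | agent017 | VIEW | C10002 | name,phone,ssn
2024-03-04T09:01:05 | agent042 | VIEW | C20001 | name,ssn,card_number
2024-03-04T09:01:20 | agent042 | VIEW | C20002 | name,ssn,card_number
2024-03-04T09:01:35 | agent042 | VIEW | C20003 | name,ssn,card_number
2024-03-04T09:01:50 | agent042 | VIEW | C20004 | name,ssn,card_number
2024-03-04T09:02:05 | agent042 | EXPORT | REPORT-7 | name,ssn,card_number
2024-03-04T09:45:00 | agent017 | VIEW | C10003 | name
"""

# Assumed policy: which fields count as regulated, and how many distinct
# records carrying them one user may open within one window before alerting.
REGULATED_FIELDS = {"ssn", "card_number", "dob"}
WINDOW = timedelta(minutes=5)
MAX_REGULATED_RECORDS = 3

LINE_RE = re.compile(r"^(\S+) \| (\S+) \| (\S+) \| (\S+) \| (\S*)$")


def parse_log(text):
    """Parse the constructed log format into a time-ordered list of events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, user, action, record, fields = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
            "fields": {f for f in fields.split(",") if f},
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, window=WINDOW, max_records=MAX_REGULATED_RECORDS):
    """Return alerts for regulated-field exports and for high-volume reads.

    A per-user sliding window keeps (timestamp, record id) pairs for VIEW
    events that touched a regulated field; when the number of distinct
    records in the window exceeds max_records the user is flagged once.
    """
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, record)] within the window
    already_flagged = set()
    for e in events:
        regulated = e["fields"] & REGULATED_FIELDS
        if not regulated:
            continue
        if e["action"] == "EXPORT":
            alerts.append({"user": e["user"], "ts": e["ts"],
                           "reason": "export of regulated fields",
                           "detail": sorted(regulated)})
            continue
        if e["action"] != "VIEW":
            continue
        cutoff = e["ts"] - window
        q = [(t, r) for t, r in recent[e["user"]] if t >= cutoff]
        q.append((e["ts"], e["record"]))
        recent[e["user"]] = q
        distinct = {r for _, r in q}
        if len(distinct) > max_records and e["user"] not in already_flagged:
            already_flagged.add(e["user"])
            alerts.append({"user": e["user"], "ts": e["ts"],
                           "reason": "high-volume access to regulated fields",
                           "detail": len(distinct)})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a['ts'].isoformat()} {a['user']}: {a['reason']} ({a['detail']})")
```

In the sample, agent017 opens one record with an SSN and is never flagged, while agent042 opens four SSN-bearing records in under a minute and then exports a report with the same fields, producing two alerts. The thresholds are deliberately low to keep the sample short; in practice they would be tuned to each role's normal workload.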
84% of organizations reported an application-layer breach, and 95% of those breaches were carried out through application credential theft (hackers logging in to the application with stolen credentials and seeing the data in the clear, decrypted).
It is important to add more security, but encryption/tokenization is like jumping from an airplane wearing a helmet covered with diamonds (encryption is not cheap…). It’s fine, but the chances that it will save you are really small. Make sure you jump with a parachute first.