Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Encryption of data at rest

Posted on 2011-03-21
7
Medium Priority
?
394 Views
Last Modified: 2012-05-11
Some questions about encrypting data at rest. Do you use your database platforms ability to encrypt data at rest? We don’t store credit card details but some of our databases do have bank details like account name and number, sort code etc, and personal details like name, national insurance, date of birth etc.

If you follow all best practice around hardening, i.e. use strong passwords, no default passwords, patch the database and OS of DB server, set appropriate ACL to the server (small amount of trusted administrators only) and server shares etc, do you still have to encrypt data at rest in the database? And if so why?

I can see there’s a threat motive for a naughty insider to potentially steal a load of bank account numbers and sort codes (suspect that alone is not enough to commit fraud), it’s a db server in a large 2003 windows domain (database servers not vlann’ed), so there’s a decent size of threat agents, but as to skill level they’d need, if best practice hardening is in place, passwords aren’t weak, servers are patched etc – then I personally have no idea how they’d actually get in the database (anyone?), the app is an internal app not a web facing etc etc.

So, with best practice hardening in place in the DB environment, is it worth encrypting the data at rest, if yes why and how can they get at that data, if not again why so? If the server was in a private VLAN would that affect the decision? Or should it still be encrypted?

Aside from whether to or not to encrypt data at rest, does encrypting data at rest affect db or application performance, and is there any additional cost directly or indirectly in getting the data at rest encrypted? Or anything else we need to know as to encrypt the data or not?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 15

Accepted Solution

by:
Aaron Shilo earned 500 total points
ID: 35180360
hi

as a dba im asked to harden my system agenst threats from within and out the system (company)
and i allwys have in mind that "NEVER SAY NEVER" and "BETER SAFE THAN SORRY" and
"ALWAYS EXPECT THE UNEXPECTED" that is why i walwys use any means of protection i have.

read more about best practices for security in sql server here: http://www.greensql.com/content/sql-server-security-best-practices
0
 
LVL 3

Author Comment

by:pma111
ID: 35180859
I assume that means you do use database encryption of data at rest?

Do it affect performance in any way, and can it lead to added expense $$ directly or indirectly
0
 
LVL 15

Expert Comment

by:Aaron Shilo
ID: 35181176
=> I assume that means you do use database encryption of data at rest?

Yes I do When requested to harden a server and save money on thierd party sofware.

=> Do it affect performance in any way, and can it lead to added expense $$ directly or indirectly

yes it does , read this :
http://ezinearticles.com/?SQL-Server-Optimization-and-the-Performance-Impact-of-Encryption&id=1416294
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
LVL 21

Expert Comment

by:mastoo
ID: 35181808
Somebody running out the door with your hard drives might make it on your list of worries.  Encryption at rest is nice for that worry.
0
 
LVL 3

Author Comment

by:pma111
ID: 35181900
I see what you are saying mastoo but theres a pretty secure data centre to be honest so I think the likelehood there is pretty low but not impossible
0
 
LVL 21

Assisted Solution

by:mastoo
mastoo earned 500 total points
ID: 35182003
Disgruntled employee carries drives out, or maybe a failed drive gets replaced and it is still readable.  All unlikely but they come up in audits.  But regardless of the risks...

You might find your OS and server hardware already support hardware based encryption (ala bitlocker), which has minimal performance overhead.
0
 
LVL 3

Author Comment

by:pma111
ID: 35182039
In our case the data centre is off site and managed by a 3rd party, its pretty secure building retina scanners etc, so it would have to be a disgruntled 3rd party employee. I think its a decent measure for general piece of mind tbh
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog post, we’ll look at how using thread_statistics can cause high memory usage.
IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question