Educause Security Discussion mailing list archives

Re: [External] [SECURITY] Data at Rest Encryption Databases


From: "Oscar D. Knight" <knightod () APPSTATE EDU>
Date: Wed, 11 Nov 2020 10:35:57 -0500

Hello Matt,

Please know that I'm not a db administrator.  And I know that there are
MANY different opinions on this matter.   The following is MY OPINION.  I
speak for me and not my employer on this issue.

We have been unencrypted and encrypted - in different ways...
If you are an Oracle shop and use their encryption product then it WILL
impact your db operations, things like backup and replication, etc.  This
will be true for other products that encrypt at the column or table level.
Any respectable DBA should push back with how this type of encryption will
impact the business operations.  This would be an example of a DBA doing
their job.

When we implemented at the db level with Oracle's product, yes our DBAs
pushed back.  We did it anyway.   Oracle's product is good, that's not the
problem.

The problem is typically around what you are trying to achieve.   What
risks are you attempting to mitigate?  I contend that most db compromises
are via the application, i.e. db authentication was not compromised.  The
application was the conduit to the data.   One should NEVER do something
just because it SEEMS LIKE A GOOD IDEA or IT'S A BEST PRACTICE.  There
should be some identification of the risks and their likelihood, then
perform an analysis (might include identification of) of the mitigation
methods.

If you want what I like to call TRUE data at rest encryption then look for
a storage solution that transparently encrypts the storage.  If a drive is
stolen or improperly disposed of and 'stolen' then the data is encrypted.

I believe that database encryption at the database level is not cost (not
just $) effective.  And it surely does not magically make everything
"good".   I believe it's better to identify the risks around the database
and work to mitigate those risks.   The first risk is the one that exists
in all models - the application level!

Please know that I'm not being critical of database encryption.  It is a
valid method of data protection.  I personally believe there are other
methods that offer more for the cost in dollars, people time and complexity.

More directly to your issue, if you have a chance to ask the assessor what
risks the recommendation is intended to mitigate then you can then look at
other methods to mitigate that risk.  If the assessor did not say anything
about your applications that integrate with your db then well...

Hope this helps,
Oscar
-- 
NOTE: ASU ITS will NEVER ask you for your password in an email!
Oscar D. Knight                                        knightod at appstate dot edu
ITS, Office of Information Security                    Voice: 828-262-6946
Appalachian State University, Boone, NC 28608          FAX: 828-262-2236

On Wed, Nov 11, 2020 at 9:42 AM Mattehew Prescott <matt.prescott () acu edu>
wrote:

Does anybody do data at rest encryption on your databases, specifically
Banner, Titanium, or SQL Server?
How hard was it to implement?
Did your DBAs push back?
What tools did you use?
This was an item that came up in one of our self-assessments.

Thanks,
Matt Prescott, Security Analyst
Information Technology
(o) 325-674-2882
Abilene Christian University

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community

