Educause Security Discussion mailing list archives
Re: [External] [SECURITY] Data at Rest Encryption Databases
From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Thu, 12 Nov 2020 15:06:03 +0000
"All that said, sometimes doing something earns a check on a key checklist and helps with mitigating some of the reputational damage or in support of cyber security insurance requirements, important even if the mitigation measures had no impact on the technical nature of the attack."

Questions of db encryption have come from our cyber insurance provider and our auditors. Those are our two check boxes.

Robert W. Barton
Executive Director of Information Security & Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jon Young <jon () NETWORK-PLUMBERS COM>
Sent: Thursday, November 12, 2020 8:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [External] [SECURITY] Data at Rest Encryption Databases

Matt,

Put me in the skeptic camp of most approaches to database encryption. I suggest reviewing what you really get from any considered options for actual improved security versus theater. There are some cases where I agree meaningful attack vectors are disrupted, but I think far too often, the methods of db encryption are theater. See https://blog.cryptographyengineering.com/2019/02/11/attack-of-the-week-searchable-encryption-and-the-ever-expanding-leakage-function/ for a great description of some of the challenges around useful database encryption.

I'm not saying to do nothing, and I think you've asked exactly the right questions to this list. I'm hoping to learn something new from the responses with so many smart and experienced people in the (virtual) room.

All that said, sometimes doing something earns a check on a key checklist and helps with mitigating some of the reputational damage or in support of cyber security insurance requirements, important even if the mitigation measures had no impact on the technical nature of the attack.

Thanks,
Jon Young
Vantage Technology Consulting Group

On Wed, Nov 11, 2020 at 10:36 AM Oscar D. Knight <knightod () appstate edu> wrote:

Hello Matt,

Please know that I'm not a db administrator. And I know that there are MANY different opinions on this matter. The following is MY OPINION. I speak for me and not my employer on this issue.

We have been unencrypted and encrypted - in different ways...

If you are an Oracle shop and use their encryption product then it WILL impact your db operations, things like backup and replication, etc. This will be true for other products that encrypt at the column or table level. Any respectable DBA should push back with how this type of encryption will impact the business operations. This would be an example of a DBA doing their job. When we implemented at the db level with Oracle's product, yes our DBAs pushed back. We did it anyway.

Oracle's product is good, that's not the problem. The problem is typically around what you are trying to achieve. What risks are you attempting to mitigate? I contend that most db compromises are via the application, i.e. db authentication was not compromised. The application was the conduit to the data.

One should NEVER do something just because it SEEMS LIKE A GOOD IDEA or IT'S A BEST PRACTICE. There should be some identification of the risks and their likelihood, then perform an analysis (might include identification of) of the mitigation methods.

If you want what I like to call TRUE data at rest encryption then look for a storage solution that transparently encrypts the storage. If a drive is stolen or improperly disposed of and 'stolen' then the data is encrypted.

I believe that database encryption at the database level is not cost (not just $) effective. And it surely does not magically make everything "good". I believe it's better to identify the risks around the database and work to mitigate those risks. The first risk is the one that exists in all models - the application level!

Please know that I'm not being critical of database encryption. It is a valid method of data protection. I personally believe there are other methods that offer more for the cost in dollars, people time and complexity.

More directly to your issue, if you have a chance to ask the assessor what risks the recommendation is intended to mitigate then you can look at other methods to mitigate that risk. If the assessor did not say anything about your applications that integrate with your db then well...

Hope this helps,
Oscar

--
NOTE: ASU ITS will NEVER ask you for your password in an email!
Oscar D. Knight knightod at appstate dot edu
ITS, Office of Information Security Voice: 828-262-6946
Appalachian State University, Boone, NC 28608 FAX: 828-262-2236

On Wed, Nov 11, 2020 at 9:42 AM Mattehew Prescott <matt.prescott () acu edu> wrote:

Does anybody do data at rest encryption on your databases, specifically Banner, Titanium, or SQL Server? How hard was it to implement? Did your DBAs push back? What tools did you use? This was an item that came up in one of our self-assessments.

Thanks,
Matt Prescott, Security Analyst
Information Technology
(o) 325-674-2882
Abilene Christian University

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Data at Rest Encryption Databases Mattehew Prescott (Nov 11)
- Re: [External] [SECURITY] Data at Rest Encryption Databases Oscar D. Knight (Nov 11)
- Re: [External] [SECURITY] Data at Rest Encryption Databases Jon Young (Nov 12)
- Re: [External] [SECURITY] Data at Rest Encryption Databases Barton, Robert W. (Nov 12)
- Re: [External] [SECURITY] Data at Rest Encryption Databases Jon Young (Nov 12)
- <Possible follow-ups>
- Re: Data at Rest Encryption Databases Smith, Jason (Nov 12)
- Re: Data at Rest Encryption Databases randy (Nov 12)
- Re: [External] [SECURITY] Data at Rest Encryption Databases Oscar D. Knight (Nov 11)