Blog/Infosec 101/

Database encryption: a key part of web security

Jun 01, 2020

database encryption

Database. Doesn't this word make you yawn?

Da-ta-base. It sounds flat and boring. But think about the secrets databases keep: names, passwords, recovery questions, addresses, bank deposits. And they can get much more complex. That’s why they are hackers’ favorite midnight snack. Database encryption is meant to protect us. But does it?

Database 101: types of databases

Before we talk about encryption, let’s quickly cover databases and how they are used.

For a long time, the market was dominated by SQL databases. SQL, which stands for Structured Query Language, is a language used to manage relational databases, which deal with highly structured data. We’ll give you a simple example.

Imagine a table tracking daily calorie consumption with columns for days and calories. A similar database could track meals or distance walked. A database management system (DBMS) can connect many such databases and answer extremely precise queries. Think about the apps you use daily like a task manager. If you wanted, you could filter our undone, medium-priority tasks that were due last week and are tagged as Family. That’s the power of databases.

Now there’s a growing interest in a new database type that is called a NoSQL database. These are non-relational databases. They don't require data to be as structured as in SQL.This method works better for big data and real-time web applications like Facebook or Amazon.

Lastly, it’s worth mentioning another new type of database. It combines the power of SQL structure with the speed and scalability of NoSQL databases. It’s called a NewSQL database. The way NewSQL is being developed can prove to be a revolution for dealing with lots of live data.

What is database encryption?

If you’re using NordLocker, you may think of encryption as putting a file into a digital safe until you need it. Database encryption works differently because the information in the database is constantly modified.

You have three types of data:

  • Data at rest - information in the database that is not being used.
  • Data in transit - data that was taken from the database and is sent through the network.
  • Data in use - active data which is typically stored in RAM or CPU cache.

These days, we’re dealing with incredible amounts of data. We’re talking yottabytes of information that Google, Amazon, Facebook, and governments hold on us. Since hackers know about all this data, they will try to get their hands on it.

You would assume anyone sitting on a goldmine of data knows about the threats. Sadly, we see way too many vulnerabilities on this front. But those who encrypt their databases use encryption either on the application level, system level, or network level. Preferably, a combination of all these.

Types of database encryption and their impact on performance

Application encryption

There are several methods that use API encryption (Application Programming Interface encryption). They are all similar and work with many database management systems. However, this kind of encryption requires a lot of manual management. As a result, API encryption can be suitable for small companies but can be very time-consuming when there’s big data involved.

Plug-in

When it comes to plug-in or package encryption, an independent encryption module is attached to the application. Column-level encryption is commonly used for the Plug-in method. Which means that instead of a single key to encrypt and decrypt the whole database, each column has its own security key.

Extra processes will eat up more computing power. On the plus side, you can select which columns hold sensitive information and, thus, need to be encrypted, and which do not.

TDE method

For TDE, or Transparent Data Encryption method, an encryption engine is installed into the database engine. The main advantage of TDE is system-level database encryption. Not only that makes administration much easier, but TDE also protects all data, even backups. Note that TDE is used only for Data at Rest (inactive data).

It’s clear that one layer of database encryption is not enough. Each comes with advantages. Some are more secure, others go easier on the computer resources.

Regardless of what you use today, remember that database management systems change. Whatever happens, database security should always be your #1 priority.

Elisa Armstrong

Elisa Armstrong

Verified author

Elisa’s all about languages. She speaks five, loves stand-up comedy, and is writing her first novel. Besides her extensive knowledge of cybersecurity, she’s an expert in persuasion techniques hackers use and strives to teach people how to avoid online scams.