Securing Enterprise Data in the Database


Sometimes protecting the communication channel to the database is not enough, and you may want to protect the data in the database itself. You can accomplish this protection by encrypting the data. There are two possibilities: symmetric encryption and asymmetric encryption.

Cross-reference

Chapter 4, Chapter 12, and Chapter 13 discuss symmetric and asymmetric concepts.

Symmetric encryption uses a single key, stored in the application, to encrypt and decrypt the data kept in the database. This way, if the database itself is compromised, the information is not available. The main requirement for this type of database encryption is that the application itself is secured: if the application is compromised, the attacker is able to obtain the symmetric key and decrypt the data. Asymmetric encryption uses both a public and a private key. You use this method when you need to protect your data even if both the database and the application are compromised, because the application needs only the public key to encrypt what it stores, and the private key needed to decrypt can be kept somewhere else.

Using encryption is expensive: the data needs to be decrypted before it is processed. This removes some of the advantages of using a database, such as being able to use SQL statements to perform searches. Setting database permissions goes a long way toward protecting your data from undesired requests.

In addition, you have the option to create a read-only or write-only database. For instance, many online stores use write-only databases to store credit card information.
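The following is an added example, not code from the book, showing the two approaches described above in Java with the standard `javax.crypto` API. The "table" is a `Map` standing in for a database column so the program runs offline; the card number is a constructed test value. The symmetric path keeps an AES key in the application and can both store and read back; the asymmetric path models the write-only store: the web tier holds only the RSA public key, so even an attacker who takes over both the application and the database cannot recover the stored values, and only a separate process holding the private key can. The `main` method also shows why encrypted columns break SQL equality searches: encrypting the same value twice yields different ciphertext.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class ColumnEncryptionDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // --- Symmetric: the application holds the AES key. A stolen database dump is
    //     unreadable, but a compromised application yields the key. ---
    static String encryptSymmetric(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                       // fresh IV per row: never reuse with GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];  // store IV || ciphertext+tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decryptSymmetric(SecretKey key, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        byte[] iv = Arrays.copyOfRange(in, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, GCM_IV_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        // doFinal throws AEADBadTagException if the stored value was tampered with
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    // --- Asymmetric: the web tier holds only the public key (write-only store).
    //     The private key is kept by a separate back-office process. ---
    static String encryptAsymmetric(PublicKey pub, String plaintext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, pub);
        return Base64.getEncoder().encodeToString(
                c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }

    static String decryptAsymmetric(PrivateKey priv, String stored) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, priv);
        return new String(c.doFinal(Base64.getDecoder().decode(stored)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> cardTable = new HashMap<>();   // stands in for a DB column
        String cardNumber = "4111111111111111";            // constructed test value

        // Symmetric: key lives with the application
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey appKey = kg.generateKey();
        cardTable.put("order-1", encryptSymmetric(appKey, cardNumber));
        System.out.println("stored (sym):  " + cardTable.get("order-1"));
        System.out.println("read back:     " + decryptSymmetric(appKey, cardTable.get("order-1")));

        // Asymmetric: web tier gets only kp.getPublic(); kp.getPrivate() stays off the web tier
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        cardTable.put("order-2", encryptAsymmetric(kp.getPublic(), cardNumber));
        System.out.println("stored (asym): " + cardTable.get("order-2"));
        System.out.println("back office:   " + decryptAsymmetric(kp.getPrivate(), cardTable.get("order-2")));

        // Why encrypted columns cannot be searched with WHERE card = ?: random IV / OAEP
        // padding means the same plaintext never produces the same stored value.
        String again = encryptSymmetric(appKey, cardNumber);
        System.out.println("same ciphertext twice? " + again.equals(cardTable.get("order-1")));  // false
    }
}
```

Compile and run with `javac ColumnEncryptionDemo.java && java ColumnEncryptionDemo`. In a real deployment the AES key would come from a key store or hardware module rather than being generated at start-up, and the RSA private key would never be loaded into the web-facing application at all; the lookup problem shown at the end is the reason the text recommends leaning on database permissions and views rather than encrypting everything.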

Tip

You can establish levels of access in your database to prevent a user from accessing information that is restricted; a database view is commonly used for this. A view is a virtual relation that combines information from other relations.

The connection management to the database is frequently left to the application server. Chapter 29 presents some frequently used application servers and their security.



Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222
