Data protection in the database – top 5 myths
The core element of any IS (information system) is its database (DBMS), and, as we know, modern business depends heavily on its IS.
It is a proven axiom that the more successfully an organization uses information, the more successful its business becomes. However, the ever-growing number and severity of IS (information security) threats hinders the successful use of information, i.e. information security threats directly affect business performance.
First of all, we need to talk about the threat of leakage and subsequent compromise of information from the organization’s systems, i.e. leaks from the DBMS. It should be noted that practically the entire set of attack scenarios against an IS fits into one canvas: an attacker tries to find and exploit system vulnerabilities, escalate privileges, and then steal an array of confidential or valuable information. That is why the topic of leak prevention is acute and relevant for any IS owner.
The most effective “weapon” against leaks is cryptographic protection of information, but the whole problem is that the information has to be encrypted inside a complex technological database environment.
It is precisely this technological complexity that gave rise to a number of “myths” about the impossibility, or at least the great difficulty, of encrypting information in a DBMS.
Today we will analyze the most common misconceptions and show how the “complex” tasks of database security can be solved simply and effectively, using the Crypto DB security system as an example.
Myth number 1. “I cannot use cryptographic protection, because I would have to encrypt all the information in the DBMS, and this will break the system.”
In fact, there is some truth in this: the most common DBMS platforms allow the use of built-in encryption mechanisms, but these mechanisms are functionally limited, and therefore you end up encrypting entire, often gigantic, tables.
The consequence can be a severe drop in the performance of the DBMS server. However, if you use professional tools, for example the Crypto DB system, then possibilities open up on a completely different level. The Crypto DB settings allow the object of protection to be defined very flexibly, so that only a selected set of columns of a DBMS table is protected. In practice, valuable information makes up no more than 20% of the total information array. If only the valuable or confidential information is protected, this saves a significant amount of DBMS server resources and does not break the IS.
Myth number 2. “Using a professional DBMS encryption system will require a significant restructuring of the business applications of the protected system.”
The complexity of information processing in modern business applications really does demand a high degree of adaptability from the security tools applied to it. The Crypto DB program code is written in the “native” language of the specific DBMS platform; this allows the protection tool to run inside the DBMS environment and provides the maximum degree of transparency for all business applications that process the protected information. Therefore, in most Crypto DB implementation scenarios no modification of business applications is required.
Myth number 3. “Working with encrypted information will confuse users of the system and reduce their efficiency.”
As mentioned earlier, the Crypto DB system implements the maximum level of transparency, not only at the technological and system levels, but also at the user level. The users themselves do not participate in the protection process. After the usual authorization by login and password, or authentication with a USB token, the user works, as before, with the familiar interface of the business application. There are no visual signs that the protection system is operating. For unauthorized users, the system instead displays information masks that are “comfortable to the eye”. A mask can be a simple *** or a more complex combination, for example an arbitrary number in the format of a passport series and number. With this level of adaptation of the Crypto DB system to the needs of business processes, there is neither confusion nor performance degradation.
Myth number 4. “To configure and maintain the encryption system, you need an ultra-expensive cryptographer, preferably with a physics and mathematics education.”
Because the Crypto DB system is a means of cryptographic protection certified by the FSB of Russia, a competent specialist really is needed to install, configure and maintain it, only not a specialist in cryptography but one in information security. Correctly defining the object of protection, forming sound access policies for the protected information, audit skills and incident investigation: these are the few abilities that a Crypto DB system administrator (IS Administrator) should have. As for knowledge of cryptography, the basics and minimal skills are enough, which is the de facto standard for any modern information security specialist.
Myth number 5. “If the encrypted database is stolen, it can be decrypted, because the capabilities of modern computers are impressive.”
The Crypto DB system was designed around the main scenario of a possible leak of encrypted information; therefore, the system implements all the requirements of domestic encryption standards and uses strong GOST cryptographic algorithms, and the protection tool itself is certified by the FSB of Russia as a means of cryptographic protection at levels KS1-2 and KS3. What does this mean? It means that the value of the stolen information will certainly be less than the mathematically determined cost of decryption, because the search for the key would take tens of years, even taking into account the prospects for growth in the performance of modern computers. It is enough to consider just one of the many methods Crypto DB uses for data encryption: diversification of the encryption key for each subsequent block of protected information. That is, an attacker would be forced to run a key search for every 512-byte piece of protected data. It is almost impossible to imagine successful cryptanalysis of a 100 MB array under such conditions.
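The two mechanisms above (Myth 1: protecting only selected columns; Myth 5: a separate diversified key for every 512-byte block) and the masked display from Myth 3 can be illustrated with a small model. This is an added example, not Crypto DB code; it assumes HMAC-SHA256 from the Python standard library as a stand-in PRF/keystream in place of the GOST cipher, and constructed sample data.

```python
# Added illustration of column-level protection with per-block key
# diversification and masked display. Not Crypto DB's implementation:
# HMAC-SHA256 stands in for the GOST cipher, and the column data is constructed.
import hashlib
import hmac
import os

BLOCK = 512  # bytes of protected data covered by one diversified subkey


def diversify(master: bytes, column: str, block_no: int) -> bytes:
    # Subkey = PRF(master, column name || block index). Each 512-byte block
    # gets its own key, so recovering one subkey exposes at most one block.
    label = f"{column}:{block_no}".encode()
    return hmac.new(master, label, hashlib.sha256).digest()


def keystream(subkey: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from the PRF; a real deployment uses the cipher.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(subkey, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect_column(master: bytes, column: str, data: bytes, nonce: bytes) -> bytes:
    # Only this column is transformed; every BLOCK-sized chunk uses a fresh subkey.
    # XOR keystream means the same call also decrypts.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        out += xor(chunk, keystream(diversify(master, column, i // BLOCK), nonce, len(chunk)))
    return bytes(out)


def decrypt_block(subkey: bytes, protected: bytes, block_no: int, nonce: bytes) -> bytes:
    # What an attacker holding a single subkey can recover: one block only.
    chunk = protected[block_no * BLOCK:(block_no + 1) * BLOCK]
    return xor(chunk, keystream(subkey, nonce, len(chunk)))


def render(value: bytes, authorized: bool, mask: str = "***") -> str:
    # Authorized users see plaintext; others see a mask (e.g. *** or a
    # passport-shaped dummy value supplied by the caller).
    return value.decode() if authorized else mask
```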
Undoubtedly, using encryption tools in a DBMS will bring a number of practical problems, and solving them correctly will require conscious and focused attention. Protection at this level does not work “out of the box”; therefore, in subsequent posts we will analyze the practical aspects of using the Crypto DB system to prevent information leaks from databases.