Infrastructure as a Service (IaaS) database deployment is one of the most common cloud implementations we encounter, yet cloud encryption for databases remains a complex challenge. We often get questions around cloud database encryption methods (row/column level, vs. full disk, vs. application level encryption), and I would like to spend some time reviewing pros and cons, as well as to discuss alternatives. While this blog post will not dive into technical details, we have written an in-depth analysis of MySQL cloud security which can be found here.
Regulatory compliance is a major driver for cloud encryption. There’s no doubt that encrypting private or regulated data is a must have in a cloud or virtualized environment, but what’s the best approach? On paper, field level encryption seems appealing. It encrypts only the specific classified information, and it provides great configuration flexibility (you can set specific encryption keys per row/field/column, etc.) The downside is complexity and performance. Row level encryption requires code changes to the application as well as a well-trained sys-admin to maintain and configure the application. With regards to performance, it’s no secret that row level encryption burdens the application’s compute resources, and has impact on the application’s performance (click here for an example) . A viable alternative to field level encryption is full disk encryption. Full disk encryption eliminates the complexity as it does not requires any code changes to the application, and is often better performing than field level encryption. The down side is that a sys-admin or a DBA can see the actual unencrypted data – but that can be easily resolved with proper permissions.
Regardless of the database encryption method you end up deploying, cloud key management is a significant issue which you should design into the cloud encryption solution. Traditional key management systems force a compromise between your data confidentiality and your cloud flexibility. We have described this issue in depth on this blog post, and it is important to state that there are viable cloud-friendly alternatives which allow enterprises to maintain data confidentiality while not compromising on core cloud values such as scaling or pay-as-you-go. One example of such technology is split-key encryption. As implied by its name, the technology is splitting an encryption key in two, one half; a “master-key” is known only to the end user and is never seen by the cloud provider, the second half key is different for each data object or virtual disk, and is stored by a patented Key Management Service. This approach guarantees that the data can never be seen by a cloud provider (as he does not hold the encryption keys), but at the same time, the encryption and key management service is scalable and integrative with the enterprise’s cloud of choice. Additional information about split-key encryption can be found on this white paper.
Subscribe to the blog to receive updates about:
AltaFlux understands what you and your organization need to excel, and can deliver rapid innovation to unleash your full workforce potential. Together, we can empower your business by streamlining, transforming, and optimizing your key HCM and talent processes with industry-leading SAP SuccessFactors technology—enabling you to adapt at the speed of change.
AltaFlux Corporation is a global HCM cloud consulting partner based in Troy, Michigan. We empower organizations by streamlining, transforming, and optimizing key human capital management (HCM) processes with industry-leading HCM cloud solutions like SAP SuccessFactors, Benefitfocus, WorkForce Software and Dell Boomi.