Skip to content

Data Security

  • Keeping data secured at various stages: At-rest, in-transit or in-use.
    • In-use refers to using tokens in place of actual data
  • Main security mechanisms are Encryption, Tokenization and Masking
    • Unlike encryption, tokenization is non-mathematical, that preserves type and length of data
    • Tokenization works by creating a surrogate for PAN (Primary Account Number)
      • High Value Tokens HVT look like PANs, are format preserving, multiple HVTs can map back to a single PAN
      • Low Value Tokens LVT can only be used in limited context and thus cannot be used wherever PANs can be used
  • Encryption and Security
  • PII data can include direct and indirect identifiers
    • direct identifiers are SSN, Emp-ID, Phone#, Address etc
    • indirect identifers are: occupation, race, location, criminal history
      • if narrow enough, they can identify people. Eg CEO of the company as occupation
  • De-identification involves changing PII data so that it doesn't reveal identity
    • By Generalization: eg. changing date/month of DOB. Retains some truth to actual data
    • By Suppression: eg. substituting NULL for sensitive data

Full Disk Encryption

  • Data Encryption Key DEK is a key that resides on the drive all the time and used for all encryption
  • Drive Lock Key is supplied by the Initiator that allows access to the drive
    • Drive Lock Key is maintained on the Disk Array and are usually backed up to a host
  • Authentication Key AK when supplied is hashed by storage system to decrypt the drive DEK
  • Decommissioned drive cannot be unlocked without AK+passphrase, or by changing drive DEK

Security Framework

  • Data classification
  • Identifying and classifying users (vendor, employee, privileged, disgruntled etc), source system (IPs)
  • Access control
  • Access auditing
  • Encryption
    • Key management
  • DR Planning
  • Compliance reporting

SQL Server Encryption

  • Encryption Mechanisms
    • Transact-SQL Functions: EncryptByPassphrase and DecryptByPassphrase
    • Certificates: contain public key signed by a trusted CA
    • Asymmetric Keys: are used for encrypting symmetric key for storage in database
    • Symmetric Keys: Used for encrypting database
    • Transparent Data Encryption: A special case of Symmetric Key encryption
  • Encryption is hierarchical
    • Windows (DPAPI) -> Service Master Key (SQL Server Instance Level) -> Database Master Key (for master database) => Certificate -> Database Encryption Key (for user database)

Transparent Data Encryption TDE

  • Entire database is encrypted with Database Encryption Key DEK
  • Backups are also encrypted => restore requires availability of server certificate
  • DEK is protected by other keys or certificates
  • Other keys or certificates are protected by Database Master Key or an asymmetric key stored in an EKM module
  • Encryption happens at page level without increasing size of the database