Abstract

As databases become networked in more complex multi-tiered applications, their vulnerability to external attack grows. We address scalability as a particularly vital problem and propose alternative solutions for data encryption as an enterprise IT infrastructure component. In this paper, we explore a new approach for data privacy and security in which a security administrator protecting privacy at the level of individual fields and records, and providing seamless mechanisms to create, store, and securely access databases. Such a model alleviates the need for organizations to purchase expensive hardware, deal with software modifications, and hire professionals for encryption key management development tasks. Although access control has been deployed as a security mechanism almost since the birth of large database systems, many still look at database security as a problem to be addressed as the need arises – this is often after threats to the secrecy and integrity of data have occurred. Instead of building walls around servers or hard drives, a protective layer of encryption is provided around specific sensitive data items or objects. This prevents outside attacks as well as infiltration from within the server itself. This also allows the security administrator to define which data stored in databases are sensitive and thereby focusing the protection only on the sensitive data, which in turn minimizes the delays or burdens on the system that may occur from other bulk encryption methods. Encryption can provide strong security for data at rest, but developing a database encryption strategy must take many factors into consideration. Different stored data encryption strategies are outlined, so you can decide the best practice for each situation, and each individual field in your database, to handle different security and operating requirements. Application code and database schemas are sensitive to changes in the data type and data length. the paper presents a policy driven solution that allows transparent data level encryption that does not change the data field type or length.

Keywords:   Isolation, Intrusion Tolerance, Database Security, Encryption, Privacy, VISA CISP, GLBA, HIPAA.

1 Introduction

Although access control has been deployed as a security mechanism almost since the birth of large database systems, for a long time security of a DB was considered an additional problem to be addressed when the need arose, and after threats to the secrecy and integrity of data had occurred [23]. Now many major database companies are adopting the loose coupling approach and adding optional security support to their products. You can use the encryption features of your Database Management System (DBMS), or perform encryption and decryption outside the database. Each of these approaches has its advantages and disadvantages. Adding security support as an optional feature is not satisfactory, since it would always penalize system performance, and more importantly, it is likely to open new security holes. Database security is a wide research area [26, 23] and includes topics such as statistical database security [21], intrusion detection [34], and most recently privacy preserving data mining [22], and related papers in designing information systems that protect the privacy and ownership of individual information while not impeding the flow of information, include [22, 23, 24, 25].