INTRODUCTION
Encryption can provide strong security for data at rest, but developing a database encryption strategy must take many factors into consideration. Organizations must balance the requirement for security against the desire for excellent performance. Encryption at the database level, as opposed to the application level or the file level, has proved to be the most practical way to protect sensitive data while still delivering performance. There is a multitude of architectures and techniques for improving performance; the alternatives fall into two broad categories: alternative topologies that decrease encryption overhead, and techniques that limit the number of encryption operations. In real-world scenarios performance and security are complex issues, and experts who understand all available options and their impact in each particular customer environment should be consulted.

Every organization must protect sensitive data or face potential legislative, regulatory, legal and brand consequences. Relying on perimeter security and database access control alone does not provide adequate security. Packaged database encryption solutions have proven to be the best alternative for protecting sensitive data. This is a specialized and complex solution area; if internal resources lack cryptography expertise relevant to the IT environment, outside expertise should be used to ensure superior performance.

This paper reviews the performance aspects of the three dominant topologies for database encryption. It offers detailed guidance on scalable implementations of data-at-rest encryption in an enterprise environment, including how encryption, key management, backup, auditing and logging should be deployed to optimize security, performance, scalability and administration.
BEST PRACTICE
Building and maintaining a secure and efficient cryptographic engine is not an easy task. The best practice, in nearly all cases, is to use an engine that is already available and tested. Engines come in three flavors: central, local and dedicated. In a straight comparison of costs, local encryption services are generally cheaper but less secure. Dedicated encryption services provide high availability, key caching and real CPU offloading. Be aware that exposing encryption services as a network resource introduces an additional point of attack and, in a database environment, very limited scalability.

Benchmarks in customer environments demonstrated how critical it is to select the right topology for a database encryption implementation. A central topology benchmarked decryption of only a few hundred database rows per second, while a more distributed hybrid topology benchmarked in the range of a million rows per second, the rate typically needed in environments with high-volume OLTP or parallel decision-support systems.

Keys that are not protected properly, that are stored unprotected in a software environment, or that sit unprotected in server memory are vulnerable to discovery. Private keys should therefore be stored encrypted under AES encryption keys that are nested within a hierarchy in which each key is protected by a parent key; this multi-layer hierarchy of keys provides the highest level of protection against attack. The best protection against private key compromise is a combination of physical security and key management technology, including stringent security standards throughout the private key lifecycle.
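The key hierarchy and the key caching described above, as an added Go example that is not part of this paper and not any vendor's product code. It builds a three-level hierarchy (a master key protecting a key-encryption key, which protects a data-encryption key), persists every non-master key only as ciphertext under its parent, and keeps a cache of unwrapped keys so the cost of walking the hierarchy on every row can be seen and avoided. AES-GCM is this example's choice of wrapping mode (the paper says only "AES"), the in-memory master key stands in for an HSM- or service-held one, and the key IDs, column name and sample value are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WrappedKey is the only persisted form of a non-master key: AES-GCM ciphertext of the
// raw key under its parent, with the key ID as associated data so a blob cannot be relabelled.
type WrappedKey struct {
	ID, Parent  string // Parent is the wrapping key's ID; "master" tops the hierarchy
	Nonce, Blob []byte
}

// KeyStore models master key -> key-encryption key (KEK) -> data-encryption key (DEK).
// The master key is in memory here; a deployment would keep it in an HSM or dedicated service.
type KeyStore struct {
	master  []byte
	Wrapped map[string]WrappedKey
	cache   map[string][]byte // unwrapped keys held for reuse (the "key caching" of a dedicated service)
	unwraps int               // unwrap operations performed, to make the cache's effect visible
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func NewKeyStore() *KeyStore {
	return &KeyStore{master: randomBytes(32), Wrapped: map[string]WrappedKey{}, cache: map[string][]byte{}}
}

// AddKey generates a fresh 256-bit key under parentID and stores only its wrapped form.
func (ks *KeyStore) AddKey(id, parentID string) error {
	parent, err := ks.Resolve(parentID)
	if err != nil { return err }
	g := gcm(parent)
	nonce := randomBytes(g.NonceSize())
	ks.Wrapped[id] = WrappedKey{ID: id, Parent: parentID, Nonce: nonce,
		Blob: g.Seal(nil, nonce, randomBytes(32), []byte(id))}
	return nil
}

// Resolve returns the raw key for id, unwrapping level by level up to the master key
// and caching every plaintext key it recovers on the way.
func (ks *KeyStore) Resolve(id string) ([]byte, error) {
	if id == "master" { return ks.master, nil }
	if k, ok := ks.cache[id]; ok { return k, nil } // cache hit: no unwrap, no trip to the key service
	w, ok := ks.Wrapped[id]
	if !ok { return nil, errors.New("unknown key " + id) }
	parent, err := ks.Resolve(w.Parent)
	if err != nil { return nil, err }
	ks.unwraps++
	k, err := gcm(parent).Open(nil, w.Nonce, w.Blob, []byte(w.ID))
	if err != nil { return nil, fmt.Errorf("unwrap %s: %w", id, err) }
	ks.cache[id] = k
	return k, nil
}

// UnwrapCount reports unwrap operations so far; ClearCache drops plaintext keys from memory,
// which a service should do on a timer or at key rotation rather than hold them indefinitely.
func (ks *KeyStore) UnwrapCount() int { return ks.unwraps }
func (ks *KeyStore) ClearCache()     { ks.cache = map[string][]byte{} }

// EncryptField protects one column value under the named DEK, binding the column name as
// associated data so a ciphertext moved to another column will not open. Nonce is prepended.
func (ks *KeyStore) EncryptField(dekID, column string, value []byte) ([]byte, error) {
	dek, err := ks.Resolve(dekID)
	if err != nil { return nil, err }
	g := gcm(dek)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, value, []byte(column)), nil
}

func (ks *KeyStore) DecryptField(dekID, column string, ct []byte) ([]byte, error) {
	dek, err := ks.Resolve(dekID)
	if err != nil { return nil, err }
	g := gcm(dek)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(column))
}

func main() {
	ks := NewKeyStore()
	must(0, ks.AddKey("kek-1", "master")) // key IDs are hypothetical
	must(0, ks.AddKey("dek-customer", "kek-1"))
	ct := must(ks.EncryptField("dek-customer", "ssn", []byte("123-45-6789"))) // constructed sample value
	pt := must(ks.DecryptField("dek-customer", "ssn", ct))
	fmt.Printf("%s recovered after %d unwrap operations\n", pt, ks.UnwrapCount())
}
```

Two details matter for the trade-off the paper is describing. First, the unwrap counter shows why a per-row round trip to a central service is so slow: without the cache, every field operation walks the whole hierarchy, and the cache turns that into one unwrap per key per process lifetime. Second, the cache is exactly the "keys in server memory" exposure, so its lifetime has to be bounded (timer, rotation, process exit) rather than left open-ended, which is the design question that separates a local engine from a dedicated one.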
DATA AT REST ENCRYPTION - EACH APPROACH HAS ITS ADVANTAGES AND DISADVANTAGES
There are many architectures, techniques and tools available to security and IT organizations for ensuring that security and performance are balanced and optimized, and each approach has its advantages and disadvantages. Database security is a wide research area [26, 23] that includes topics such as statistical database security [21], intrusion detection [34] and, most recently, privacy-preserving data mining [22]; related work on designing information systems that protect the privacy and ownership of individual information without impeding the flow of information includes [22, 23, 24, 25]. Prior work [7, 2] does not address the critical issue of performance. In this work we address and evaluate the issue most critical to the success of encryption in databases, performance, by analysing the different solution alternatives. Each topology affects security and performance differently.