I've wanted to write this post for ages, but it wasn't really appropriate whilst working for an encryption and key management company. I wrote earlier about the need for DAM - something which Rich Mogull talks about a great deal and extremely well. But whereas Rich tends to look at it from every possible angle, and how to decide which one to pick, I have one very specific point to make, and have a good idea what I like already based on the people I've spoken to in the industry.
If you've encrypted your databases already, don't get complacent: you still aren't safe. Yes, you are compliant, but if you were worried about your DBA being nasty enough to steal data in the first place, encryption hasn't done anything he can't get around. Even if the whole thing is set up properly, consider for a moment how your encryption solution works:
Does it rely on views and triggers, or does it encrypt the underlying files? If the latter, it was never securing anything other than the files, and the DBMS could be full of holes; they often are. The data is still in the clear once the database is running, and the DBA has no harder time fiddling things than if the database were unencrypted.
If the former, think what's happening here:
When you encrypt a column in a database, you are encrypting the underlying table, removing the plaintext data, and putting in a view of the underlying table. Depending on the applied policy, this either gives you cleartext data out, or an encrypted reply/default message/chosen error.
Now, consider the fact that you are protecting against the DBA. That DBA has access to all the tables, views and triggers in his database, even if he can't access the encrypted data. What happens if the DBA writes into the views a simple few lines of code such that when a legitimate user of cleartext data accesses it, it writes that data to a file? The DBA then not only has the original data, but he has it in a separate location to the 'sensitive' data, in an unprotected file which he can then walk off with.
There are only 2 ways to protect against this:
1. DLP - anyone want to choose one after the dazzling array you've seen this week? I certainly don't. It would be a toss-up between Vontu or Vericept I think, but I'd need a PoC.
2. DAM - The stuff out there is of variable quality. Products like Guardium and Imperva have their place, but the killer app for me in this space still has to be Secerno. Much cleverer and better produced. I'm still waiting for this to hit the big time having picked it out at InfoSec last year. I think we'll be seeing a lot more of these guys.
I just hope Oracle/Microsoft/Google/Symantec doesn't buy them first.
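One check that activity monitoring can include for the view-tampering scenario described above is to hash every view and trigger definition at deployment and flag any later drift. This is an added example, not code from the original post or from any product it names; it uses SQLite as a stand-in DBMS, and the table, view and trigger names are constructed.

```python
import hashlib
import sqlite3

def snapshot(conn):
    """Map (type, name) -> SHA-256 of the stored definition of each view and trigger."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE type IN ('view', 'trigger')"
    )
    return {(t, n): hashlib.sha256(sql.encode()).hexdigest() for t, n, sql in rows}

def drift(baseline, current):
    """Compare two snapshots and list added, removed and changed objects."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return {"added": added, "removed": removed, "changed": changed}

def build_demo():
    """Constructed schema: a ciphertext table plus the view that applications query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cards_enc (id INTEGER PRIMARY KEY, pan_cipher BLOB);
        CREATE TABLE audit_log (id INTEGER, note TEXT);
        CREATE VIEW cards AS SELECT id, pan_cipher FROM cards_enc;
    """)
    return conn

def run_demo():
    conn = build_demo()
    # Baseline taken at deployment; assumed to be stored outside the DBA's control.
    baseline = snapshot(conn)
    # Constructed change: the view is redefined and an unreviewed trigger appears.
    conn.executescript("""
        DROP VIEW cards;
        CREATE VIEW cards AS SELECT id, pan_cipher, 1 AS flag FROM cards_enc;
        CREATE TRIGGER cards_enc_ai AFTER INSERT ON cards_enc
        BEGIN INSERT INTO audit_log VALUES (NEW.id, 'insert'); END;
    """)
    return drift(baseline, snapshot(conn))

if __name__ == "__main__":
    for kind, objects in run_demo().items():
        print(kind, objects)
```

The comparison is only meaningful if the baseline and the job that runs it sit with someone other than the DBA being monitored.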