Transparent Data Encryption (TDE) is a feature offered by the majority of database vendors on the market. All of them use two keys per database: a DEK (Data Encryption Key) and a KEK (Key Encryption Key; some vendors call it the Master Key).
The database encryption key encrypts the whole database at the file level, without any application code changes. By design these keys are stored in the database itself and cannot be changed, which means the DEK always follows the database.
An internal or external bad actor who obtains a copy of the database can therefore build another SQL Server outside your network and restore or open the database there (steal now, decrypt later).
Another challenge customers face is the governance, risk and compliance (GRC) requirement to rotate keys. Rotating a DEK creates overhead because it requires a full re-encryption of the data. In the cloud, AWS, Azure and GCP also charge for all of those re-write operations, which can inflate your cloud bill.
Is There a Better Way?
KEKs, or Key Encryption Keys, were introduced by database providers to mitigate the issues above. A KEK encrypts the DEKs, which creates separation of duties: the DB team cannot open the database without the KEK. The two types of KEK are an RSA encryption key or a certificate.
While Microsoft's help documentation recommends a certificate as the KEK, there are noteworthy shortcomings. Certificates are susceptible to theft because they are typically stored in, or near, the database.
Another shortcoming is that certificates are also stored in the master database, which anyone with privileged access (and bad intent) can restore to a local folder of their choosing and then use.
An RSA KEK has similar weaknesses when it is stored locally.
However, creating and storing your KEK in an external Hardware Security Module (HSM) is a much better solution. With a modern HSM you can use RBAC (role-based access control) to control access to the DEKs securely.
This is superior to a certificate or local RSA key, which cannot distinguish between users, has no central logging and, worse, gives you no way to tell whether multiple copies of a certificate were created or compromised. Certificates also expire, which can lead to downtime.
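The DEK/KEK envelope described in this section, together with the key-rotation cost raised earlier, as an added Go example (not code from this post, from any database vendor or from a Fortanix product): the DEK seals data pages with AES-256-GCM, the KEK wraps the DEK with RSA-OAEP, and rotating the KEK only re-wraps the DEK, leaving every page untouched. The names WrapDEK, UnwrapDEK, PageCipher, EncryptPage, DecryptPage, RotateKEK and KeySource are this example's own, and the KEK is an in-process RSA key standing in for the HSM-held one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// KeySource feeds KEK generation; with an external HSM the KEK is generated inside it.
var KeySource = rand.Reader
// WrapDEK encrypts the DEK under the KEK public key; only this blob is stored with the database.
func WrapDEK(kek *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, nil)
}
// UnwrapDEK needs the private KEK, the one step a copied database file cannot perform.
func UnwrapDEK(kek *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, wrapped, nil)
}

// PageCipher builds the AES-256-GCM instance the data pages are sealed with.
func PageCipher(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// EncryptPage seals one page under the DEK, prefixing a fresh random nonce.
func EncryptPage(gcm cipher.AEAD, page []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, page, nil), nil
}
// DecryptPage reverses EncryptPage; the GCM tag rejects a wrong DEK or a tampered page.
func DecryptPage(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// RotateKEK re-wraps the DEK under a new KEK; no page ciphertext is touched, so no re-encryption cost.
func RotateKEK(oldKEK *rsa.PrivateKey, newKEK *rsa.PublicKey, wrapped []byte) ([]byte, error) {
	dek, err := UnwrapDEK(oldKEK, wrapped)
	if err != nil {
		return nil, err
	}
	return WrapDEK(newKEK, dek)
}
```

Rotating the DEK itself would instead mean decrypting and re-sealing every page, which is the overhead (and cloud re-write cost) the post describes.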
Why Fortanix?
Fortanix secures the KEK in an HSM so that it never leaves the boundary of our FIPS 140-2 Level 3 HSM, which addresses another growing requirement of customer governance, risk and compliance initiatives.
Because the KEK cannot be copied out of the HSM, anyone attempting to open the database would have to do so from inside the customer's network. Fortanix's Data Security Manager platform employs robust logging, including the IP addresses of systems accessing the key, and a Zero Trust approach that validates that only those who should have access to the key do.
Customers can also protect the key from malicious or accidental deletion with a quorum policy that requires approval from multiple users for key deletion and, with some database servers, even for restoration of a database.
Benefits of Using Fortanix External HSM-Backed KEK
The Fortanix Data Security Manager provides an integrated key management and hardware security module (HSM) solution designed to support database encryption across multiple datacenter sites, public cloud, and database vendors.
Here are seven benefits of using a Fortanix HSM-backed Key Encryption Key:
- Per NIST guidelines, you achieve separation of the keys from the data.
- You can rotate keys for GRC needs without a performance hit or increased cloud costs, allowing more frequent key rotation if desired.
- RBAC over who can restore a database.
- Protection from accidental and malicious key deletion and from copying of keys, and, with Fortanix Confidential Computing technology, making it impossible to steal keys from memory.
- The future of Zero Trust is behavior-based analytics. Fortanix provides tamper-proof audit logging for visibility into key usage patterns, IP addresses and user access.
- Move away from expiring certificates, which can lead to database outages.
- With Fortanix, you can also automate the rotation of the RSA keys.
Conclusion
The proliferation of data privacy regulations, the increasing risk of data breach, and the migration of databases to public cloud are driving many organizations to implement database encryption more broadly. While most databases offer integrated encryption capabilities, the security and compliance of the database relies on secure storage, policy management and audit logging of database encryption key access.
Fortanix Data Security Manager is helping companies implement database encryption more broadly, at the cell, column, row, table and whole-database levels and across common types of enterprise databases, in response to the proliferation of data privacy regulations, the increasing risk of a data breach and the migration of databases to the public cloud.