| TDE | Application-level encryption | Storage (unstructured data) encryption |
| --- | --- | --- |
| Database-only encryption | Any data encryption | Any data encryption, including disks and partitions |
| Data is encrypted and decrypted on the database (i.e. server-side), so when it is sent out of the database it is decrypted | Data is encrypted and decrypted in the application (i.e. client-side), so when it is sent out of the database it is still encrypted | Data is encrypted and decrypted in the storage layer, and is decrypted when read back |
| Encryption keys are managed by the database | Encryption keys are managed by the application | Encryption keys are managed in the storage layer |
| Can encrypt/decrypt columns, tables or the entire database | Can encrypt/decrypt columns, tables or the entire database | Cannot encrypt/decrypt individual tables or columns |
| Does not require any change to the applications authorized to access/query the database | Requires changes to applications for encrypt/decrypt and access controls; this is application-specific, manual and time consuming | Does not require any change to the applications authorized to access/query the database |
| Uses common encryption protocols (e.g. PKCS#11, KMIP) | Uses REST APIs and, where applicable, common encryption interfaces (e.g. PKCS#11, CNG, JCE) | Uses a common encryption protocol (KMIP) and, where applicable, REST APIs |
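The first two columns of the table differ mainly in who holds the key and where decryption happens, which decides what the database can still do with the data. The Go program below is an added illustration, not code from this page or from Fortanix: it models the database as an in-memory table (a constructed stand-in for a real RDBMS) and runs the same insert, select and server-side equality search under both models, a TDE-style server that owns the key and decrypts before answering, and an application that encrypts with its own key before the value ever reaches the server. All names (`Table`, `TDEDatabase`, `AppClient`, `seal`, `open`) are this example's own, and the e-mail address is a constructed sample value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustRandom returns n cryptographically random bytes (used for keys and nonces).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, pt []byte) []byte {
	g := gcmFor(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; the GCM tag check rejects a tampered row or a wrong key.
func open(key, ct []byte) ([]byte, error) {
	g := gcmFor(key)
	if ns := g.NonceSize(); len(ct) >= ns {
		return g.Open(nil, ct[:ns], ct[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Table stands in for the database: id -> bytes exactly as the server holds them.
type Table struct{ rows map[int][]byte }

func NewTable() *Table { return &Table{rows: map[int][]byte{}} }

// CountEqual is a server-side equality search; view is what the server can do
// to a stored row before comparing (decrypt it under TDE, nothing otherwise).
func (t *Table) CountEqual(term []byte, view func([]byte) ([]byte, error)) int {
	n := 0
	for _, row := range t.rows {
		if v, err := view(row); err == nil && bytes.Equal(v, term) {
			n++
		}
	}
	return n
}

// TDEDatabase: the server owns the key, encrypts rows at rest, decrypts them
// before answering, and so can still evaluate "WHERE col = ?" by itself.
type TDEDatabase struct {
	key []byte
	*Table
}

func NewTDEDatabase() *TDEDatabase                    { return &TDEDatabase{mustRandom(32), NewTable()} }
func (db *TDEDatabase) Insert(id int, v []byte)       { db.rows[id] = seal(db.key, v) }
func (db *TDEDatabase) Select(id int) ([]byte, error) { return open(db.key, db.rows[id]) }
func (db *TDEDatabase) WhereEquals(v []byte) int {
	return db.CountEqual(v, func(row []byte) ([]byte, error) { return open(db.key, row) })
}

// AppClient: the key stays in the application, so the server, its backups and its
// query results only ever carry ciphertext (the "requires changes to applications" cost).
type AppClient struct {
	key []byte
	db  *Table
}

func NewAppClient(db *Table) *AppClient          { return &AppClient{mustRandom(32), db} }
func (c *AppClient) Store(id int, v []byte)      { c.db.rows[id] = seal(c.key, v) }
func (c *AppClient) Load(id int) ([]byte, error) { return open(c.key, c.db.rows[id]) }
func (c *AppClient) ServerWhereEquals(v []byte) int {
	return c.db.CountEqual(v, func(row []byte) ([]byte, error) { return row, nil })
}

func main() {
	email := []byte("alice@example.com") // constructed sample value
	tde := NewTDEDatabase()
	tde.Insert(1, email)
	wire, _ := tde.Select(1)
	fmt.Printf("TDE: client receives %q, server search hits %d\n", wire, tde.WhereEquals(email))
	app := NewAppClient(NewTable())
	app.Store(1, email)
	back, _ := app.Load(1)
	fmt.Printf("App: server holds %x..., app decrypts to %q, server search hits %d\n",
		app.db.rows[1][:6], back, app.ServerWhereEquals(email))
}
```

Running it shows the trade-off the table describes: under TDE the row is ciphertext at rest, but every query result (and the server's own memory) carries plaintext, and the server can still answer an equality query itself. Under application-level encryption the server never holds a key, so results, replicas and backups carry only ciphertext, a wrong key or truncated row is rejected by the GCM tag check, and a `WHERE col = ?` evaluated on the server finds nothing because each row carries a fresh nonce. Searching, indexing and access control on that column therefore have to be redesigned in the application, which is exactly the application-change cost listed for that column.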
The table below summarizes where each encryption method applies.
| Encryption Level | TDE | App-Level Encryption (incl. tokenization) | Unstructured Data Encryption (EDW) |
| --- | --- | --- | --- |
| User space | | | |
| Field / Column / Cell | | | |
| Table | | | |
| File / Database | | | |
| Folder | | | |
| OS level | | | |
| File system | | | |
| Volume | | | |
| HW / sub-OS level | | | |
| Partition | | | |
| Disk | | | |
Data stored in databases and data warehouses needs to be encrypted at all times, yet remain securely accessible on demand.
However, as the volume and distribution of data grow, and the use cases and applications that need to access that data multiply, existing and legacy solutions fail.
This complexity, and the lack of adequately scalable solutions, leads to a situation where encryption keys are typically kept in software-only stores: a clear security risk.
Fortanix Self-Defending KMS provides a next-generation solution that covers all data-encryption needs in a single, easy-to-use product with minimal TCO. Fortanix Self-Defending KMS was designed to serve the needs of modern, distributed, agile and hybrid IT environments.
All three encryption methods (and more) are delivered through one centrally managed solution. No use-case-specific clients (e.g. for file encryption, TDE or application encryption) are required. Fortanix Self-Defending KMS removes the OS and application dependency (and complexity) by using REST APIs and standard cryptographic interfaces. All of its APIs and cryptographic interfaces are provided free of charge, for any number of users or applications.
Delivered as a service in a number of deployment and provisioning models, Fortanix Self-Defending KMS can easily adapt to any requirement and any deployment scenario.
Fortanix Self-Defending KMS features strict role-based access control and segregation of users and roles, allowing customers to be confident in the security and privacy of their data in any hosted environment while enabling compliance with regulations such as GDPR.
Fortanix's core design principle is simplicity. Above all, simplicity means better security.