Data-at-rest Encryption with Fortanix Self-Defending KMS
Data-at-rest encryption relates to a number of encryption methods, applied to different types of data stored across the IT stack in an enterprise environment. Three broad categories can be used to explain data-at-rest encryption corresponding to different levels or layers where the encryption is performed, and where the keys and data are stored:
- Transparent Data Encryption (TDE)
- Application-level encryption
- Storage encryption (e.g. data-warehouses and data-lakes, unstructured data of all sorts)
Key differences between data-at-rest encryption methods
| TDE | Application-level encryption | Storage (unstructured data) encryption |
| Database-only encryption | Any data encryption | Any data encryption, including disk and partitions |
| Data is encrypted and decrypted on the database (e.g. server-side), hence when sent out, it’s decrypted | Data is encrypted and decrypted on the application (e.g. client-side), hence when sent out of the database, it’s encrypted | Data is encrypted and decrypted in the storage layer, decrypted when pulled out |
| Encryption keys are managed by the database | Encryption keys are managed by the application | Encryption keys are managed in the storage layer |
| Can encrypt/decrypt columns, table or entire database | Can encrypt/decrypt columns, table or entire database | Cannot encrypt/decrypt table or column |
| Doesn’t require any change to the applications authorized to access/query the database | Requires change to applications for encrypt/decrypt and access controls. This is app specific, manual, and time consuming. | Doesn’t require any change to the applications authorized to access/query the database |
| Utilizes common encryption protocols (e.g. PKCS#11, KMIP) | Utilizes REST APIs and if applicable common encryption protocols (e.g. PKCS#11, CNG, JCE) | Utilizes common encryption protocol (KMIP) and if applicable REST APIs |
The table below summarizes where each encryption method applies.
| Encryption Level | TDE | App-Level Encryption (incl. tokenization) | Unstructured Data Encryption (EDW) |
| User space | |||
| Field/Column/Cell | |||
| Table | |||
| File / Database | |||
| Folder | |||
| OS Level | |||
| File System | |||
| Volume | |||
| HW / Sub-OS level | |||
| Partition | |||
| Disk | |||
Problem:
The stored data in databases and data-warehouses need to be encrypted at all times, yet securely accessible upon demand.
However, when the volume of data and their distribution grows, and the varied use-cases and applications that need to access that data also multiply, existing and legacy solutions fail:
- Their performance is limited
- They cannot cluster nor scale well to adapt to clustered databases or geographically distributed data-stores
- They are broken to disparate standalone solutions, further complicating the challenge, as typically more than one solution is required (e.g. TDE and tokenization).
The complexity and lack of adequate scalable solutions leads to a situation where the encryption keys are typically stored in software only stores — a clear security risk.
Fortanix Self-Defending KMS changes that status-quo
Fortanix Self-Defending KMS provides next-generation solution encompassing all the needs of data encryption, in a single, easy to use solution and with minimal TCO. Fortanix Self-Defending KMS was designed to serve the needs of modern, distributed, agile and hybrid IT environments.
All three encryption methods (and more) are delivered using one centrally managed solution. No specific-use-case clients (e.g. file encryption, TDE, app encryption) are required. Fortanix Self-Defending KMS removes the OS and application dependency (and complexity) by using REST APIs and standard cryptographic interfaces. All of our APIs and cryptographic interfaces are provided free of charge, for any number of users or applications.
Delivered as a service in a number of deployment and provisioning models, Fortanix Self-Defending KMS can easily adapt to any requirement and any deployment scenario.
Fortanix Self-Defending KMS features strict role-based-access-control and segregation of users and roles allowing customers to be confident with the security and privacy of their data in any hosted environment, while enabling compliance with regulations, such as, GDPR.
Fortanix’ core design principle is simplicity. Above all, simplicity means better security.
Available technical resources:
- Using Fortanix Self-Defending KMS with Oracle TDE
- Using Fortanix Self-Defending KMS with Microsoft SQL Server TDE
- Using Fortanix Self-Defending KMS for MongoDB Encryption at Rest
- Using Fortanix Self-Defending KMS as a KMS to secure VMware virtual environments
- Using Fortanix Self-Defending KMS for MySQL Encryption at Rest
2nd Floor, Enzyme Tech Park, 1604, 22nd Cross, HSR sector 2, Bengaluru 560102, Karnataka, India+91-9731027167
30 Cecil str #19-08 Prudential TowerSingapore 049712
Subscribe to Fortanix e-mail list
(Couple of emails per month, we promise).