Quis custodiet ipsos custodes?
Who will guard the guards themselves? – Latin
Let’s talk a little about how data is most commonly leaked from a database.
The user.
Now to be really frank and honest, there is not much we can really do about loss of data via that method, other than getting a lot more strict with how we protect our data and who has access to it.
There are a variety of tools at our disposal to help isolate access to data but when we start looking at other ways data is stolen from companies things start getting tricky.
The key, though, is that there is no single technology that provides a complete solution; rather, it takes a collection of technologies, designed to work hand in hand, to help secure the data.
The starting point is to look at each aspect of the data:
1. Data Connection (in motion)
2. Data outside the DB (at rest)
3. Data inside the database (at rest)

When dealing with data in motion you have to be aware of how the data is moved around. With SQL Server, the connection from a client, by default, is not encrypted. This is something that should be looked at immediately, for it is disturbingly easy for someone to sniff the packets of data moving around on a network and extract information. (Check out & attend our Hacking Exposé – Using SSL to Secure SQL Server Connections session if you haven’t yet.)
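A quick way to see how much of that in-motion risk applies to your instance right now is to ask SQL Server which of its current sessions actually negotiated an encrypted connection. This is an added example, not code from the original post; it uses only the built-in DMVs sys.dm_exec_connections and sys.dm_exec_sessions.

```sql
-- Added example: list client sessions whose connection is NOT encrypted.
-- encrypt_option is 'TRUE' only when SSL/TLS was negotiated for that session,
-- so anything returned here is traffic that could be sniffed on the wire.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,    -- TCP, Named pipe, Shared memory
       c.auth_scheme,      -- SQL, NTLM, KERBEROS
       c.encrypt_option    -- 'TRUE' / 'FALSE'
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'   -- local-only, never leaves the box
ORDER BY s.login_name, c.session_id;
```

Run it from a monitoring job and alert when the count is non-zero after you have forced encryption on the instance; before that, it tells you which applications and hosts you still need to fix.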
When looking at data at rest, there are a few options.
Taking SQL Server out of the equation, there are tools such as BitLocker for Windows, Linux’s built-in encryption options, and FileVault. These tools can be used to encrypt folders or entire drives in your systems. That’s great for protecting drives that may be physically pulled out of a system and read on a secondary system. Let’s be real though. With the increased portability of devices with mass amounts of storage on them, it is more likely that someone will just take the whole system. In most cases, the keys tend to be already in place, and if they can get past any startup requirements, they are into everything as if it were a normal drive or directory.
Once they are past the first line of defense, the data really starts to be at risk.
Adding SQL Server back in: if they can log in to SQL Server with integrated security, they could have access to the raw data even if you have TDE or column level encryption. This is possible because most keys are stored with the database itself, be it on a laptop for development purposes, or even on a server.
This means that TDE & column level encryption may not be able to protect your data properly.
Introducing an EKM to the equation
What protects the keys that protect your data?
An Extensible Key Management system (EKM for short) is a system that allows for the creation and management of keys away from the database. Traditionally, any symmetric and asymmetric keys used by SQL Server reside in the databases themselves. EKM allows key creation, storage, encryption and decryption to be done outside the database using a Hardware Security Module, or HSM. An HSM is a hardware device that stores keys in hardware or software modules. This is ultimately more secure, since the keys then don’t reside with the encrypted data. There are a variety of vendors that provide HSM systems (Townsend Security, SafeNet, Thales, etc.). The problem is that these aren’t always cheap systems, and therefore not an immediate solution for a lot of smaller companies. The question then becomes one of how much the protection of your data & your customers’ data is worth.
How can EKM save the data world?
It can’t. Not on its own, anyway.
It needs to be combined with the other technologies we have to protect data.
If we look at just Windows & SQL Server, we have hashing, encryption, TDE, SSL, Bitlocker, Secured VPNs, etc.
SQL Server Enterprise edition also gives the option of integrating with an HSM/EKM system.
For example, access to the HSM/EKM systems could be restricted when connected remotely via VPN. Then when a laptop is stolen, it can’t connect to the HSM/EKM via the hacked external connection and the data can’t be decrypted. It may also be possible to very quickly remove access to the HSM/EKM system from a user account that may have been compromised.
Coming back to the setup and use of an EKM: as a DBA you may have full access to everything in the database system. There are many times that the information in a database may be sensitive, and therefore you, as the DBA, should not have access to the data. If using an HSM/EKM system, your access to the keys required to decrypt sensitive data can be restricted. You then don’t have to worry about accessing something you shouldn’t and can focus on doing the DBA job you need to. The separation of duties also eases the burden on the DBA by possibly transferring that responsibility to another team, such as a security or compliance team.
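The difference between "keys stored with the database" (the TDE weakness described earlier) and "keys held in an HSM" comes down to what protects the database encryption key. The T-SQL below is an added example, not from the original post or any vendor, showing the documented EKM steps for protecting a TDE key with an HSM-resident asymmetric key; the provider DLL path, HSM key name, credential identity/secret, login and database names in angle brackets are placeholders you get from your HSM/EKM vendor and environment.

```sql
-- Added example: put the TDE protector in an HSM via EKM (Enterprise edition).
-- Placeholders in <angle brackets> come from your HSM vendor / environment.
USE master;

-- 1. Allow EKM providers on this instance.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;

-- 2. Register the vendor's EKM provider DLL.
CREATE CRYPTOGRAPHIC PROVIDER HsmProvider
    FROM FILE = '<path to vendor EKM provider DLL>';

-- 3. Credential the DBA's login uses to authenticate to the HSM.
--    Only logins holding such a credential can reach the keys (separation of duties).
CREATE CREDENTIAL HsmDbaCred
    WITH IDENTITY = '<hsm user or vault name>', SECRET = '<hsm secret>'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN [<DBA login>] ADD CREDENTIAL HsmDbaCred;

-- 4. Reference (not copy) an existing key inside the HSM. The private key
--    never leaves the device, so it is not "stored with the database".
CREATE ASYMMETRIC KEY TdeHsmKey
    FROM PROVIDER HsmProvider
    WITH PROVIDER_KEY_NAME = '<key name in HSM>',
         CREATION_DISPOSITION = OPEN_EXISTING;

-- 5. A login mapped to that key, with its own credential, so the engine can
--    open the database at startup/recovery without a human being logged in.
CREATE LOGIN TdeHsmLogin FROM ASYMMETRIC KEY TdeHsmKey;
CREATE CREDENTIAL TdeHsmLoginCred
    WITH IDENTITY = '<hsm user or vault name>', SECRET = '<hsm secret>'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN TdeHsmLogin ADD CREDENTIAL TdeHsmLoginCred;

-- 6. Protect the DEK with the HSM key instead of a certificate in master.
USE [<your database>];
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeHsmKey;
ALTER DATABASE [<your database>] SET ENCRYPTION ON;

-- 7. Verify the protector type: expect 'ASYMMETRIC KEY', not 'CERTIFICATE'.
SELECT DB_NAME(database_id) AS db, encryption_state, encryptor_type
FROM sys.dm_database_encryption_keys;
```

If the HSM is unreachable (stolen laptop off the VPN, or the compromised account's credential removed), step 6's key cannot be opened and the database stays unreadable, which is exactly the behaviour the paragraphs above are after.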
Introducing Azure Key Vault
Still in preview as of this posting, the Microsoft Azure Key Vault seems to possibly be a more affordable short-term EKM solution you can implement quite quickly. What is nice about this is that it gives a cloud based solution for Azure, 3rd party cloud, & on premise applications to be able to use an EKM solution. The costs right now for using it are around $0.50 for a key, and $0.015 per 10,000 operations. Operations can add up quickly, but it still should not break the bank completely, and it seems to be giving a bit of a push against buying & managing your own HSM / EKM hardware. What will be interesting is to learn how access is controlled in case a system is stolen and tries to connect from outside the office. Keep an eye out for future posts from us as we look some more into this new Azure technology!
Who is Chris Bell?
Chris Bell, SQL Server MVP, MCSE & MCITP, is a 20 year veteran of using Microsoft products & SQL Server to create solutions for businesses, organizations and individuals. Chris speaks, blogs, writes articles and makes media of all kinds regarding SQL Server at WaterOxConsulting.com. Chris is also the founder of WaterOx Consulting, Inc. which features SQL Server consulting services along with the destination location week-long training series: SQL Summer Camp.