Information security professionals should start considering cryptographic approaches to protect enterprise data and mitigate database breaches. System security in layers provides an approach for many organizations today. However, these approaches depend on human factors. Cryptographic measures ensure that databases are protected even if a database is stolen or there is an insider attack.
Professionals need to start today by evaluating and building cryptographically secure databases. By starting now, professionals will be able to accurately assess the impact, development requirement, operational support and costs. Then, an accurate model can be shared with management to deploy into the enterprise environment.
At first glance, it seems paradoxical to encrypt data yet perform queries. How will an analyzer read or compute the data when the data are encrypted? Fortunately, advances have been made in cryptography research that enable analysis and computation on encrypted data. One approach is to encrypt the data and then compute over the encrypted data. Thus, only the resulting output is revealed rather than requiring the database to be stored in plaintext. Another approach is to have onion layering, whereby unmodified Structured Query Language (SQL) queries are executed over the encrypted data. However, the data have particular encryption to enable range queries, sorting and filtering.
A more recent approach is to enable learning over privatized data. No encryption needs to be performed, nor is there any key management required. Privatized data are stored in such a way that in the event of a breach, there is no personally identifiable information that is leaked.
Given the multitude of recent advances in cryptography and privacy techniques, there is little reason that data should be stored in plaintext. Security professionals must protect databases from external and internal threats. There is a small performance penalty that must be paid to achieve this notion of stronger security. Encryption or privatization must be performed up front. Subsequent processing and analysis will be over the encrypted or privatized data. However, the net benefit is a significant improvement in security defenses and no more plaintext databases.
Read Josh Joy’s recent Journal article:
“Toward Encrypted and Private Databases,” ISACA Journal, volume 1, 2018.