Data Security - Encryption Strategies for Data at Rest: Protecting Enterprise DBMS Data (Blue Oasis Technologies, Inc, 2005)
Post on 26-Dec-2015
Data Security - Encryption Strategies for Data at Rest
Protecting Enterprise DBMS Data
Presenter Background
• Michael McGrattan - CISSP, PMP, OCP
  – Director of Data Management
  – Blue Oasis Technologies
• 12 years of Information Technology experience
  – Data Management
  – Information Security
  – Corporate Compliance
• Currently working on Sarbanes-Oxley IT General Computer Control (Section 404) compliance with a Fortune 500 company.
Presentation Overview
• Electronic Data
  – Structured (predetermined data types and understood relationships - i.e. data stored and managed by a DBMS)
  – Unstructured (no conceptual definition and no data type definition – i.e. data stored in a document or email message)
• Primary States
  – "Data at Rest" – persistent data residing on storage media
    • Desktops/Laptops
    • Email servers
    • File servers
    • Database Management Systems (DBMS)
  – "Data in Transit" – data moving across the network
    • Within the Data Center
    • Within the internal Corporate network
    • External to the Corporate network
• What are we going to discuss today?
  – Encrypting structured "Data at Rest" in enterprise DBMS
PART 1
Database Encryption Architectures
Business Drivers
• Current State, Federal, and Industry Legislation
  – California Senate Bill No. 1386 (SB1386)
  – Health Insurance Portability and Accountability Act (HIPAA)
  – Gramm-Leach-Bliley Act (GLBA)
  – Visa's Cardholder Information Security Program (CISP)
  – PCI Data Security Standard
• Future Legislation
  – S.1350 – "Notification of Risk to Personal Data Act"
• Corporate Policies
• Defense in Depth Programs
• Segregation of Duties
Primary Objectives
• Ensure confidentiality of data
• Minimize performance and operational impacts
• Maximize application transparency
Breaches in Data Security
• Hacking
  – DSW - Database breach – 1.4 million credit card transactions
  – CardSystems – Database breach – 40 million credit card customers
• Cons and Scams
  – BofA - Insider information – 676,000 bank customers
  – ChoicePoint – Imposters – 145,000 financial accounts
• Lack of Care
  – CitiFinancial - Lost parcel of tapes – 3.9 million customers
• Stolen Hardware
  – UC Berkeley - Stolen laptop – 98,400 graduate students
  – Time Warner – Stolen backup tapes – 600,000 employees
  – MCI – Stolen laptop – 16,500 employees
* Personally
  – Undergraduate College – disclosure of SSN and personal info
  – LexisNexis – disclosure of SSN and personal info
Encryption Architecture Overviews
• Essential to categorize architectures
  – Clarifies market solutions
  – Different technical, operational, and procedural issues
  – Enforces understanding for all stake-holders
• Categorization criteria for today's discussion
  – "Initiation point of cryptography processing"
• 3 Categories of Architectures
  – Application
  – Database (DBMS)
  – Operating System
Application Encryption Architectures
• "Initiation point" at application layer
• Advantages
  – Addresses wide-range of confidentiality threats
  – Granular encryption control
• Disadvantages
  – Not application transparent
  – Inability to support all "touch points"
[Diagram labels: APP LAYER with Crypto API and Crypto Services, DB LAYER, OS LAYER; cryptography is initiated in the APP LAYER]
Database Encryption Architectures
• "Initiation point" at database layer
• Advantages
  – Degree of application transparency
  – Centralization of encryption processing
  – Potential to support all "touch points"
• Disadvantages
  – Performance impacts
  – Disparate DBMS support
[Diagram labels: APP LAYER, DB LAYER with Extended Procs and Crypto Services, OS LAYER; cryptography is initiated in the DB LAYER]
OS Encryption Architectures
• "Initiation point" at operating system layer
• Advantages
  – Application transparent
  – Supports all "touch points"
• Disadvantages
  – Reliance on the DBMS procedural controls to protect data
  – Limited "Segregation of Duties" options at database layer
[Diagram labels: APP LAYER, DB LAYER, OS LAYER with I/O Sub-system and Crypto Services; cryptography is initiated in the OS LAYER]
Risk
• Risk is a function of the likelihood of a given perpetrator(s) exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization [1]
• "Likelihood" and "Impact" often difficult to quantify
• Threats are always present, but vulnerabilities are flaws or weaknesses that make a threat more likely to be successful or have a significant impact
• Minimally, qualitative analysis can be used to assess threats and associated vulnerabilities
• Quantitative analysis more challenging in absence of relevant statistical data
[1] NIST Risk Management Guide for Information Technology Systems
DBMS Confidentiality Threats
THREATS* (matrix columns APP, DB, OS mark which encryption architecture addresses each threat)
– Direct database access by administration accounts
– Direct database access by security accounts
– Direct database access by user accounts
– Direct database access by application accounts
– Direct database access by business process accounts
– Theft of database backups or backup media
– Operating System exploits
– DBMS exploits
– Application or business process exploits
– Application access by application users
– Theft of physical computer system
– Theft of database data files
[Matrix marks as extracted: APP column marked for 10 of the 12 threats, DB column for 10 of 12, OS column for 4 of 12; which rows carry each mark is not recoverable from this transcript]
* Does not include potential threats once the data has left the management structure of the DBMS
Current Market Place
• Two main categories of solutions
  – Encryption toolkits and APIs
  – Packaged Encryption Solutions
• Players in the market place
  – DBMS Vendors
  – Commercial Application Vendors
  – Application Platforms
  – Security Vendors
Product Evaluation Criteria
• Vendor Support - The compatibility of the vendor solution with the application, database, and operating system platforms and versions of the enterprise computing environment.
• Access Controls - The mechanisms and granularity of control the solution provides with respect to segregation of duties and existing access controls.
• Key Management - The protocols and controls surrounding the storage, maintenance, and retrieval of encryption keys.
• Management Console - The user interface for administering and managing the encryption solutions.
• Cryptography - The compatibility of the solution's cryptography standards with those defined by the organization's security policies.
Product Evaluation Criteria (cont.)
• Remote Administration - The remote administration capabilities of the encryption solution.
• Application Transparency - The aspects of the encryption architecture that would require the customization of existing applications and business processes to integrate with the solution.
• Performance Impact - The performance impact of the encryption solution on application, database, and system resources.
• Database Administration - The configuration, management, and operational impact of the encryption solution on the database administration teams.
• Cost - The license, support, implementation, and maintenance costs associated with the encryption solution.
Application Centric Solutions
• Eruces Tricryption Engine
  – www.eruces.com
  – Segregation of processing components
  – Extensible storage solution of encryption keys
• nCipher
  – www.ncipher.com
  – Language agnostic XML interface for crypto processing
  – Segregated HSM
• RSA BSafe
  – www.rsa.com
  – Well-respected security vendor
  – ClearTrust management interface
Database Centric Solutions
• Application Security DBEncrypt
  – www.appsecinc.com
  – Ease of use
• IBM Data Encryption for IMS and DB2
  – www.ibm.com
  – Hybrid Database/OS centric solution
• Oracle DBMS_CRYPTO
  – www.oracle.com
  – Enhancements from 9i DBMS_OBFUSCATION_TOOLKIT
• Protegrity Secure.Data
  – www.protegrity.com
  – Recently back in the market place
• Sybase and SQL Server
  – www.sybase.com
  – www.microsoft.com
OS Centric Solutions
• Vormetric CoreGuard
  – www.vormetric.com
  – Application and database transparency
Alternatives to Encryption
• Start with the obvious AND THEN justify need!!!
  – Implementing database encryption solutions is non-trivial
  – Numerous "house keeping" measures should be addressed first
• Reduce unnecessary propagation of sensitive data assets
  – Identify sensitive data assets
  – Identify all "touch points"
  – Identify all process flaws
  – Focus on and resolve unnecessary propagation
• Enforce strict database procedural controls
  – Principle of least privilege
  – Strict authentication, authorization, access restrictions
PART 2
A Deeper Look at the Mechanics of Database Encryption
Database Centric Solution
• Application Security DBEncrypt
  – www.appsecinc.com
  – Version 2.1
  – SQL Server 2000
  – Windows 2000
• Test will include encrypting sample 'TEST_TABLE' elements

    create table TEST_TABLE
      (id            integer        null,
       col_integer   integer        null,
       col_numeric   numeric(10,2)  null,
       col_char      char(40)       null,
       col_varchar   varchar(40)    null,
       col_datetime  datetime       null)
Encryption Setup
• When DBEncrypt encrypts a table column, a series of related database objects are created
  – Recreates original table and changes name to '<table_name>_base'
  – Column datatype for encrypted column changed to accommodate the encrypted value
  – 2 views created: '<table_name>' and '<table_name>_dbe'
  – '<table_name>' view simply references '<table_name>_dbe' view
  – '<table_name>_dbe' view responsible for making necessary procedure calls to decrypt encrypted column data
  – View is the key to the application transparency!! - The fact that the original table '<table_name>' is now a view is transparent to existing SQL logic so long as the view '<table_name>' supports the necessary DML (Data Manipulation Language) operations INSERT, UPDATE, SELECT, and DELETE
  – Ability to handle DML operations accomplished via 'Instead of Triggers' '<table_name>_dbe_ins_trg', '<table_name>_dbe_upd_trg'
  – SELECT and DELETE operations do not require explicit trigger logic
Database Objects
• Base table (encrypted columns widened to varbinary/char(80)/varchar(80) to hold ciphertext; a missing comma before dbe_row_id in the original listing has been restored)

    CREATE TABLE TEST_TABLE_base
      (id            integer        null,
       col_integer   varbinary(20)  null,
       col_numeric   varbinary(20)  null,
       col_char      char(80)       null,
       col_varchar   varchar(80)    null,
       col_datetime  datetime       null,
       dbe_row_id    integer        identity(1,1))

• View carrying the original table name

    CREATE VIEW TEST_TABLE WITH VIEW_METADATA AS
      SELECT id, col_integer, col_numeric, col_char, col_varchar, col_datetime
      FROM TEST_TABLE_dbe
Database Objects (cont.)
• Decrypting view (second argument of each dbe_* call is the key identifier; 'AES' and 'CTS' select the algorithm and mode)

    CREATE VIEW TEST_TABLE_dbe WITH VIEW_METADATA AS
      SELECT id,
             master.dbo.dbe_view_decrypt_int(col_integer, '2', 'AES', 'CTS') as 'col_integer',
             cast(master.dbo.dbe_view_decrypt_num(col_numeric, '3', 'AES', 'CTS')
                  as numeric(10,2)) as 'col_numeric',
             convert(char(40), master.dbo.dbe_decrypt_stringc(col_char, '4', 'AES', 'CTS')) as 'col_char',
             master.dbo.dbe_decrypt_string(col_varchar, '5', 'AES', 'CTS') as 'col_varchar',
             col_datetime,
             dbe_row_id,
             col_integer as col_integer_encrypted,
             col_numeric as col_numeric_encrypted,
             col_char    as col_char_encrypted,
             col_varchar as col_varchar_encrypted
      FROM TEST_TABLE_base
Database Objects (cont.)
• Instead-of insert trigger (body abbreviated on the slide)

    create trigger TEST_TABLE_dbe_ins_trg on TEST_TABLE instead of insert
    …
      insert into TEST_TABLE_base
        (id, col_integer, col_numeric, col_char, col_varchar, col_datetime)
      values (@update_id,
              master.dbo.dbe_trg_encrypt_varbinary(cast(@update_col_integer as varbinary(4000)), '2', 'AES', 'CTS'),
              master.dbo.dbe_trg_encrypt_varbinary(cast(@update_col_numeric as varbinary(4000)), '3', 'AES', 'CTS'),
              master.dbo.dbe_trg_encrypt_char(@update_col_char, '4', 'AES', 'CTS'),
              master.dbo.dbe_trg_encrypt_varchar(@update_col_varchar, '5', 'AES', 'CTS'),
              @update_col_datetime)
    …
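To make the view-and-trigger mechanics of the last three slides concrete, here is an added example (not DBEncrypt's code) that rebuilds the same object layout on SQLite through Python's sqlite3, with a stand-in keyed stream cipher in place of the product's AES/CTS functions; the dbe_* naming follows the slides, while KEY, the cipher and the trigger and view bodies are this example's own assumptions. It shows unchanged application DML working through the TEST_TABLE view while a direct read of TEST_TABLE_base returns only ciphertext.

```python
import hashlib
import os
import sqlite3

# Constructed demo key; DBEncrypt keeps keys in its own store under separate
# control, so a hard-coded key is acceptable only for this offline demo.
KEY = b"demo-key-not-for-production"


def _keystream(nonce: bytes, length: int) -> bytes:
    """Keyed stream from SHA-256(key || nonce || counter) blocks (stand-in, not AES/CTS)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def dbe_encrypt(value):
    """Stand-in for master.dbo.dbe_trg_encrypt_*: nonce || (plaintext XOR keystream)."""
    if value is None:
        return None
    plain, nonce = str(value).encode(), os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))


def dbe_decrypt(blob):
    """Stand-in for master.dbo.dbe_view_decrypt_*: strip the nonce, reverse the XOR."""
    if blob is None:
        return None
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()


def build_encrypted_schema() -> sqlite3.Connection:
    """Rebuild a plain TEST_TABLE as _base table + two views + INSTEAD OF triggers."""
    con = sqlite3.connect(":memory:")
    con.create_function("dbe_encrypt", 1, dbe_encrypt)
    con.create_function("dbe_decrypt", 1, dbe_decrypt)
    con.executescript("""
        -- The table as the application created it (a subset of the slide's columns).
        CREATE TABLE TEST_TABLE (id INTEGER, col_varchar VARCHAR(40), col_datetime TEXT);
        -- 1. Original table becomes <table_name>_base. SQLite's rowid stands in for
        --    the dbe_row_id identity column; the encrypted column will hold a BLOB.
        ALTER TABLE TEST_TABLE RENAME TO TEST_TABLE_base;
        -- 2. The _dbe view makes the decrypt calls and also exposes the ciphertext.
        CREATE VIEW TEST_TABLE_dbe AS
            SELECT id, dbe_decrypt(col_varchar) AS col_varchar, col_datetime,
                   rowid AS dbe_row_id, col_varchar AS col_varchar_encrypted
            FROM TEST_TABLE_base;
        -- 3. The original name is now a view that simply references the _dbe view.
        CREATE VIEW TEST_TABLE AS
            SELECT id, col_varchar, col_datetime FROM TEST_TABLE_dbe;
        -- 4. INSTEAD OF triggers encrypt on the way into the base table. SQLite
        --    views need one for DELETE too (the SQL Server setup did not).
        CREATE TRIGGER TEST_TABLE_dbe_ins_trg INSTEAD OF INSERT ON TEST_TABLE
        BEGIN
            INSERT INTO TEST_TABLE_base (id, col_varchar, col_datetime)
            VALUES (NEW.id, dbe_encrypt(NEW.col_varchar), NEW.col_datetime);
        END;
        CREATE TRIGGER TEST_TABLE_dbe_upd_trg INSTEAD OF UPDATE ON TEST_TABLE
        BEGIN
            UPDATE TEST_TABLE_base SET col_varchar = dbe_encrypt(NEW.col_varchar),
                   col_datetime = NEW.col_datetime WHERE id = OLD.id;
        END;
        CREATE TRIGGER TEST_TABLE_dbe_del_trg INSTEAD OF DELETE ON TEST_TABLE
        BEGIN
            DELETE FROM TEST_TABLE_base WHERE id = OLD.id;
        END;
    """)
    return con


def run_application_dml(con: sqlite3.Connection) -> dict:
    """Unchanged application SQL against TEST_TABLE, and what direct base-table access sees."""
    con.execute("INSERT INTO TEST_TABLE (id, col_varchar, col_datetime) VALUES (?, ?, ?)",
                (1, "secret-account-1", "2005-01-01"))
    con.execute("UPDATE TEST_TABLE SET col_varchar = ? WHERE id = ?", ("secret-account-2", 1))
    app_sees = con.execute("SELECT col_varchar FROM TEST_TABLE WHERE id = 1").fetchone()[0]
    # Direct access to the base table (the "administration accounts" threat on the
    # matrix slide) bypasses the view and gets ciphertext, not plaintext.
    base_sees = con.execute("SELECT col_varchar FROM TEST_TABLE_base WHERE id = 1").fetchone()[0]
    con.execute("DELETE FROM TEST_TABLE WHERE id = 1")
    rows_left = con.execute("SELECT COUNT(*) FROM TEST_TABLE_base").fetchone()[0]
    return {
        "app_sees": app_sees,
        "base_is_ciphertext": isinstance(base_sees, bytes) and b"secret-account-2" not in base_sees,
        "base_round_trip": dbe_decrypt(base_sees),
        "rows_after_delete": rows_left,
    }
```

Note that the keystream here provides confidentiality only; it is an illustration of where encryption is initiated, not a replacement for a vetted cipher and mode.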
Performance Test Logic
• SQL script created to exercise DML operations: INSERT, UPDATE, SELECT, DELETE
• SQL script executed a total of 15 times
  – 5 Test Sets
  – Test set for each number of encrypted columns:
    • 0, 1, 2, 3, 4
  – Test set run values:
    • 1000 rows, 10,000 rows, and 100,000 rows
Performance Results

DBEncrypt Total Time (Seconds) of DML Operations with Encrypted Columns

                     |          1,000 ROWS               |          10,000 ROWS              |          100,000 ROWS
ENCRYPTED COLUMNS    | INSERTS  UPDATES  SELECTS DELETES | INSERTS  UPDATES  SELECTS DELETES | INSERTS   UPDATES   SELECTS DELETES
0                    |   6.766     .016     .000    .016 |  64.623     .140     .030    .110 |  642.430     6.156     .563   5.513
1                    |   6.936    2.283     .546    .030 |  65.093   36.016    5.326    .140 |  646.930  1637.116   55.390   3.296
2                    |   7.153    4.033    1.076    .033 |  73.983   53.533   10.750    .156 |  745.506  1806.303  107.610   1.810
3                    |  10.063    6.343    1.766    .046 |  94.173   98.106   17.420    .280 |  923.443  2511.420  177.233   7.076
4                    |  13.200    7.656    2.360    .030 | 126.716   93.653   22.483    .203 | 1267.640  2878.353  227.263   4.250

DBEncrypt CPU Utilization (Average Percentage) of DML Operations with Encrypted Columns

                     |          1,000 ROWS               |          10,000 ROWS              |          100,000 ROWS
ENCRYPTED COLUMNS    | INSERTS  UPDATES  SELECTS DELETES | INSERTS  UPDATES  SELECTS DELETES | INSERTS  UPDATES  SELECTS DELETES
0                    |   1.329    0.000    0.000   0.000 |   1.810    2.342    0.000   0.000 |   1.941    7.635   15.384   4.218
1                    |  19.084   38.280   49.218   0.000 |  16.194   50.411   50.918   0.000 |  16.464   50.555   49.121  12.467
2                    |  23.412   47.076   48.461   0.000 |  22.930   49.592   49.786   0.000 |  22.866   50.478   49.963  24.999
3                    |  24.641   46.800   48.827   0.000 |  27.355   49.994   49.495   0.000 |  27.554   50.381   49.595   5.468
4                    |  22.179   52.245   55.078   0.000 |  24.136   50.132   49.181   0.000 |  24.463   50.516   49.651  11.522
Execution Duration
[Charts: DBEncrypt Insert, Update and Select Performance for Encrypted Columns; x-axis Encrypted Columns (0 to 4), y-axis Seconds (Insert 0-1500, Update 0-4000, Select 0-250); series 1,000 rows, 10,000 rows, 100,000 rows. Values are those in the Performance Results table above.]
CPU Utilization
[Charts: DBEncrypt Insert, Update and Select Performance for Encrypted Columns; x-axis Encrypted Columns (0 to 4), y-axis CPU Utilization (0-100%); series 1,000 rows, 10,000 rows, 100,000 rows. Values are those in the Performance Results table above.]
DBEncrypt (2.1) Limitations
• Columns cannot be involved in a primary key/foreign key relationship
• Column must have a data type of varchar, char, int, smallint, tinyint, decimal, numeric, money, smallmoney, nvarchar, nchar
• Column data size for varchar and char data types must not exceed 4000
• Column data size for nvarchar and nchar data types must not exceed 1000
• Column cannot already be encrypted through DBEncrypt
• Column cannot be indexed
• Column cannot have a rule set on it
• Column cannot be computed
• Table must not have any columns with a default value
• Table must not have a trigger
• Table must not have a full text index
• Bulk Inserts not permitted
• Truncate Table not permitted
Database Design Considerations
• Design is a significant part of the effort!!!
  – Easy to miss critical components
  – Reactively addressing issues will lead to failure
• Design Areas
  – Table Keys
  – Stored Procedures and Functions
  – SQL Logic
  – SQL Operations
  – Datatypes
  – Key Storage
Conclusion
• Q&A
• Michael McGrattan
  – Director of Data Management
  – Blue Oasis Technologies
  – mmcgrattan@blueoasistech.com
  – 858 335 1659