Native DB Encryption Versus Third-Party Enterprise Encryption - What's the Difference?

Increasing concerns over security breaches from external and internal threats; regulatory compliance requirements from HIPAA, the HITECH Act, PCI DSS and other mandates; and the migration from physical servers to virtual machines and the cloud are prompting companies to adopt encryption as never before. Encryption protects data by transforming it into unintelligible ciphertext that is useless to anyone who does not hold the corresponding key, and it is today widely considered a security best practice.

Encryption solutions come in several different flavors. Some safeguard data and are relatively easy to use, offering the necessary key management and separation-of-duties capabilities. Others offer limited platform support or no centralized key management, can significantly impact database performance, or suffer from some combination of these issues. Once an enterprise decides to add encryption to its data security practices, it needs to choose carefully between two basic types of offering: transparent data encryption (TDE) provided natively by the database management system (DBMS), and third-party enterprise encryption, which operates independently of the database and also encrypts transparently. Each offering has distinct advantages and disadvantages.

Pros of Native Transparent Data Encryption (TDE)

Protection of database information at rest: DBMS-based TDE encrypts the database's data files, transaction logs and backups, so a stolen disk, a copied backup or a data file read from outside the database yields only ciphertext. This helps meet the data-protection requirements of regulatory and industry standards. Note the scope, however: TDE decrypts transparently for any authenticated database session, so by itself it does not stop an insider or an external attacker who already holds valid database credentials; it protects the storage layer, not access through the database.

Single supplier: At first glance, DBMS-based TDE appears to be the most logical approach. It is simple to procure; an enterprise can purchase it along with its database solution. There is only "one throat to choke" for the database, the encryption and ongoing product support.

Granularity of encryption: Depending on the vendor, DBMS-based TDE offers a choice of column-level or tablespace-level encryption. While column-level encryption is administratively more complex and constrains how encrypted columns can be indexed and queried, it offers finer granularity for encrypting only the most sensitive data, such as personally identifiable information or credit card numbers.

Cons of DBMS-Based TDE

Key management limitations: The biggest drawback of DBMS-based TDE is that it does not provide a well-defined separation of duties between database administrators and security administrators. Encryption keys are typically co-located with the data: the data encryption keys are stored inside the database itself, and the master key or certificate that protects them lives in a wallet or keystore on the same database server unless an external HSM or key manager is introduced. DBMS-based TDE therefore requires database administrators to take on the security administrator's skill set for encryption and key management, and enterprises typically need to install another layer of controls to separate management of the data from management of the keys. Regulators and auditors require companies to have secure key management policies in place and to demonstrate that keys are properly secured, governed and protected.
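As an added illustration of this point (example SQL written for this article, not code from the article itself or from Vormetric), the native Microsoft SQL Server TDE setup below shows where each key in the chain lives and who controls it. The database name PayrollDb, the certificate name TdeCert, the file paths and the passphrases are placeholders chosen for the example.

```sql
-- Added example (not from the article): the native SQL Server TDE key
-- chain. Every object below is created by one sysadmin principal and is
-- stored inside the same instance. PayrollDb, TdeCert, the paths and the
-- passphrases are placeholders for this illustration.

-- 1. Root of the chain: the Database Master Key (DMK) in master, itself
--    protected by the instance's Service Master Key on this same server.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-a-long-random-passphrase-here!';
GO

-- 2. A certificate in master that will protect the database encryption key.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE protector for PayrollDb';
GO

-- 3. The Database Encryption Key (DEK) lives inside the user database,
--    encrypted by the certificate above.
USE PayrollDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE PayrollDb SET ENCRYPTION ON;
GO

-- 4. Verification: encryption_state 3 means the data and log files are
--    fully encrypted; 2 means the background encryption scan is still running.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_type
FROM sys.dm_database_encryption_keys;

-- 5. Where the protector lives: the certificate and its private key sit in
--    master on the same server, encrypted by the DMK, not in an HSM.
SELECT name, pvt_key_encryption_type_desc, expiry_date
FROM master.sys.certificates
WHERE name = 'TdeCert';

-- 6. The key-custody moment: whoever can run this export can restore the
--    encrypted database on any other instance. Nothing in the engine
--    separates this right from routine DBA work; both come with sysadmin.
USE master;
GO
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\tde\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\tde\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = 'Another-long-random-passphrase!');
GO
```

Run as a member of the sysadmin role. The same principal that switches encryption on in step 3 can export the certificate in step 6, which is exactly the separation-of-duties gap described above; replacing the certificate with an HSM-backed asymmetric key through SQL Server's Extensible Key Management is the "another layer of controls" the paragraph refers to.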

Homogeneity: DBMS-based TDE protects only a specific database platform, such as Oracle or Microsoft SQL Server. Many enterprises, however, run heterogeneous environments with databases from several vendors, which results in numerous instances of different encryption solutions and multiple sets of encryption keys. Each database platform requires expertise in its own encryption and key management methods when DBMS-based TDE is used. The result is a key management burden that grows with every platform added and is very difficult to operate securely.

Cost: The natural expectation is that DBMS-based TDE is more economical because it is bundled with the database. However, database vendors generally offer TDE only with the higher-priced editions of their products, and often charge an additional fee to "unlock" the encryption functionality. In addition to acquisition and operational costs, DBMS-based TDE relies on an external hardware security module (HSM) or key manager to keep the master keys off the database server, which increases the total price of a TDE deployment. Enterprises running multiple encrypted database instances typically need HSM capacity for each (one per server, or a network HSM) to secure and control the encryption keys.

Limited protection: DBMS-based TDE cannot secure information associated with the database but stored outside it, such as extract-transform-load (ETL) data, spreadsheets and reports that live as files in a file system. Likewise, DBMS-based TDE cannot encrypt unstructured data held in repositories outside the database, such as file servers.

Pros of Third-Party Enterprise Encryption

Data protection across platforms: There are several proven enterprise, or third-party, encryption solutions. The best offer a transparent, file-based approach to encryption that can protect both structured data (in databases) and unstructured data such as PDF files, spreadsheets and reports.

Separation of duties: Companies need centralized key management systems with secure storage, life-cycle management, auditing and separation of duties between the system, database and security administrators. Good third-party enterprise encryption solutions ensure that keys are provisioned only to authorized personnel and applications.

Separation of functionality: The database and the encryption functionality are independent of one another, so encryption and decryption are performed below the database (for example at the file-system layer) rather than by the database engine itself. This lets the database operate at optimal performance while encryption remains transparent to the database and its users.

Cons of Third-Party Enterprise Encryption

Limited Platform Support: Some enterprise solutions support only a limited number of platforms and cannot protect data once it has been extracted from the database, i.e., unstructured data. To be effective, an enterprise solution should work across a wide variety of platforms and data types in any environment that enterprises use today or might move to in the future, including cloud computing. This eliminates the cost of deploying and managing multiple data security solutions.

Cost: Third-party enterprise encryption certainly has acquisition and operational costs, yet it provides consistent security across multiple databases and data types. These solutions also eliminate the per-database-server HSM expense associated with DBMS-based TDE, since key management is integrated into the third-party enterprise encryption system.

What to Look for in Enterprise Encryption Products

Broad Platform Support: There are a wide variety of third-party enterprise encryption solutions, so careful consideration of their features (or lack thereof) is essential when choosing among them. Many of the newer solutions support only a single operating system or a very limited number of platforms. With more data migrating to the cloud and running in any number of environments, it is essential that the encryption solution support heterogeneous databases, servers and storage, whether virtual or physical, on-premises or in the cloud.

Centralized Policy and Key Management: This provides the most efficient enterprise-wide approach to audit, access control and key life-cycle management, driven by policy.

The solution should be easy to administer, yet protect encryption keys so they cannot be accessed by unauthorized personnel. It should provide centralized administration for the creation and distribution of encryption policies and keys, and for event log collection and reporting. To protect the integrity of the encrypted data, the solution needs to separate the roles of the system administrator, the security administrator and the database administrator.

Scalability: The solution should scale with the organization's business needs. Scalability in this context means the ability to support large numbers of database instances (in the thousands, for example), file systems and large data sets.

Support of Physical/Virtual/Cloud Environments: The enterprise might be doing little with virtualized and cloud environments today and may have no immediate plans to do so. However, virtualization and the cloud will inevitably become essential elements of corporate IT operations. If the organization wants to implement virtualization or cloud computing, it will need an encryption solution that will move there seamlessly.

Transparency: The encryption solution must be transparent to streamline deployment and minimize operational and administrative burdens. Deployment should not require changes to the database, applications and storage or any other part of the existing IT infrastructure. This ensures that the encryption solution can be deployed within the change window planned by IT personnel.

In many industries, encryption is becoming a security and regulatory requirement for today's enterprises. To choose the right solution for your organization, begin by comparing the pros and cons of DBMS-based TDE and third-party enterprise encryption solutions and then mapping the capabilities of each approach to your business needs.

To learn more about the pros and cons of native transparent data encryption (TDE) versus third-party enterprise encryption, download this complimentary white paper from Vormetric: Understanding and Selecting TDE: Native vs. External Approaches

About the author:

Ashvin Kamaraju is vice president of product development and partner management for data security vendor Vormetric.