IT Baseline Protection Manual S 4.72 Database encryption


Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators, application developers

Depending on the type of information stored in a database and the related requirements of confidentiality and integrity, it might be necessary to encrypt this data. A distinction can be made between online and offline encryption here:

Furthermore, it is possible to save data as plain text in the database, but transmit it in encrypted form during access via a network. This can be realised, for example, with the Secure Network Services of the Oracle SQL*Net product group.

Which data should be encrypted, and with which techniques, is best decided during selection of the standard database software (refer to S 2.124 Selection of suitable database software). During this process, the data encryption requirements should be compared with the corresponding features of the database software. At a minimum, however, it should be ensured that the passwords of the database user IDs are stored in encrypted form.

If none of the standard database software available on the market can completely fulfil the encryption requirements, the use of add-ons should be considered for the purpose of closing the security gaps. If no add-ons are available either, a concept for implementing an encryption strategy at the corporation or authority should be prepared.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999