SQL Server 2008 introduced Transparent Data Encryption (TDE). Its goal is to protect data at rest by encrypting the physical database files, the data (.mdf) and log (.ldf) files, page by page, rather than encrypting individual columns or values inside the database.
The encryption is meant to be fully transparent to the applications that access the database.
It accomplishes this by encrypting pages with AES (or Triple DES, which is deprecated) as they are written to disk and decrypting them as they are read back into memory.
Because pages are plaintext once in memory, no restrictions are placed on how an encrypted database can be queried. This is effectively real-time I/O encryption and decryption, and it does not change the size of the database.
In this guide, we’ll discuss TDE in more detail and take a look at some of the benefits of using this process.
What is Transparent Data Encryption?
TDE (Transparent Data Encryption) was introduced in SQL Server 2008 as a mechanism to protect data "at rest", that is, data that has been written to disk.
That covers the data files and log files of every TDE-enabled database, backups of those databases, database snapshot files, and anything SQL Server spills to disk in tempdb (tempdb is encrypted automatically as soon as any user database on the instance is encrypted).
TDE primarily uses the Advanced Encryption Standard (AES). When setting up TDE you choose the key length: AES 128, AES 192, or AES 256. The number is the length of the key in bits.
The longer the key, the harder an exhaustive search becomes. Even for AES 128, estimates of how long a brute-force attack would take range from thousands of years to far longer, depending on how processing power is assumed to grow.
Even by the most conservative estimates, AES 128 is sufficient in almost all circumstances, but most people choose AES 256, whose key space is 2^128 times larger, not merely twice as large. In practice the realistic attack on TDE is not brute force but theft of the certificate and private key that protect the database encryption key, so how that certificate is stored and backed up matters more than the key length.
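As an added example that is not part of the original article, the T-SQL below walks through the key hierarchy described above on SQL Server: a database master key in master protects a server certificate, the certificate protects the database encryption key (DEK), and the DEK encrypts the pages. The database name SalesDB, the certificate name TdeServerCert, the file paths and the passwords are placeholders.

```sql
-- Added example: enabling TDE on a SQL Server database and checking the result.
-- SalesDB, TdeServerCert, the file paths and the passwords are placeholders.

USE master;
GO

-- 1. Database master key (DMK) in master. It protects the certificate's
--    private key. Only created if the instance does not already have one.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Strong-Passphrase-1!';
GO

-- 2. Server certificate that will protect the database encryption key.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TdeServerCert')
    CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate for SalesDB';
GO

-- 3. Back up the certificate AND its private key immediately. Without this
--    pair, TDE-encrypted backups cannot be restored on another instance.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'D:\TDEKeys\TdeServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDEKeys\TdeServerCert.pvk',
        ENCRYPTION BY PASSWORD = 'Replace-With-Another-Strong-Passphrase-2!'
    );
GO

-- 4. Database encryption key (DEK) inside the user database. AES_256 is the
--    key length discussed above; TRIPLE_DES_3KEY is deprecated and avoided.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO

-- 5. Turn encryption on. Existing pages are encrypted by a background scan;
--    the database stays online and queryable throughout.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- 6. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb shows up here as soon as any user database is encrypted, and a
--    NULL pvt_key_last_backup_date means step 3 was skipped.
SELECT DB_NAME(k.database_id)     AS database_name,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       k.percent_complete,
       c.name                      AS certificate_name,
       c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates    AS c
       ON c.thumbprint = k.encryptor_thumbprint;
```

Run it as a sysadmin in sqlcmd or SQL Server Management Studio. Step 3 is the one most often skipped and the one that turns a lost server into lost data: the .bak files are useless without the certificate and its private key, so keep the .cer/.pvk pair and its password somewhere separate from the database backups and re-run the verification query periodically to catch certificates that were never backed up.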
How This Works
Oracle Database implements the same idea. Its Transparent Data Encryption (TDE) can encrypt sensitive data in individual columns or in whole tablespaces. When authorized users or programs access the encrypted data, it is transparently decrypted. TDE protects data stored on media (data at rest) if the storage medium or data file is lost or stolen.
Oracle Database secures data inside the database with authentication, authorization, and auditing, but those controls do not extend to the operating system data files in which the data is kept. Transparent Data Encryption (TDE) is Oracle's mechanism for safeguarding those files.
TDE encrypts the data files that hold sensitive information and keeps the master encryption key in a keystore outside the database, so an attacker who obtains the files alone cannot decrypt them.
Oracle Key Vault can be configured as part of the TDE implementation. This allows you to manage TDE keystores throughout your organization from a single location. You can, for example, upload a keystore to Oracle Key Vault and then ensure that the keystore's contents are available to another TDE-enabled database. For more information, see Oracle Key Vault Administrator's Guide.
How This Impacts Business Intelligence
The short answer?
Not in any way a report author or query writer will notice.
Business Intelligence is about querying the database, turning data into visualizations, generating reports, sharing data with user-level security, and so on. TDE changes none of that: queries, schemas, and result sets are identical to those of an unencrypted database. The only cost is a small amount of CPU spent encrypting and decrypting pages at the I/O boundary.
As the name implies, it is transparent, and we highly recommend it. However, having invested in TDE, you don't want to undermine that investment by pairing it with a BI tool that is weak on data security.
Data encryption aims to keep information readable only by those who are authorized to access it. The idea rests on humanity's long history of encoding messages, known as cryptography.
Even with contemporary computing power, some historical texts, such as the Renaissance-era Voynich manuscript, have never been deciphered. Encryption that resists attack this well is just as valuable to those exposing data through BI tools in their applications.
The Benefits of Transparent Data Encryption
Some benefits of transparent data encryption include:
- It ensures that sensitive data is encrypted at rest, helps meet compliance requirements, and keeps encryption operations simple.
- As a security administrator you can be confident that sensitive data is encrypted, and therefore protected, if the storage media or a data file is stolen.
- TDE helps address security-related regulatory compliance requirements.
- No supplementary tables, triggers, or views are required to decrypt data for an authorized user or application. Table data is transparently decrypted for them, and they do not need to know that it is encrypted on disk. Robust encryption can therefore be added to an application that processes sensitive data with minimal or no application changes; the database handles encryption and decryption.
- Data can be encrypted with no downtime on production systems by using online table redefinition, or offline during a maintenance window.
- Oracle Database simplifies the management of TDE master encryption keys and keystores. Neither the user nor the application has to manage TDE master encryption keys.
The Challenges of Transparent Data Encryption
The challenges of transparent data encryption include:
- TDE only encrypts data at rest. Data in motion, data held in application memory, and data returned to any login with SELECT permission are all plaintext, so TDE offers no protection against a compromised account or SQL injection.
- All of the data in the database is encrypted, not just the sensitive columns, so the CPU cost is paid on every page read and written.
- Encrypted pages compress poorly, so backup compression on a TDE-enabled database achieves far lower ratios than on an unencrypted one (SQL Server 2016 and later can compress TDE backups if MAXTRANSFERSIZE is set larger than 64 KB).
- Key management becomes critical: a TDE-encrypted backup cannot be restored without the certificate or master key that protects the database encryption key, so that key material must be backed up and stored separately from the database backups.
How Can Yurbi Help with Transparent Data Encryption?
We have already established the importance of transparent data encryption and that, as the name implies, it adds its layer of security without being noticed by a query or a business intelligence workload.
But what happens once the data is in motion, after it leaves the encrypted files and is handed to users? That is when you need a BI solution with a focus on security.
That's where Yurbi comes in. Yurbi has everything you need to support end-to-end data security.
Yurbi includes multiple levels of security:
- Access: Determines whether and how a user can communicate with a data source.
- Role-Based: Determines what a user can do with a data source (view only, query, or higher-level functions)
- Security Groups: Controls what dashboards and reports can be viewed by a user and what access role they have to those objects.
- Multi-tenant: Restricts a user to only the data they are allowed to see, whether a tenant or sub-tenant. In addition, Yurbi provides dynamic data source connection strings to support single-tenant models.
- Two-Factor Authentication: Currently, we support the Cisco Duo 2FA solution, with SAML and other options on the roadmap.
- Audit and Data Governance: Monitor what all users are doing within the system, in real time and historically.
Maximize your investment in TDE with a white-label, embedded analytics solution that protects your data while it is being used by your users, not just "at rest."
Reach out to us to schedule a meeting or a free live demo session to see what Yurbi can bring to the table.