Securing your data with Transparent Data Encryption

Information Technology security gets more complex each time I visit the subject. That makes the job harder for security specialists, whose role is to ensure that all potential threats are mitigated across the myriad hardware, firmware, and software that make up a modern enterprise infrastructure.

Complexities of security

The flexibility that modern companies afford employees to maximize productivity significantly increases the risk of IP theft, identity theft, information theft and information sabotage. This entails additional risks for the information that they store across their systems, which is one of their most important assets. While databases provide authentication and authorization to control access to the information within via APIs, the responsibility to protect the actual physical files containing the data is often left to another department or even distributed across multiple teams.

It is prudent for database teams to take some ownership of securing physical database files. Encryption of information on disk is a worthwhile consideration to improve security.

FUJITSU Enterprise Postgres provides Transparent Data Encryption, which supports not only the encryption of the files containing relations, but also logs, backups, and data exports. The method is so named because encryption/decryption of data written to and read from disk is transparent to the user.

The community version of PostgreSQL also has encryption options, such as one-way encryption using the pgcrypto module, or using a separate tool outside of the database to encrypt data written to disk. These won't be discussed in this post, especially since my colleague Vaishnavi recently wrote a post with an overview of pgcrypto.

Encryption

Encryption is not usually the first solution that comes to mind when securing a system and its data. Usually, when we think about security, our first goal is to prevent access by those that we don't know, and our second is to control access by those we do know. Encryption doesn't prevent access to the physical information; it only denies access to the content, that is, being able to read it.

Transparent Data Encryption

The FUJITSU Enterprise Postgres implementation conforms to the Advanced Encryption Standard (AES), which is a standard for a symmetric block cipher. Also known as Rijndael, this specification for the encryption of electronic data was established by the U.S. National Institute of Standards and Technology in 2001. It was adopted by the U.S. government in 2002 to protect classified information and is implemented throughout the world to protect sensitive data.

A block cipher applies a cryptographic key and algorithm to a block of data at a time, rather than one bit at a time as a stream cipher does.
The implementation does not increase the size of tables, indexes or logs, and adds only a small 5% overhead to data access times for the encryption and decryption of data.

Why is the overhead so small?

FUJITSU Enterprise Postgres coded Transparent Data Encryption using the Advanced Encryption Standard New Instructions (AES-NI) instruction set, so the encryption work is done by AES-NI support built into the processor. Both Intel and AMD have a range of processors that provide this feature. If you plan on using any form of encryption in your processing, it is worth ensuring that your processor is capable of this feature. Tests have shown performance increases in the range of 4 to 6 times faster than with no AES-NI support.
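
One way to run the processor check suggested above on a Linux database host, as an added example that is not part of the original post or the product: it reads /proc/cpuinfo and confirms that every logical CPU advertises the `aes` flag, which is how x86 Linux reports AES-NI. The function names and the sample guest data are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that every logical CPU advertises the x86 "aes" flag.

# Print "<cpus_with_aes> <total_cpus>" for a cpuinfo-format file.
# Defaults to /proc/cpuinfo; "-" reads standard input.
aes_cpu_counts() {
    awk -F: '
        # One "flags" line per logical CPU. Anchoring the key skips
        # look-alike lines such as "vmx flags".
        $1 ~ /^flags[ \t]*$/ {
            total++
            n = split($2, f, /[ \t]+/)
            # Exact token match: "vaes" must not be counted as "aes".
            for (i = 1; i <= n; i++) if (f[i] == "aes") { hit++; break }
        }
        END { printf "%d %d\n", hit, total }
    ' "${1:-/proc/cpuinfo}"
}

# Status 0: all CPUs advertise AES. 1: some or none do. 2: file unreadable.
aes_available() {
    counts=$(aes_cpu_counts "$1" 2>/dev/null) || return 2
    hit=${counts% *}
    total=${counts#* }
    [ "$total" -gt 0 ] && [ "$hit" -eq "$total" ]
}

# Constructed sample: a two-vCPU guest where only the first vCPU shows the flag.
sample_masked_guest() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 aes avx\n'
    printf 'processor\t: 1\nflags\t\t: fpu sse2 avx\n'
}

echo "sample guest (with AES / total): $(sample_masked_guest | aes_cpu_counts -)"

if aes_available; then
    echo "this host: AES flag present on all CPUs"
else
    echo "this host: AES flag missing or not verifiable"
fi
```

Run the check inside the virtual machine or container that will host the database, not only on the physical server, because a hypervisor's CPU model can hide the flag from guests even when the underlying processor supports it.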