Portals eNewsletters Web Seminars dataWarehouse.com DM Review Magazine
DM Review | Covering Business Intelligence, Integration & Analytics
   Covering Business Intelligence, Integration & Analytics Advanced Search
advertisement

RESOURCE PORTALS
View all Portals

WEB SEMINARS
Scheduled Events
Archived Events

RESEARCH VAULT
White Paper Library
Research Papers

CAREERZONE
View Job Listings
Post a job

Advertisement

INFORMATION CENTER
DM Review Home
Newsletters
Current Magazine Issue
Magazine Archives
Online Columnists
Ask the Experts
Industry News
Search DM Review

GENERAL RESOURCES
Bookstore
Buyer's Guide
Glossary
Industry Events Calendar
Monthly Product Guides
Software Demo Lab
Vendor Listings

DM REVIEW
About Us
Press Releases
Awards
Advertising/Media Kit
Reprints
Magazine Subscriptions
Editorial Calendar
Contact Us
Customer Service

Information Management:
Encryption at Rest

  Column published in DM Review Magazine
August 2005 Issue
 
  By Bill Inmon

Encryption has a long and illustrious history. In World War II, the Americans and the British broke the German Enigma code and the Japanese Purple code, and those two events led to the downfall of Hitler's U-boat campaign in the Atlantic and Japanese troop movement throughout the Pacific Theater.

Today, encryption is found mainly in the movement of data. As data is to be transported, it is encrypted. Upon arriving at its destination, it is decrypted. During flight (i.e., the time that it is being moved), the message is deemed to be safe because if anyone were to encounter it, it would mean nothing. Only at the source and the destination is the data's true meaning apparent. This process is known as encryption in flight.

However, encryption at rest is an entirely different matter. Encryption at rest refers to the fact that the data is physically stored in an encrypted manner. It is appealing from the standpoint of security. Consider two databases - database A where there is encryption in flight and database B where there is encryption at rest. One day someone decides to steal database A. Assuming the person can succeed, once the person has database A in his/her hands, the data can be read like any other file. Stated differently, if a database can be removed or copied and taken to another environment, then none of the security measures that have been taken to protect the data can be in force.

The data in database B is encrypted as it is stored. If somebody steals the database or copies it and removes the data, unless the person can figure out how to decrypt the data, the data does no good whatsoever.

Is encryption of data at rest the optimal stance? Unfortunately, there are numerous major drawbacks with encrypted data at rest. The most obvious is that the data cannot be accessed. (Which defeats one of the major reasons for having a database in the first place.) If "Bill Inmon" is stored as "kljyuuyrat," it is going to be difficult to find the record for "Bill Inmon." In order to find the record, the person looking for it must know how to encrypt. If everyone knows how to encrypt and decrypt, then what is the purpose of encryption? However, suppose that there is a way for the system to automatically translate "Bill Inmon" into "kljyuuyrat" without the end user knowing what is going on. Now it becomes possible to use encryption at rest.

The problems don't end there. Suppose I want to find all people name "Bill." Do I look for "kljy"? Additionally, when I store data in the form of "kljyuuyrat," I destroy the sequence of the data. Whether the sequence is destroyed at the physical block level or at the index level is irrelevant. You could say at the physical block level that sequence doesn't matter, which may indeed be true. However, if sequence at the physical block level doesn't matter, then it will matter somewhere else, such as at the index level. Of course, there is the alternative of storing the index in the "Bill Inmon" format, but that defeats the purpose of encryption at rest because all someone has to do is steal the indexes, rather than the data. Encryption at rest sounds great from the standpoint of security, but in terms of practicality, it is a supremely bad idea.

One alternative is to encrypt at rest only a few fields of data. This may serve some purpose, but may actually be dangerous because encrypting only a few data elements may mislead the database administrator into thinking the data is safe when in fact it is not. Consider this very simple example in which the gender field has been encrypted. In the database, you would find: Bill Inmon, gender = v; Don Hardy, gender = v; Mary Hill, gender = k; Judy Wilson, gender = k; and Mike Hodson, gender = v.

Even though gender is encrypted, it doesn't take a genius to figure out what "v" and "k" mean. This is a very simple and obvious example, but the idea is the same in other situations. Encrypting only a small part of data is unacceptable for security reasons.

Encryption at rest quickly brings larger issues to the surface such as security versus usability. While encryption at rest gives a great deal of very fundamental protection, it wreaks havoc with normal operation of the database to the point that - from a practical standpoint - encryption at rest is unthinkable except for the most limited and specialized of databases. 

...............................................................................

For more information on related topics visit the following related portals...
Databases and Security.

Bill Inmon is universally recognized as the father of the data warehouse. He has more than 35 years of database technology management experience and data warehouse design expertise. His books have been translated into nine languages. He is known globally for his seminars on developing data warehouses and has been a keynote speaker for many major computing associations. For more information, visit www.inmongif.com and www.inmoncif.com. Inmon may be reached at (303) 681-6772.

Solutions Marketplace
Provided by IndustryBrains

Analytics for Oracle Applications
Get sophisticated analytics and real-time reporting for Oracle and MFG Pro ERP systems based on a packaged data warehouse. Immediate results from packaged Business Solutions from Jaros Technologies.

Q: Best Data Warehouse Strategey? A: Pre-built DW
Free White paper describes how packaged analytics based on a pre-built data warehouse Lower TCO, Lower Risk, Increase Success, and deliver Real Results Faster.

Free EII Buyer's Guide
Understand EII - Trends. Tech. Apps. Calculate ROI. Download Now.

Data Quality Tools, Affordable and Accurate
Protect against fraud, waste and excess marketing costs by cleaning your customer database of inaccurate, incomplete or undeliverable addresses. Add on phone check, name parsing and geo-coding as needed. FREE trial of Data Quality dev tools here.

Use MS Word as your Report Generator
Create reports in PDF, RTF, HTML, TXT, XLS & more. Use MS Word to design the reports and reduce development time by 90%. Easy-to-use custom secure report generation - Fast! Free Demo.

Click here to advertise in this space


View Full Issue View Full Magazine Issue
E-mail This Column E-Mail This Column
Printer Friendly Version Printer-Friendly Version
Related Content Related Content
Request Reprints Request Reprints
Advertisement
advertisement
Site Map Terms of Use Privacy Policy
SourceMedia (c) 2005 DM Review and SourceMedia, Inc. All rights reserved.
Use, duplication, or sale of this service, or data contained herein, is strictly prohibited.