30 June 2018
Windows 2008 Server End of Life is near. Within the next months many companies are busy with the replacement of Windows 2008 based infrastructure and application servers to avoid the next Wannacry or NotPetya.
It appears to me that this is the best opportunity to migrate at least application servers to the cloud. And, in the best case, to get rid of the servers at all by transforming the application to SAAS. If technical or the organizational limitations do not allow this at least the transformation to PAAS and IAAS should be considered.
What stops us from doing this? Very often it is the fear of loss of access to critical business data or the fear of loss of the data at all. At least in the latter case technical protection measures can be applied to mitigate this issue.
Transparent database encryption
Transparent database encryption (TDE) is often the matter of choice. All encryption is performed transparently by the database service, with no impact on the application and the users because only the database files or critical attributes in tables are encrypted. User interaction is required only during database startup to activate the encryption engine.
Unfortunately, TDE provides only encryption at rest. Thus TDE stops infrastructure admins from using unauthorized copies of a database or a virtual database server because they cannot activate the encryption engine. Once the database is started all users and database administrators have access.
Application level encryption
With Application level encryption (ALE) all encryption is performed by the application. Data is encrypted when entered in or retrieved through the application. Thus data is encrypted during transfer and at rest.
As long as the access is not routed through the application server the data are accessible for no one. Even infrastructure or database admins are barred unless they have access to the encryption key.
The security problem is shifted towards that of operational security of the application server. A solution to this problem could be to encrypt the data in the database with a key that is encrypted against the users access keys. This ensures that the encrypted data cannot be decrypted without access to at least one users key.
The remaining risk is that an attacker reads the keys or the plain text data from the process memory of the application service.
The effort to implement application level encryption is high because the application has to be changed. In addition, a key infrastructure must be set up to avoid data loss in the case a user key is e.g. inaccessible. But the gain in information and operational security is high.
The pros and cons of the encryption concepts in summary.
With Application Level Encryption, outsourcing or cloud adoption is made easy.
Have a good weekend.