Criterion | Database at-rest encryption | Microsoft / Oracle TDE | Client-side field level encryption | Acra field level encryption |
---|---|---|---|---|
Encryption of | The whole database | The whole database | Selected sensitive fields | Selected sensitive fields |
Access to encryption keys | The database | The database | Client app | Acra |
Plaintext leakage from DBAs | Yes | Yes | No (data is encrypted before it gets to the database) | No (data is encrypted before it gets to the database) |
Plaintext leakage from backups | Yes | Yes | No (data is encrypted before it gets to the backup) | No (data is encrypted before it gets to the backup) |
Number of keys | One for the whole database | One for the whole database | Per field, per app | Per field, per app, per zone |
Application code changes | None | None | Significant | None, or very small |
Database encryption solutions
Database encryption aims to protect sensitive data from attackers, comply with industry regulations and meet secure data processing requirements. Modern approaches to database encryption go beyond ticking the “data at rest encryption” checkbox and use column level encryption or field level encryption.
Cossack Labs offers tools and services to cover database encryption requirements. Our software allows encrypting data transparently for the database and the client applications – ensuring that sensitive data fields are written encrypted to the database and then decrypted when read. Encrypting data before it gets to the database protects against insiders, leaks and misconfiguration.
Typical database encryption requirements
Follow data privacy regulations
The changing regulatory landscape and industry requirements force companies to be prepared to compete within a new market environment. Also, before market entry, newcomers should meet privacy regulations (GDPR, CCPA, etc.). Numerous regulations and standards require secure processing of sensitive data (encryption, masking, pseudonymisation).
Solve insider risks & misconfiguration
Databases store tons of sensitive data, such as Personally Identifiable Information (PII), PHI or payment information, which should be protected from developers, DBAs and BI teams. Application level encryption of sensitive fields makes security incidents less significant, as even if the database is misconfigured or leaked, the data stays encrypted.
Encrypt data with minimum work
Product teams often face database encryption as a challenge. They have to spend time and resources on cryptography, database security and secure data flow, instead of working on the product. Luckily, Cossack Labs security tools are built to save developers time.
Zero code changes
Often, field level encryption is associated with the need to re-engineer existing applications, add cryptographic code, and manage keys. Considering these limitations, we suggest transparent database encryption, which doesn't require code changes.
Modern database encryption solutions
Encrypted, yet searchable data
Search through encrypted data enables BI teams, developers and ops to work with actual production data without gaining access to sensitive information.
Stack compatibility
Modern database encryption software should support popular tech stacks: SQL and NoSQL databases, cloud databases, ORMs and backend app frameworks.
Plug-and-play encryption SDK
Database encryption software should be easy to integrate, deploy, configure and use without significant disruption to the existing architecture.
Database encryption methods
Different database encryption methods provide various security guarantees. Acra field level encryption works transparently for the app and the database, requires zero application code changes and hides cryptographic details from developers.
Our mission is simple.
We help you focus on serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.
Our offerings
// Database encryption software
Acra
A DATABASE SECURITY SUITE
To be announced
// Consulting
Security engineering & architecture
Multi-layered defenses
SSDLC
How we make a difference
The data is always yours
Unlike SaaS, Acra is software that is integrated into your infrastructure. Encryption happens within your system – sensitive data never leaves the premises, is never sent to 3rd parties, sold or used. Acra works even without an internet connection within air-gapped perimeters. Acra is a vital component of Zero Trust architecture.
Reduce business risks with consulting
Our customer success program fits each use case – whether configuring our products, building a custom solution, or analysing security architecture – we are here to lift this burden off you. We provide security engineering consulting and support under fixed SLAs to ensure maximum security benefits from our products and services.
Database encryption for SQL, NoSQL and KV data stores
The Acra database security suite supports open source SQL databases (MySQL, PostgreSQL, MariaDB, Google Cloud SQL, Amazon RDS, TiDB, CockroachDB) and NoSQL databases (MongoDB, Redis, Cassandra, TimescaleDB), and any datastore with a REST API (like Amazon S3, Google Cloud DataStore, etc).
Fast time to solution
Having over 8 years of experience in data protection, we have created Acra as a developer and ops friendly tool. Acra is easy to integrate, deploy, configure, automate, monitor and use without significant interruptions in the existing architecture. Protecting sensitive data should be fast and efficient.
Database encryption in use
Acra blends well with your application as an SQL encryption proxy, encryption-as-a-service API, API proxy, or in-app SDK. Each mode has its own pros and cons.
The most popular mode is transparent encryption via Acra SQL proxy. Acra sits between the application and the database, and encrypts/decrypts data transparently. Acra supports various key management procedures (key rotation with and without data encryption, key revocation, and others according to NIST SP 800-57). Acra supports HYOK and BYOK, allowing customers to have full control over encryption keys.
Additional relevant materials
The keynote 'Data is a new security boundary' was presented by Anastasiia Voitova at OWASP Global AppSec US 2021. Anastasiia explains how modern data protection combines multiple security controls and follows sensitive data where it exists – from client-side apps to the databases. The YouTube video is available as well.
Frequently Asked Questions
How are databases encrypted?
Does database encryption affect performance?
Should database data be encrypted?
For innovators, by innovators
We've started Cossack Labs to develop new tools and methods for protecting the data and enabling novel solutions to emerging problems — so that at the edge of your innovation, you’ve already got fitting tools handy.
Relevant blogposts
PII Encryption Requirements. Cheatsheet
What data is sensitive and needs to be encrypted according to data privacy regulations like CCPA, GDPR, HIPAA, etc.? Our cheatsheet addresses this question.
Secure search over encrypted data
What is searchable encryption and how to perform secure search over encrypted data.