Aaron C. Newman (AppSecInc) anewman at appsecinc.com
Wed May 11 19:59:56 EDT 2005


I have not heard of anyone doing this, but here are the details I know.

Sybase has some features to do encryption of data-at-rest. Protegrity used to
offer a product that was actually resold through Sybase. There were
performance problems in the early days based on limitations in Sybase and I
am unsure if significant enhancements have been made. Protegrity since then
has gone under and come back around, so they are still doing business;
however, I don't hear a lot from them these days so I am unsure how they are
doing. I am not sure if they support HSMs with the Sybase version of the
product. I do know that they have done work with nCipher in an attempt to
get HSM support but I am not sure if that work is complete for Sybase.

Sybase has made indications that they are going to provide native encryption
in Sybase 15, which is currently in beta. You may want to talk directly to
them about their official stance on that and if they are going to support an
HSM. Given that it's a first release, I would guess HSM support will not be
included in the short term.

The only HSM vendor I am aware of that has been trying to get into the
database encryption market is nCipher. They have a good HSM and they
understand security very well. They are working with another company to
provide column level encryption called Valdsys(??? something like that) but
I am pretty sure they do not support Sybase.

Most people that want to use HSMs for database encryption change their minds
when they realize how much the hardware will cost and how complicated it is.
There are always a lot of questions on what exactly you accomplish by storing
the keys in the hardware.

Here's an independent review of the database encryption alternatives:

Have you looked into other security measures besides database encryption?
You can likely reduce as much business risk by using other layers of
security rather than database encryption. Database encryption should be your
last line of defense. If you concentrate on other ways to secure the
database, you end up securing your data more effectively and efficiently.
Set up the firewall properly. Perform in-depth pen tests and security audits
of everything from access controls and passwords to database integrity. Implement
a monitoring solution for the database. After you've done all these steps
and still need more security, then look at database encryption.

I hope this helps.

> From: Paolo Ottolino <paolo.ottolino at business-e.it>
> Date: Tue May 10, 2005  2:14:49  AM US/Pacific
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Data Encryption + HSM
> This is a question about DB encryption.
> Does anybody know if it is possible to perform encryption on data at
> rest (in a Sybase 12.5 DB on a Solaris machine) and store the
> symmetric keys in a Hardware Security Module, using some integration
> software?
> Or do I have to move the DB to a more popular platform (like Oracle, MS
> SQL) to integrate with an HSM?
> Thank you in advance,
> Paolo Ottolino
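The reply above asks what storing the keys in an HSM actually buys you. The following Go program, added here as an illustration and not part of the original thread or any vendor product, shows the usual envelope-encryption arrangement for column-level encryption: each row's value is encrypted under a per-row data-encryption key (DEK), and the DEK is stored beside the ciphertext only in wrapped form, encrypted under a key-encryption key (KEK) that never leaves the HSM. The `SimulatedHSM` type, the row layout, and the sample card number are all constructed stand-ins; a real deployment would replace the struct with the HSM vendor's wrap/unwrap API. The point the example makes is that a copy of the table (or a backup of it) yields nothing usable without a live call into the HSM, and that a different HSM, or a ciphertext moved to another row, cannot decrypt it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SimulatedHSM is a constructed stand-in for a hardware security module:
// the key-encryption key is private to the struct and only Wrap/Unwrap are
// exposed, so the KEK never leaves the "hardware" boundary.
type SimulatedHSM struct {
	kek []byte
}

// NewSimulatedHSM generates a fresh 256-bit KEK inside the boundary.
func NewSimulatedHSM() (*SimulatedHSM, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &SimulatedHSM{kek: kek}, nil
}

// newGCM builds an AES-256-GCM AEAD for the given key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce (prepended to
// the output) and binds aad to the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the aad or the ciphertext is wrong.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Wrap encrypts a data-encryption key under the KEK; only the wrapped form
// ever leaves the HSM. Unwrap is the inverse, performed inside the boundary.
func (h *SimulatedHSM) Wrap(dek []byte) ([]byte, error) {
	return seal(h.kek, dek, []byte("dek-wrap"))
}
func (h *SimulatedHSM) Unwrap(wrapped []byte) ([]byte, error) {
	return open(h.kek, wrapped, []byte("dek-wrap"))
}

// Row is what the database actually stores: the ciphertext of the sensitive
// column and the wrapped DEK beside it (constructed layout for illustration).
type Row struct {
	ID         string
	WrappedDEK []byte
	CardNumber []byte
}

// EncryptRow generates a per-row DEK, encrypts the column value with it
// (binding the ciphertext to the row ID via AAD) and stores the DEK wrapped.
func EncryptRow(h *SimulatedHSM, id, cardNumber string) (Row, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Row{}, err
	}
	ct, err := seal(dek, []byte(cardNumber), []byte(id))
	if err != nil {
		return Row{}, err
	}
	wrapped, err := h.Wrap(dek)
	if err != nil {
		return Row{}, err
	}
	return Row{ID: id, WrappedDEK: wrapped, CardNumber: ct}, nil
}

// DecryptRow asks the HSM to unwrap the row's DEK, then decrypts the column.
func DecryptRow(h *SimulatedHSM, r Row) (string, error) {
	dek, err := h.Unwrap(r.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("HSM refused to unwrap DEK: %w", err)
	}
	pt, err := open(dek, r.CardNumber, []byte(r.ID))
	if err != nil {
		return "", fmt.Errorf("column decryption failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	h, _ := NewSimulatedHSM()
	row, _ := EncryptRow(h, "cust-42", "4111-1111-1111-1111") // constructed sample
	pt, err := DecryptRow(h, row)
	fmt.Println("same HSM:", pt, err)
	other, _ := NewSimulatedHSM()
	_, err = DecryptRow(other, row)
	fmt.Println("different HSM:", err)
}
```

The trade-off the reply hints at is visible in the code: every decrypt needs a round trip to the HSM for the unwrap, which is where the cost and complexity come from, and it only helps if the application host that calls Unwrap is itself protected, since a compromised application can still ask the HSM to unwrap keys on its behalf.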
