Encryption Method for Data Center Cryptography

EncryptionMethods are divided into the following types:

1. File-level encryption

File-level encryption can be implemented on the host, or added to the network storage NAS layer for Embedded implementation. For some applications, this encryption method will also cause performance problems. When performing data backup operations, it will bring some limitations, especially when backing up the database. In particular, file-level encryption will make key management quite difficult, thus adding another layer of management: You need to identify and associate related keys based on the directory location.

Encryption on the file layer is also insufficient because the data encrypted by the enterprise is still much larger than the data that the enterprise may need. If an enterprise is concerned with unstructured data, such as legal documents, engineering documents, report files, or other files in a non-well-organized application database, therefore, file-layer encryption is an ideal method. If the data is encrypted at the file layer, when it is written back to the storage media, the data written is encrypted. No one who has access to the storage media can find useful information. The only way to decrypt the data is to use the file-layer encryption/decryption mechanism.

2. Database-level encryption

When data is stored in the database, database-level encryption can encrypt data fields. This deployment mechanism is also called column-level encryption because it is encrypted at the column level in the database table. For companies that store sensitive data in one or two columns of a database, database-level encryption is more economical. However, because encryption and decryption are generally performed by software rather than hardware, this process will lead to an unacceptable reduction in the performance of the entire system.

Since the data structure and organization in the database are very clear, it is easier to control specific data entries. You can encrypt a specific column, such as the country identifier column or wage column, and each column has its own key. Based on different database users, enterprises can effectively control their keys, so they can control who has the right to decrypt the data entries. In this way, enterprises only need to Encrypt Key data.

The challenge for this encryption method is that many data entries that you want to encrypt may have the same value in the application query. Therefore, the system designer should ensure that the encrypted data does not participate in queries, so as to prevent the negative impact of encryption on the database performance. For example, if the account number is encrypted and you want to search for a series of numbers, the application must read the entire table, decrypt it, and compare the values. If the database index is not used, this task can be completed in three seconds.

It may become a three-hour long query. However, this method also has a positive aspect. Database manufacturers have already added some services to their new products to help enterprises solve this problem.

3. Media-level encryption

Media-level encryption is a new method used to encrypt static data on storage devices, including hard disks and tapes. Although media-level encryption provides high transparency for users and applications, it provides very limited protection: data is not encrypted during transmission.

Data is encrypted only when the storage device is reached. Therefore, media-level encryption can only prevent theft of physical storage media. In addition, if you use this technology in a heterogeneous environment, you may need to use multiple key management applications, which increases the complexity of the key management process and increases the risk of data recovery.

4. Embedded encryption devices

Embedded encryption devices are placed in the Storage Area Network SAN, which is between the storage device and the server requesting encrypted data. This type of dedicated device can encrypt the data transmitted all the way to the storage device through these devices, protect static data, and then decrypt the data returned to the application.

Embedded encryption devices are easy to install as point-to-point solutions, but are difficult to expand or costly. If deployed in an enterprise environment with a large number of ports or multiple sites need to be protected, the problem may occur. In this case, the cost of installing a batch of hardware devices across distributed storage environments is astonishing. In addition, each device must be configured and managed separately or in small batches, which adds a heavy burden to management.

5. Application Encryption

The last method may be the safest one. Integrating encryption technology into commercial applications is the highest level of encryption, and it is also the most close to the "End-to-End" encryption solution. At this layer, enterprises can clearly know who users are and the typical access scope of these users.

Enterprises can closely integrate access control of keys with applications. This ensures that only specific users can access data through specific applications to gain access to key data. No one tries to access the data downstream of the destination.

At this layer, the integrated encryption technology helps to avoid impact on the performance of the database layer, because users can change the query type. However, although this method is the safest, many data entries need to be accessed by a variety of applications. Enterprises must promptly manage changes to such applications and even different user groups. In fact, if enterprises use the packaged applications provided by the vendor, they may not be able to implement this layer of solution at all, because the enterprise cannot obtain the source code of these applications.

For details about Data Encryption in the data center, please read:

Encryption form of data center Cryptography