Implementing a database encryption solution, design and implementation issues

Erez Shmueli*, Ronen Vaisenberg, Ehud Gudes, Yuval Elovici

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

23 Scopus citations

Abstract

In this paper, we analyze and compare five traditional architectures for database encryption. We show that existing architectures may provide a high level of security, but have a significant impact on performance and impose major changes to the application layer, or may be transparent to the application layer and provide high performance, but have several fundamental security weaknesses. We suggest a sixth novel architecture that was not considered before. The new architecture is based on placing the encryption module inside the database management software (DBMS), just above the database cache, and using a dedicated technique to encrypt each database value together with its coordinates. These two properties allow our new architecture to achieve a high level of data security while offering enhanced performance and total transparency to the application layer. We also explain how each architecture can be implemented in a commercial, open source DBMS. We evaluate the performance of the various architectures both analytically and through extensive experimentation. Our performance evaluation results demonstrate that in most realistic scenarios, i.e., where only a part of the database content is stored in the database cache, the suggested architecture outperforms the others.

Original languageEnglish
Pages (from-to)33-50
Number of pages18
JournalComputers and Security
Volume44
DOIs
StatePublished - Jul 2014
Externally publishedYes

Keywords

  • Data encryption
  • Database cache
  • Relational database
  • Security, integrity, and protection
  • Transparent data encryption

Fingerprint

Dive into the research topics of 'Implementing a database encryption solution, design and implementation issues'. Together they form a unique fingerprint.

Cite this