TY - JOUR
T1 - Implementing a database encryption solution, design and implementation issues
AU - Shmueli, Erez
AU - Vaisenberg, Ronen
AU - Gudes, Ehud
AU - Elovici, Yuval
PY - 2014/7
Y1 - 2014/7
N2 - In this paper, we analyze and compare five traditional architectures for database encryption. We show that existing architectures may provide a high level of security, but have a significant impact on performance and impose major changes to the application layer, or may be transparent to the application layer and provide high performance, but have several fundamental security weaknesses. We suggest a sixth novel architecture that was not considered before. The new architecture is based on placing the encryption module inside the database management software (DBMS), just above the database cache, and using a dedicated technique to encrypt each database value together with its coordinates. These two properties allow our new architecture to achieve a high level of data security while offering enhanced performance and total transparency to the application layer. We also explain how each architecture can be implemented in a commercial, open source DBMS. We evaluate the performance of the various architectures both analytically and through extensive experimentation. Our performance evaluation results demonstrate that in most realistic scenarios, i.e., where only a part of the database content is stored in the database cache, the suggested architecture outperforms the others.
AB - In this paper, we analyze and compare five traditional architectures for database encryption. We show that existing architectures may provide a high level of security, but have a significant impact on performance and impose major changes to the application layer, or may be transparent to the application layer and provide high performance, but have several fundamental security weaknesses. We suggest a sixth novel architecture that was not considered before. The new architecture is based on placing the encryption module inside the database management software (DBMS), just above the database cache, and using a dedicated technique to encrypt each database value together with its coordinates. These two properties allow our new architecture to achieve a high level of data security while offering enhanced performance and total transparency to the application layer. We also explain how each architecture can be implemented in a commercial, open source DBMS. We evaluate the performance of the various architectures both analytically and through extensive experimentation. Our performance evaluation results demonstrate that in most realistic scenarios, i.e., where only a part of the database content is stored in the database cache, the suggested architecture outperforms the others.
KW - Data encryption
KW - Database cache
KW - Relational database
KW - Security, integrity, and protection
KW - Transparent data encryption
UR - http://www.scopus.com/inward/record.url?scp=84902267737&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2014.03.011
DO - 10.1016/j.cose.2014.03.011
M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???
AN - SCOPUS:84902267737
SN - 0167-4048
VL - 44
SP - 33
EP - 50
JO - Computers and Security
JF - Computers and Security
ER -