TDE As Security Theater

Randolph West argues that Transparent Data Encryption is not security theater:

The short version is that our data, log and backup files are encrypted at rest (i.e., on the storage layer), so that an attacker cannot simply copy and attach the data and log files, or restore a backup, without having access to the master key. If backup tapes or drives are stolen, the data on those devices cannot be recovered.

We can also use what is known as a Hardware Security Module (HSM) to provide keys to secure the database. This is a dedicated physical or virtual device, separate from SQL Server, that generates keys for various services in an organization.

Read on for Randolph’s argument.  For the counter-argument, check out Simon McAuliffe’s article on the topic.  Over the past couple of years, I’ve grown much more sympathetic to the idea that TDE’s primary use case is in weeding out the rabble-rousers with nary a clue, but it’s not very helpful against a knowledgeable attacker with administrative access to your SQL Server.

Related Posts

Active Directory Management With Powershell

Jana Sattainathan walks us through a few AD management scenarios using the Powershell Active Directory module: If you are an AD admin, you are very likely a pro at managing AD group membership but for mere mortals, this can be a tedious task. Please read on to find out what I am talking about and […]

Read More

Meltdown Performance Effects On Cassandra

The folks at Instaclustr have done some analysis on how Meltdown has affected Cassandra performance on AWS: In our Security Advisory published 8 January, we advised of up to 20% increase in CPU utilization and small increase in latency across managed clusters in AWS and GCP following the rollout of the patches to the cloud provider hypervisors. […]

Read More

Categories

November 2017
MTWTFSS
« Oct Dec »
 12345
6789101112
13141516171819
20212223242526
27282930