Transparent Database Encryption (TDE)
Transparent Database Encryption, usually shortened to TDE (Oracle and Microsoft document the same feature as Transparent Data Encryption), encrypts a database's files on disk without any change to the applications that use the database. Its threat model is theft of physical media: if backup tapes or storage drives are stolen, an unencrypted database can simply be restored on another server and its sensitive data read. With TDE the data files, and the backups taken from them, are stored as ciphertext, so data at rest is useless to anyone who does not also hold the encryption key. Existing applications keep working unmodified because encryption and decryption happen inside the database engine as pages are written to and read from disk.
Enterprises often deploy TDE to satisfy data protection regulations or industry standards such as PCI DSS. The protection is only as strong as the handling of the keys, however: whoever holds the key that unlocks the database can read it, so protecting and managing the encryption keys is the critical piece. TDE uses a two-level key hierarchy. Each database is encrypted with a database encryption key (DEK), a symmetric key that never leaves the database engine; the DEK itself is protected either by a certificate held on the database server or by an asymmetric key held in an external key management solution such as EncryptRIGHT®. Keeping the key-encryption key outside the database server means the key that unlocks the data is not sitting on the same machine, or on the same backup media, as the data it protects. EncryptRIGHT works with the encryption built into Oracle and MS SQL Server, so the encryption itself runs at native speed, while key management moves to a single key store shared across multiple databases. EncryptRIGHT supports TDE via Extensible Key Management (EKM) for MS SQL Server on Windows and via PKCS#11 for Oracle databases on Windows, Linux and Solaris. EncryptRIGHT also supports TDE, together with its broader data protection functionality, for DB2 databases on IBM i. Whichever protector is used, back it up and store that backup separately from the database backups: a TDE-encrypted database whose certificate or external key has been lost cannot be restored.
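The key hierarchy described above, shown as T-SQL for SQL Server with both protector types. This is an added example, not code from the page or from the EncryptRIGHT product; the database name, certificate and key names, passwords, login, credential identities and the EKM provider DLL path are all placeholders, and the provider shown is a hypothetical one rather than EncryptRIGHT's own.

```sql
-- Added example (not from the page or the EncryptRIGHT product): SQL Server TDE with
-- the two DEK protectors the text describes. All names, passwords and paths are placeholders.

USE master;
GO

-- Option A: DEK protected by a certificate kept in master.
-- Service master key -> database master key -> certificate -> DEK.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Pl@ceholder-DMK-Passw0rd!';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE protector for TdeDemo';

-- Back the certificate and its private key up now, to media that is NOT where the
-- database backups go. Without this file the encrypted database cannot be restored.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\keybackup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Pl@ceholder-Backup-Passw0rd!');
GO

USE TdeDemo;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE TdeDemo SET ENCRYPTION ON;
GO

-- Option B: DEK protected by an asymmetric key that lives in an external key manager,
-- reached through an Extensible Key Management (EKM) provider DLL. The provider name,
-- DLL path and credential identities below are hypothetical.
USE master;
GO
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;
GO
CREATE CRYPTOGRAPHIC PROVIDER ExternalKms
    FROM FILE = 'C:\Program Files\ExampleKms\ekm_provider.dll';
GO
-- Credential the DBA session uses to create the key-encryption key on the key manager.
CREATE CREDENTIAL KmsAdminCred
    WITH IDENTITY = 'kms-admin', SECRET = 'Pl@ceholder-KMS-Secret!'
    FOR CRYPTOGRAPHIC PROVIDER ExternalKms;
ALTER LOGIN [DOMAIN\dba] ADD CREDENTIAL KmsAdminCred;
GO
CREATE ASYMMETRIC KEY TdeKek
    FROM PROVIDER ExternalKms
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'sqlserver-tde-kek',
         CREATION_DISPOSITION = CREATE_NEW;
GO
-- The engine needs its own path to the key when it starts up: a login mapped to the
-- asymmetric key, carrying a credential for the key manager.
CREATE LOGIN TdeKekLogin FROM ASYMMETRIC KEY TdeKek;
CREATE CREDENTIAL KmsEngineCred
    WITH IDENTITY = 'kms-sqlserver', SECRET = 'Pl@ceholder-KMS-Secret-2!'
    FOR CRYPTOGRAPHIC PROVIDER ExternalKms;
ALTER LOGIN TdeKekLogin ADD CREDENTIAL KmsEngineCred;
GO
USE TdeDemo;
GO
-- A database has one DEK. Either create it with this protector instead of Option A's,
-- or re-point an existing DEK at the external key:
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeKek;
GO

-- Verification. encryption_state: 0 = no DEK, 1 = unencrypted, 2 = encryption in progress,
-- 3 = encrypted. encryptor_type shows which protector (CERTIFICATE or ASYMMETRIC KEY) wraps the DEK.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, key_algorithm, key_length, encryptor_type
FROM sys.dm_database_encryption_keys;
```

Note what the two options change and what they do not: in both cases the data pages are encrypted with the same AES-256 DEK and the application is untouched; the only difference is where the key that wraps the DEK lives. With Option A a stolen backup plus a stolen copy of the certificate backup is enough to read the data; with Option B the attacker also needs a working credential to the key manager, which is the point of moving the key off the database server.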
Where TDE is Vulnerable
Applying transparent database encryption across multiple databases together with a strong key management solution such as EncryptRIGHT does protect data at rest and does satisfy many laws, regulations and industry guidelines, but it is important to understand what TDE does not do. TDE defends against theft of the media. It does nothing for data in use, and it does not protect against anyone who is able to query the database.
In a TDE environment the database engine decrypts pages as it reads them, and every query result is returned to the calling application in the clear (unprotected). Any principal that can authenticate and has SELECT permission sees plaintext: a database administrator, a compromised application account, or an attacker reaching the database through a SQL injection flaw in the application. A quick way to confirm this is to enable TDE on a database and run an ordinary SELECT against a sensitive column; the result is the plaintext value. This gap can be particularly costly because so many breaches occur at the application layer, where data in use is far more exposed than data sitting on a disk. EncryptRIGHT supports both approaches, but application-level encryption, where the application encrypts a field before it is stored and the database only ever holds ciphertext, provides a more secure and comprehensive data protection solution than TDE alone, at the cost of changes to the application.