In the series titled "A Deeper Look At Sybase", I'd like to look at one specific feature of Sybase ASE for data security.
One of the many features of Sybase ASE is the ability to encrypt individual columns of a database table.
With Sybase's footprint in the financial industry, it is not surprising that Sybase customers require an in-database solution for data security. But frankly, it is hard to imagine any real-life system today where data security would not be important.
Indeed, data encryption may sound like a no-brainer: who would not want to improve his data security? But as we'll see, making such functionality available in a way that is practically usable in real-life systems is in fact not trivial at all.
First, let's observe that most data items in a database are usually not very sensitive. Typically, there are only a few columns worth protecting. Common examples are a credit card number (for obvious reasons), or (in the USA) a Social Security Number (since these are targets for identity thieves). You can probably think of a few other ones.
In contrast, things like an address or ZIP code are usually less sensitive. Although admittedly, depending on the context in which data is used, that could be different.
By encrypting only those columns that need protecting, we can avoid wasting computing resources. If we simply encrypted the entire database instead, this would cost more CPU (for encrypt/decrypt) and storage (since encrypted data occupies more space) than necessary for only the sensitive table columns.
One of the reasons why Sybase customers use ASE column encryption is the PCI DSS standard (short for "Payment Card Industry Data Security Standard"). At some point, the credit card industry got tired of indemnifying customers whose credit card details got stolen from someone's database, and they mandated that if you were to store details about their credit cards, you had to protect the data against theft. The PCI DSS standard lays out a number of measures you must take in order to comply. One aspect of the standard is in-database encryption of credit card data (more details about PCI are here).
In-database column encryption in Sybase ASE was designed to meet all of the following goals:
In addition, based on customer feedback on the first version of ASE column encryption, an additional requirement surfaced that was implemented in ASE version 15.0.2. Customers wanted to be able to protect data from being accessed by the all-powerful database administrators (DBA), who traditionally have full access rights to any data (makes you wonder: what did those DBAs do to earn this sort of confidence from their paymasters? I know I'm innocent!)
At first sight, some of the above goals would seem to be contradictory. It sounds almost too good to be true, but ASE's column encryption does indeed achieve all of the above. Rather than discussing all technical aspects in full detail, let me just give an example.
Ignoring some one-time configuration steps, the first thing to do is to create an encryption key. This creates an AES 256-bit key named cc_key:
create encryption key cc_key for AES with keylength 256
You can create as many keys as you like. Keys are generated inside the ASE server through certified 3rd-party crypto libraries. Also, the generated key is stored in the ASE database -- but it is itself encrypted first (simply put, with a database-level encryption key entered by the DBA). This way, the actual encryption itself cannot be easily extracted from the database which makes it much more difficult for bad-character folks to do any damage.
An encryption key is used to encrypt a column. Here, we're encrypting only the credit card number. In this example, the card type and the name on the card are not considered sensitive and therefore not encrypted. However, those columns could simply be encrypted as well (with the same encryption key or with a different one):
create table Ccard (
custname char(30),
cardtype char(10),
cardno char(19) encrypt with cc_key
decrypt_default 'xxxx-xxxx-xxxx-xxxx' )
I'll get back to the decrypt_default clause in a minute.
First, an essential part of ASE's encryption solution is a separate decrypt permission which is required in order to read encrypted data. This permission should obviously only be assigned to those users or roles that need this access.
For example:
grant select on Ccard to public
grant decrypt on Ccard(cardno) to fraud_detection_role
In this example, only users who have been granted the role fraud_detection_role will now be allowed to decrypt the encrypted credit card numbers.
At this point, any queries against the Ccard table will automatically encrypt the credit card number value when inserting a new row, and automatically decrypt it when an authorised user selects a credit card number. The SQL statements to access the table are exactly the same as when no columns would be encrypted.
The importance of this application transparency cannot be overstated. Just imagine you would be forced to modify all SQL code accessing a table when you decide to encrypt a column: this would not be realistic for most real-life systems.
So, what happens when a user without decrypt permission tries to retrieve a credit card number? Instead of an error, the unprivileged user will retrieve a value of 'xxxx-xxxx-xxxx-xxxx', as defined by the decrypt_defaultclause. This allows existing SQL code to run without disclosing sensitive data to non-authorised users.
The example above illustrates the basic concept of ASE column encryption.
Security can be improved further though. For example, you may need to ensure those rogue DBAs don't run off with a list of credit card numbers.
To achieve this, Sybase ASE allows you to restrict access to encrypted columns to specific users only. Anyone else, regardless of their privileges, will not be able to access the encrypted data.
This works as follows (I'm not including a code example here since this would require too many details to be explained for this blog):
In a nutshell, this is how to tie access to encrypted columns to specific users only. There's much more to say about this topic -- search the ASE documentationfor "login association" if you want full details).
ASE column encryption is a truly unique feature; other database vendors provide in-database encryption functionality as well, but no database except Sybase ASE has managed to combine all of the requirements described earlier.
With ASE's column encryption feature, Sybase/SAP brings strong data security to mission-critical enterprise systems.
Some final notes:
For more information on ASE column encryption, go to the product pages at sybase.com.
For full technical details, check out the ASE column encryption documentation.