Native Apps At The Client & Cloud

Srinivasan Sundara Rajan



Cloud Computing: Protecting Data at Rest in Public Clouds

Middleware vs RDBMS

Protecting Data at Rest
One of the important concerns about utilizing the public cloud and the SaaS-based service model is 'How to protect the data at rest': organizations are worried about how their data is protected in a public cloud scenario, when the data centers are physically away from the enterprise.

There are multiple methods organizations can adopt to protect data at rest. Each of the following methods is complementary to the others in securing the data.

  • Isolating the databases for individual tenants, so that each tenant's data is protected from the others
  • Adopting access control mechanisms like 'Fine Grained Authorization', so that each application user sees only the data they are authorized to see
  • Encryption, one of the most popular options. Encryption is a core requirement for protecting and controlling access to data at rest in the cloud.

Encryption Options (On-Premise Middleware vs Database)
There are multiple ways encryption of data on public cloud can be managed.

  • Using a full-fledged middleware product like Trend Micro 'SecureCloud'
  • Utilizing the features of the database platform, like Oracle TDE.

Middleware Products Like Trend Micro 'SecureCloud'
Trend Micro SecureCloud provides security for virtualized environments and public and private cloud infrastructures. Data is encrypted on a virtual machine before being written to storage and decrypted when read back. The keys for the encryption are stored off site and delivered when required.

  • SecureCloud encrypts customer data in real-time when putting the information into data storage
  • When the virtual machine image boots up, it uses the Runtime Agent to provide its credentials to SecureCloud Management Server, and request an encryption and decryption key along with the appropriate information to connect to data storage.
  • SecureCloud provides and maintains your encryption keys. The virtual machine image does not store encryption or decryption keys.
  • SecureCloud provides a data encryption layer within a virtual machine image to decrypt customer data in real-time after the appropriate credentials have been validated.
  • The Runtime Agent, which needs to be installed along with the virtual machine image on the cloud, performs integrity checks and carries out the encryption and decryption functions
  • Encrypted data can be backed up just as though it were unencrypted. Restore this data to a device and then mount the device to a machine image running the SecureCloud agent.

Further information about the product can be obtained from the vendor's site.

Native Database Encryption on Databases Like Oracle
The popular database Oracle 11g has many features to support the encryption of data.

Transparent data encryption (TDE) encrypts data before it is written to storage and automatically decrypts data when reading it from storage without any changes to existing applications - no triggers, views or other costly changes.

  • TDE supports two modes: tablespace encryption and column encryption. TDE tablespace encryption, introduced with Oracle Database 11g, provides an efficient solution for encrypting entire application tables.
  • You can encrypt individual table columns that contain sensitive data. Examples of sensitive data include social security numbers, credit card numbers, and medical records. Column encryption is transparent to your applications, with some restrictions.
  • Transparent data encryption is a key-based access control system. Even if the encrypted data is retrieved, it cannot be understood until authorized decryption occurs, which is automatic for users authorized to access the table.
  • The wallet is an operating system file located outside the database. The database uses the wallet to store the master encryption key.

Transparent data encryption has a minimal impact on performance. Transparent data encryption column encryption affects performance only when data is retrieved from or inserted into an encrypted column. There is no impact on performance for operations involving unencrypted columns, even if these columns are in a table containing encrypted columns.
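The Oracle 11g TDE mechanics described above, as an added example (not from the original article): the wallet holds the master key outside the datafiles, sensitive columns are marked ENCRYPT, and a whole tablespace can be encrypted instead. The table, column, tablespace and wallet names and the passwords are placeholders constructed for this example.

```sql
-- Assumption: sqlnet.ora already points at the wallet directory, e.g.
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
-- The master key lives only in that wallet file, never in the datafiles.

-- 1. Create the master encryption key (creates the wallet on first use)
--    and open the wallet so the database can wrap/unwrap the table keys.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet_Passw0rd";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet_Passw0rd";

-- 2. Column encryption: only the sensitive columns are encrypted.
--    NO SALT is required on a column that will be indexed (card_no here);
--    a salted encrypted column cannot carry an index.
CREATE TABLE customers (
  cust_id  NUMBER PRIMARY KEY,
  name     VARCHAR2(100),
  ssn      VARCHAR2(11) ENCRYPT USING 'AES256',
  card_no  VARCHAR2(19) ENCRYPT USING 'AES256' NO SALT
);
CREATE INDEX customers_card_ix ON customers (card_no);

-- Encrypting a column on a pre-existing table (orders is assumed to exist)
-- is an in-place MODIFY; applications keep issuing plain SELECT/INSERT.
ALTER TABLE orders MODIFY (card_no ENCRYPT USING 'AES256' NO SALT);

-- 3. Tablespace encryption: every object created in the tablespace is
--    encrypted on disk, with no per-column decisions to make.
CREATE TABLESPACE secure_ts
  DATAFILE 'secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
CREATE TABLE orders_archive TABLESPACE secure_ts AS SELECT * FROM orders;

-- 4. Verification queries a reviewer would run after the change.
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT ts.name, ets.encryptionalg
  FROM v$encrypted_tablespaces ets
  JOIN v$tablespace ts ON ts.ts# = ets.ts#;
SELECT wrl_parameter, status FROM v$encryption_wallet;
```

After an instance restart the wallet must be reopened (or configured as an auto-login wallet) before encrypted columns are readable. Any copy or restore of the database in another environment needs the wallet file alongside the datafiles; without it the encrypted columns stay opaque.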

SQL Server offers similar choices: with the introduction of transparent data encryption (TDE) in SQL Server 2008, users can choose between cell-level encryption as in SQL Server 2005, full database-level encryption using TDE, or the file-level encryption options provided by Windows. TDE is the optimal choice for bulk encryption to meet regulatory compliance or corporate data security standards.

Comparison Between Options
With enterprises having a choice between implementing encryption with a middleware option like Trend Micro SecureCloud and using advanced database features like Oracle TDE, the following chart explains when each option would be useful.

| Middleware Encryption (SecureCloud) | Database Level Encryption (Oracle TDE) |
| --- | --- |
| A middleware solution like SecureCloud works at the VM level and encrypts all contents of the storage: data, metadata and associated structures, without impacting application functionality. | Works at the database level and encrypts objects stored inside the database; it does not cover metadata and other unstructured documents stored outside the database. |
| No option to encrypt specific tables or columns at the database level, which means the overhead of encrypting all the storage. | In most situations only specific information, such as PII (Personally Identifiable Information) or financial data like credit card numbers, needs to be encrypted, so column-level encryption is more efficient while meeting compliance needs. |
| Centralized administration facilitates a common policy and framework for all kinds of data stores. | Database specific, and involves separate efforts for each database platform, such as Oracle and SQL Server. |
| The agent invokes the encryption policies at run time, which tightly couples the encryption logic to the middleware; decryption may fail if the database has to be restored in a different region or to a non-cloud environment, unless the agent is properly set up there. | As encryption is fully integrated with the database, databases can be moved between cloud and non-cloud environments without worrying about decryption needs. |
| Performance issues are possible due to the complete decryption of the storage medium. | Performance impact is minimal, as the database platform handles encryption and decryption only for those columns marked for encryption. |
| May require extensive testing when other database access technologies like JDBC or SOAP are involved, as the functioning of the overall encryption framework and how the agent integrates with each access method need to be tested. | Database encryption is expected to work consistently across multiple access protocols. |
| Requires setting up an on-premise key management server and agents on the virtual machine instances. | Requires setting up options like the wallet and other database configuration options for password management. |

The need for encrypting data stored on public cloud platforms is fully realized by enterprises, since it has direct legal implications and puts the credibility of the organization at stake. As mentioned, there are multiple options: either a specialized middleware platform like Trend Micro SecureCloud or specialized database features like Oracle TDE. As the chart above shows, each has its own advantages, and the specific needs of the enterprise will ultimately drive the selection of a particular option.

More Stories By Srinivasan Sundara Rajan

Highly passionate about utilizing digital technologies to enable the next-generation enterprise. Believes in enterprise transformation through the Natives (Cloud Native & Mobile Native).