There are numerous database encryption methods on the market, yet many organizations struggle to decide which solution best suits their DBMS environment. The answer lies in understanding the different kinds of database encryption method and how each one applies to different layers and environments.
The four major types of database encryption are: Business Application Encryption (BA), DBMS Application Encryption (DA), DBMS Package Encryption (DP), and DBMS Engine Encryption (DE). Each takes place at a different layer and often has different functionality and requirements. Figure 1 illustrates the layers at which encryption can take place.
Fig 1. Integration points in IT system architecture
1) Business Application Encryption (BA)
Business application encryption is the type of DB encryption commonly known as the ‘API method’. BA encryption calls an encryption/decryption API on the application or business application server, so it is applicable to any DBMS without restriction. Although the BA method places no additional burden on the DBMS, the encryption process can be quite time-consuming because every query that touches the encrypted data must be modified before the data enter the database.
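As an added illustration (not code from the original article or from any vendor), the following Go program shows where the BA method places the work: the application tier encrypts a column value with AES-GCM before it is written and decrypts it after it is read, while the DBMS only ever stores ciphertext. The key, the row map standing in for a table, and the email values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Column is the application-side cipher for one protected column (BA method):
// the DBMS never holds the key and only ever receives ciphertext for this column.
type Column struct{ aead cipher.AEAD }

// NewColumn wraps a caller-supplied AES key (constructed here; from a KMS/HSM in practice).
func NewColumn(key []byte) (*Column, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Column{aead: aead}, err
}

// Encrypt runs before the INSERT; the random nonce means equal plaintexts encrypt
// differently, so the DBMS cannot index or compare the column on its own.
func (c *Column) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, nil), nil // stored as nonce||ciphertext
}

// Decrypt runs after the SELECT, recovering the nonce from the stored value.
func (c *Column) Decrypt(stored []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(stored) < n {
		return nil, errors.New("stored value too short")
	}
	return c.aead.Open(nil, stored[:n], stored[n:], nil)
}

// FindByEmail shows the query-modification cost: "WHERE email = ?" cannot be pushed to
// the DBMS, so the application decrypts every row (id -> stored value) and compares.
func (c *Column) FindByEmail(rows map[int][]byte, email string) (int, bool) {
	for id, stored := range rows {
		if pt, err := c.Decrypt(stored); err == nil && string(pt) == email {
			return id, true
		}
	}
	return 0, false
}
```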
2) DBMS Application Encryption (DA)
This type of DB encryption performs encryption/decryption through a DBMS product module exposed as an API. Like the BA method above, DA is applicable to various DBMS. Query modification is similar, but the computational burden of encryption/decryption is not transferred to the database server, because it can be managed from the DBMS administration tool. Moreover, DA addresses security threats that occur on the network segment. The downside of this method is that a certain level of application modification is still required.
3) DBMS Package Encryption (DP)
Regarded as the “plug-in method”, this encryption method performs encryption/decryption by installing a product module onto the DBMS. Because the module is installed on the DBMS as a package, the DP method can support indexing of encrypted columns and can be implemented easily without additional query modification. Audit functions through a GUI and access control can also be provided as integrated security functions. Unlike the API method, the encryption package in the DBMS works independently of the application and requires less modification to queries and code, making it a flexible option for both commercial DBMS and open-source databases.
4) DBMS Engine Encryption (DE)
Lastly, the engine encryption method, or DE, is the most evolved form of DB encryption. Since encryption/decryption is performed at the engine level of the DBMS, implementation is the easiest and encryption/decryption performance is faster than with the other methods. Because this method requires engine-level modification, it can only be provided in a few cases: first, by DBMS vendors; second, through open-source DBMS such as MySQL or MariaDB; third, by collaboration between database encryption companies and database companies. In the case of solutions provided by DBMS vendors, such as Oracle’s TDE or SQL Server TDE, only encryption functions are available, without access control or audit functions. To apply integrated security, a separate package needs to be purchased and applied. Another term that describes this type of database encryption method is ‘Transparent Data Encryption method’.