SQL Server and Encryption

  • Question

  • Hi Experts,

    I have been tasked to look for a tokenization system to overcome the application's shortcomings in applying any of SQL Server's built-in techniques (such as Always Encrypted). We are exposed to almost all the limitations imposed by Always Encrypted, so we have moved on to looking for a trusted tokenization system (HW or SW) that can be implemented and be transparent to the application.

    Thanks

    Thursday, November 3, 2016 3:13 PM

Answers

  • You might already know this, but just in case: tokenization is not necessarily transparent to the application either and may have the same performance impact. It could certainly be much simpler and have much lower impact, but not always, so tread carefully and test, test, test.

    That said, there are quite a few reputable vendors in this space, including Protegrity, Vormetric (Thales), Gemalto, etc. I've only casually looked into them, so I have no recommendations. https://securosis.com/research/papers/understanding-and-selecting-a-tokenization-solution is a good starting point if you don't have clear selection criteria. It's written by a security solutions vendor, but it does have contributors from other vendors/competitors, so it's less skewed than other such articles.


    No great genius has ever existed without some touch of madness. - Aristotle

    • Marked as answer by SQL Kitchen Tuesday, November 8, 2016 3:42 PM
    Thursday, November 3, 2016 7:27 PM

All replies

  • There is not a really good solution here. You can encrypt columns, but then can't put useful indexes on them (unless you use hashbytes), and there is the decryption cost. If you store your key references in the stored procedures, your DBAs and devs can read them by cracking open your stored procedures and functions or by running a trace. What EKM will do for you is to store your keys off server and manage them and refresh the passwords.

    What are your encryption goals?

    Thursday, November 3, 2016 3:19 PM
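
The indexing trade-off raised in the reply above, as an added T-SQL example that is not part of the thread: the ciphertext column cannot serve equality lookups, so a HASHBYTES column carries the index. Assumptions: all object names are hypothetical, the card number is a public test value, and `@Pepper` is an assumed secret mixed into the hash because card numbers are short enough that an unkeyed hash can be reversed by enumeration.

```sql
-- Added example; every object name here is hypothetical, not from the thread.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-password>';
CREATE CERTIFICATE PanCert WITH SUBJECT = 'Protects PanKey';
CREATE SYMMETRIC KEY PanKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PanCert;
GO
CREATE TABLE dbo.Cards (
    CardId  int IDENTITY PRIMARY KEY,
    PanEnc  varbinary(256) NOT NULL,  -- ENCRYPTBYKEY output: differs on every call
    PanHash binary(32)     NOT NULL   -- SHA2_256(pepper + PAN): stable, so indexable
);
CREATE INDEX IX_Cards_PanHash ON dbo.Cards (PanHash);
GO
-- @Pepper is an assumed secret supplied by the caller and never stored in the table.
CREATE PROCEDURE dbo.AddCard @Pan varchar(19), @Pepper varbinary(32) AS
BEGIN
    OPEN SYMMETRIC KEY PanKey DECRYPTION BY CERTIFICATE PanCert;
    INSERT dbo.Cards (PanEnc, PanHash)
    VALUES (ENCRYPTBYKEY(KEY_GUID('PanKey'), @Pan),
            HASHBYTES('SHA2_256', @Pepper + CAST(@Pan AS varbinary(19))));
    CLOSE SYMMETRIC KEY PanKey;
END;
GO
CREATE PROCEDURE dbo.FindCard @Pan varchar(19), @Pepper varbinary(32) AS
BEGIN
    OPEN SYMMETRIC KEY PanKey DECRYPTION BY CERTIFICATE PanCert;
    -- The predicate is on PanHash, so the lookup can seek IX_Cards_PanHash;
    -- only the matching rows pay the decryption cost.
    SELECT CardId, CONVERT(varchar(19), DECRYPTBYKEY(PanEnc)) AS Pan
    FROM dbo.Cards
    WHERE PanHash = HASHBYTES('SHA2_256', @Pepper + CAST(@Pan AS varbinary(19)));
    CLOSE SYMMETRIC KEY PanKey;
END;
GO
-- Constructed demo values: a random pepper and a well-known test card number.
DECLARE @Pepper varbinary(32) = CRYPT_GEN_RANDOM(32);
EXEC dbo.AddCard  '4111111111111111', @Pepper;
EXEC dbo.AddCard  '4111111111111111', @Pepper;  -- same PAN, different PanEnc bytes
EXEC dbo.FindCard '4111111111111111', @Pepper;  -- returns both rows via PanHash
-- A predicate such as PanEnc = ENCRYPTBYKEY(...) would match neither row,
-- because each encryption of the same value yields new ciphertext.
```

The hash column supports equality matches only; range and LIKE searches on the card number still require decrypting every row.
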
  • We need to comply with PCI certification, and must encrypt all columns that hold sensitive data according to PCI. The main problem with encryption is that we must make major changes in the applications, as per the assessment we have done.


    • Edited by SQL Kitchen Thursday, November 3, 2016 4:22 PM
    Thursday, November 3, 2016 4:20 PM
  • Why won't encrypted columns with an EKM work for you? I don't think you want TDE because anyone accessing SQL Server can read your data.
    Thursday, November 3, 2016 4:33 PM