Would encrypting a database protect against a compromised admin account?

9
I was discussing with someone ways to prevent data disclosure from a compromised admin account on a database server. The other person proposed encrypting the data at rest within the database. It sounds like a good idea, but I wasn't sure if that would protect the data in this scenario.

My thinking is that if the attacker has an admin account, they'll also have the ability to access the encryption key. In a typical configuration, would this be the case? Could the system be engineered so that it wouldn't, while still being practical to administer and use? I could see having the admin provide the key when they log in, but I am ignorant of the security implications of that...

My threat model is as follows: A legitimate admin account's username and password is compromised. Our attacker uses that account to log in remotely and download the database. I understand MFA and other access controls would protect here, but assume they've failed or otherwise been circumvented. I'm merely curious about encryption's effect here.

Now, I realize this would definitely come down to implementation-specific details; however, I am not super familiar with database administration, so I'm struggling to provide a detailed setup for a hypothetical system.
Tags: encryption, databases, system-compromise
asked 7 hours ago
edited 6 hours ago
Kevin Mirsky
  • A subtle point to be made here is that you're using "admin" in the sense of "a single, all powerful role" whereas, in organizations that are large and sensitive enough, it's very common to segregate duties very strictly around sensitive data, such that the damage done by one single set of credentials is narrow.
    – dwizum, 5 hours ago

  • Just wanted to add: your threat model is a bit narrow. I mean, if the DB Admin's account gets hacked, it's not like stuff like Application Level Encryption or User Provided Keys will save the day. You're still getting Ransomware'd, or DOS'ed, or Rooted, etc.
    – Kevin, 3 hours ago

  • Related, see Homomorphic Encryption and Semi-Homomorphic Encryption. Using HE or SHE you can [theoretically] encrypt the fields in the database tables and still compute on them, like SELECT and ORDER BY. The data would be safe from admins at Amazon, Dropbox, Salesforce, etc. The cloud would only have the encrypted data. The data would likely be breached by an admin within the organization, however. A local admin with access to the private key can decrypt the query results.
    – jww, 1 hour ago
4 Answers

10
Yes, such a system exists; it's called Application-Level Encryption. Under that system the encryption keys (or at least the Key-Encrypting Key, or KEK) are only available to the application. Data is encrypted by the application before being stored in the database, and encrypted blobs are retrieved from the database to be decrypted by the application.

The advantage of this is a sort of dual control - the DBAs, who can perform bulk actions against the entire database without much limitation - can only extract encrypted data. The application administrators, who hold the KEK, can decrypt anything in the database, but are limited to approved interfaces which may work piecemeal but not in bulk. It makes abuse of the decrypted data harder to perform and easier to detect.

There are disadvantages as well, primarily the inability to index or search upon plaintext characteristics of the encrypted data in the database. Also, it requires the application and database be written to support it; unlike whole-disk or whole-database encryption it's not as easy as flipping a switch.

answered 6 hours ago, edited 5 hours ago
gowenfawr
  • Good point and could be the best solution in the right situation...but I hope it is a small dataset and you don't have a large number of different applications that need to access it.
    – DarkMatter, 6 hours ago

  • @DarkMatter I've seen it done successfully with a large dataset and multiple applications; it depends on the usage profile. It would be completely inappropriate for, say, data mining. But for transactional data or anything where there's sufficient non-sensitive metadata to use to address the sensitive data, it works just fine.
    – gowenfawr, 5 hours ago

  • A benefit to application level encryption is that it allows you to be selective. You can choose to encrypt something sensitive (a field containing SSNs) but not encrypt things that are less sensitive. So - @DarkMatter - you get the flexibility to work around performance or access needs vs security.
    – dwizum, 5 hours ago

  • It would also render a lot of the features useless e.g. range indexing and aggregations (for a relational DB) or am I missing something?
    – JimmyJames, 4 hours ago

  • @JimmyJames I don't really see why it would necessarily. To the database, it's all the same. As stored, the data looks like gobbledygook to a human viewer, but the database doesn't really care as long as it's all gobbledygook. Since in this scenario the application is responsible for performing the encryption and decryption, it would be. Yes, you lose some potential flexibility, performance, etc., but that's the usual tradeoff where especially confidentiality (and to some extent also availability and integrity) is concerned.
    – a CVn, 4 hours ago
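As an added illustration of this answer's dual-control idea and of the selective-encryption trade-off discussed in the comments (example code written for this page, not taken from any answer or product): the application holds the key and encrypts the SSN column before the INSERT, leaves the name column in the clear so it stays searchable, and a bulk export with database credentials yields only opaque blobs. The `Row` and `App` types and the `customer:<id>` AAD label are assumptions of the example; the demo key in `main` is generated in memory, where a real deployment would load it from the application host's key store.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Row is what the table actually holds: Name in the clear (selective encryption;
// it is not sensitive and stays searchable), the SSN as an AES-256-GCM blob.
type Row struct {
	ID        int
	Name      string
	SSNCipher []byte // nonce || ciphertext || tag, opaque to anyone with only DB credentials
}

// App holds the data-protection key, loaded at start-up from the application
// host's key store (the KEK in the answer's terms); the database never sees it.
type App struct{ Key []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prepends the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the tag check fails on a wrong key, tampering or a wrong AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// rowAAD binds each blob to its row, so a DBA cannot move an SSN between rows.
func rowAAD(id int) []byte { return []byte(fmt.Sprintf("customer:%d", id)) }

// EncryptRow runs in the application before the INSERT.
func (a *App) EncryptRow(id int, name, ssn string) (Row, error) {
	c, err := seal(a.Key, []byte(ssn), rowAAD(id))
	if err != nil {
		return Row{}, err
	}
	return Row{ID: id, Name: name, SSNCipher: c}, nil
}

// DecryptSSN runs in the application after the SELECT, one row at a time,
// through whatever approved interface the application exposes.
func (a *App) DecryptSSN(r Row) (string, error) {
	pt, err := open(a.Key, r.SSNCipher, rowAAD(r.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LeaksPlaintext models a bulk export with DBA credentials: is the secret
// visible in the clear anywhere in the stored rows?
func LeaksPlaintext(rows []Row, secret string) bool {
	for _, r := range rows {
		if bytes.Contains(r.SSNCipher, []byte(secret)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // demo only: a real app loads this from its key store
	rand.Read(key)
	app := &App{Key: key}
	row, _ := app.EncryptRow(1, "Ada", "123-45-6789") // constructed sample record
	ssn, _ := app.DecryptSSN(row)
	fmt.Printf("DBA view: id=%d name=%q ssn=%x\n", row.ID, row.Name, row.SSNCipher)
	fmt.Printf("app view: id=%d name=%q ssn=%s\n", row.ID, row.Name, ssn)
}
```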
3
On a database server, two different admin accounts can exist: the system admin account(s) and the database admin accounts. @gowenfawr's answer already addresses the database admin case, so I will focus on the system admin one.

In that case, you have lost. It is not possible to protect a machine from its administrator, because they have full access to any file on the system. As a server normally supports unattended reboots, the application will have to be able to extract the database decryption key, and someone with admin privileges should be able to extract that key too, because they could impersonate the application user.

There are some possible mitigations. One is when the data is encrypted client side. In that case, the application only processes encrypted data with no possible access to the clear text, so even with full access to the machine and to the database it is not possible to decrypt anything. This is a very secure but rather inconvenient way: if users lose their key, the data is definitely lost. Because of that, system admins are generally very reluctant to accept a security model that ignores them.

Any other way can only be obfuscation: the key, or at least the decrypting procedure, has to be accessible to the machine. It can be made very complex to find, so that you can hope to be able to close the door before the attacker could really extract any clear text data, but it only makes sense if you have a global security system which analyses even apparently legitimate accesses to raise a warning when an account is used in an unusual way. You end up in the classical threat-risk/mitigation-cost question...
  • This is only really relevant if the app is residing on the same server. You can be system admin of the host holding the DB... but if you're not admin of the box holding the apps that interface in with it, you won't be able to decrypt the DB's contents. For example, if I have \HostDB and \HostApp, and the \HostDB's admin creds were compromised, if all the encrypting/decrypting was done on \HostApp, then the breach wouldn't expose any unencrypted data - because the attacker doesn't have any code/apps/etc that can read the data.
    – Kevin, 4 hours ago

2
My threat model is as follows: A legitimate admin account's username and password is compromised. Our attacker uses that account to log in remotely and download the database.

Any remote connection to your network should be protected by 2FA (especially any admin connection). This would mitigate your threat here. Furthermore, depending on the business needs, I would like to disallow access from the VPN VLAN to any VLAN which contains sensitive data such as the DB in question...this may be impossible if you are a virtual company.

My threat model is as follows: A legitimate admin account's username and password is compromised. Our attacker uses that account to log in remotely and download the database. I understand MFA and other access controls would protect here, but assume they've failed or otherwise been circumvented. I'm merely curious of encryption's effect here.

As for the use of encryption...one could store encryption keys in a secure vault which gives role-based access on a need-to-know basis. This would mitigate the risk for the specific DB in question if this admin isn't the admin of this DB.
  • "Any remote connection to your network should be protected by 2FA" -- Ah, I should've noted that in the question. I edited it to clarify. I'm aware of other ways to defend against compromised accounts, but I'm mostly curious as to whether the suggestion of encryption was a valid defense. Still, those answers are helpful to those who might come across this.
    – Kevin Mirsky, 6 hours ago

  • @KevinMirsky I edited to reflect the new threat model as well.
    – DarkMatter, 6 hours ago

1
If you're interested in looking at some bleeding edge research on the topic:

Anomaly detection for database systems, Patent 8504876 B2, Aug 6 2013

The thumbnail is that it uses machine learning to define normal use and can block or notify abnormal use, such as attempting to get everything, even by an admin.
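A rule-based stand-in for the anomaly detection that patent describes, written for this page rather than taken from the patent or any product: it learns a per-account, per-table baseline from constructed audit-log lines and flags a read that returns half the table or far more rows than that account's history, with no exemption for admin accounts. The `k=v` log format, the account and table names, and the thresholds in `Evaluate` are all assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event is one parsed audit record: which account read how many rows of a table.
type Event struct {
	User, Table string
	Rows        int
}

// ParseEvent reads the constructed "k=v" audit line format used in this example.
func ParseEvent(line string) (Event, error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	n, err := strconv.Atoi(kv["rows"])
	if err != nil || kv["user"] == "" || kv["table"] == "" {
		return Event{}, fmt.Errorf("malformed audit line %q", line)
	}
	return Event{User: kv["user"], Table: kv["table"], Rows: n}, nil
}

// Baseline is "normal" per (account, table): the 95th percentile of rows per query.
type Baseline map[string]int

func key(user, table string) string { return user + "|" + table }

// Train stands in for the patent's learned model with a simple percentile over
// the training window, computed separately for every (account, table) pair.
func Train(history []Event) Baseline {
	samples := map[string][]int{}
	for _, e := range history {
		samples[key(e.User, e.Table)] = append(samples[key(e.User, e.Table)], e.Rows)
	}
	b := Baseline{}
	for k, s := range samples {
		sort.Ints(s)
		b[k] = s[(len(s)*95+99)/100-1] // ceil(0.95*n)-th smallest value
	}
	return b
}

// Evaluate returns a non-empty reason when a read is abnormal: tableRows is the
// table's current size, factor the tolerated multiple of the account's baseline.
func Evaluate(b Baseline, e Event, tableRows, factor int) string {
	if tableRows > 0 && e.Rows*2 >= tableRows { // "get everything", admin or not
		return fmt.Sprintf("bulk read: %d of %d rows in one query", e.Rows, tableRows)
	}
	p95, seen := b[key(e.User, e.Table)]
	if !seen {
		return "no history for this account on this table"
	}
	if e.Rows > factor*p95 {
		return fmt.Sprintf("%d rows exceeds %dx baseline p95 (%d)", e.Rows, factor, p95)
	}
	return ""
}

// Constructed training log: the app's service account and a DBA who spot-checks rows.
var trainingLog = []string{
	"ts=2019-05-10T09:01:02Z user=app_svc table=customers rows=12",
	"ts=2019-05-10T09:07:44Z user=app_svc table=customers rows=35",
	"ts=2019-05-10T11:20:09Z user=app_svc table=customers rows=20",
	"ts=2019-05-10T14:02:31Z user=dba_admin table=customers rows=1",
	"ts=2019-05-10T14:03:12Z user=dba_admin table=customers rows=3",
}

// Constructed probes: routine traffic, then the DBA account pulling the whole table.
var probes = []string{
	"ts=2019-05-11T10:00:00Z user=app_svc table=customers rows=30",
	"ts=2019-05-11T10:05:00Z user=dba_admin table=customers rows=250000",
	"ts=2019-05-11T10:06:00Z user=dba_admin table=customers rows=400",
}

func main() {
	var history []Event
	for _, l := range trainingLog {
		e, err := ParseEvent(l)
		if err != nil {
			panic(err)
		}
		history = append(history, e)
	}
	base := Train(history)
	for _, l := range probes {
		e, _ := ParseEvent(l)
		fmt.Printf("%-66s -> %q\n", l, Evaluate(base, e, 250000, 10))
	}
}
```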






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209857%2fwould-encrypting-a-database-protect-against-a-compromised-admin-account%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    4 Answers
    4






    active

    oldest

    votes








    4 Answers
    4






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    10














    Yes, such a system exists; it's called Application-Level Encryption. Under that system the encryption keys (or at least the Key-Encrypting Key, or KEK) are only available to the application. Data is encrypted by the application before being stored in the database, and encrypted blobs are retrieved from the database to be decrypted by the application.



    The advantage of this is a sort of dual control - the DBAs, who can perform bulk actions against the entire database without much limitation - can only extract encrypted data. The application administrators, who hold the KEK, can decrypt anything in the database, but are limited to approved interfaces which may work piecemeal but not in bulk. It makes abuse of the decrypted data harder to perform and easier to detect.



    There are disadvantages as well, primarily the inability to index or search upon plaintext characteristics of the encrypted data in the database. Also, it requires the application and database be written to support it; unlike whole-disk or whole-database encryption it's not as easy as flipping a switch.






    share|improve this answer

























    • Good point and could be the best solution in the right situation...but I hope it is a small dataset and you don't have a large number of different applications that need to access it.

      – DarkMatter
      6 hours ago











    • @DarkMatter I've seen it done successfully with a large dataset and multiple applications; it depends on the usage profile. It would be completely inappropriate for, say, data mining. But for transactional data or anything where there's sufficient non-sensitive metadata to use to address the sensitive data, it works just fine.

      – gowenfawr
      5 hours ago






    • 1





      A benefit to application level encryption is that it allows you to be selective. You can choose to encrypt something sensitive (a field containing SSNs) but not encrypt things that are less sensitive. So - @DarkMatter - you get the flexibility to work around performance or access needs vs security.

      – dwizum
      5 hours ago











    • It would also render a lot of the features useless e.g. range indexing and aggregations (for a relational DB) or am I missing something?

      – JimmyJames
      4 hours ago











    • @JimmyJames I don't really see why it would necessarily. To the database, it's all the same. As stored, the data looks like gobbledygook to a human viewer, but the database doesn't really care as long as it's all gobbledygook. Since in this scenario the application is responsible for performing the encryption and decryption, it would be. Yes, you lose some potential flexibility, performance, etc., but that's the usual tradeoff where especially confidentiality (and to some extent also availability and integrity) is concerned.

      – a CVn
      4 hours ago
















    10














    Yes, such a system exists; it's called Application-Level Encryption. Under that system the encryption keys (or at least the Key-Encrypting Key, or KEK) are only available to the application. Data is encrypted by the application before being stored in the database, and encrypted blobs are retrieved from the database to be decrypted by the application.



    The advantage of this is a sort of dual control - the DBAs, who can perform bulk actions against the entire database without much limitation - can only extract encrypted data. The application administrators, who hold the KEK, can decrypt anything in the database, but are limited to approved interfaces which may work piecemeal but not in bulk. It makes abuse of the decrypted data harder to perform and easier to detect.



    There are disadvantages as well, primarily the inability to index or search upon plaintext characteristics of the encrypted data in the database. Also, it requires the application and database be written to support it; unlike whole-disk or whole-database encryption it's not as easy as flipping a switch.






    share|improve this answer

























    • Good point and could be the best solution in the right situation...but I hope it is a small dataset and you don't have a large number of different applications that need to access it.

      – DarkMatter
      6 hours ago











    • @DarkMatter I've seen it done successfully with a large dataset and multiple applications; it depends on the usage profile. It would be completely inappropriate for, say, data mining. But for transactional data or anything where there's sufficient non-sensitive metadata to use to address the sensitive data, it works just fine.

      – gowenfawr
      5 hours ago






    • 1





      A benefit to application level encryption is that it allows you to be selective. You can choose to encrypt something sensitive (a field containing SSNs) but not encrypt things that are less sensitive. So - @DarkMatter - you get the flexibility to work around performance or access needs vs security.

      – dwizum
      5 hours ago











    • It would also render a lot of the features useless e.g. range indexing and aggregations (for a relational DB) or am I missing something?

      – JimmyJames
      4 hours ago











    • @JimmyJames I don't really see why it would necessarily. To the database, it's all the same. As stored, the data looks like gobbledygook to a human viewer, but the database doesn't really care as long as it's all gobbledygook. Since in this scenario the application is responsible for performing the encryption and decryption, it would be. Yes, you lose some potential flexibility, performance, etc., but that's the usual tradeoff where especially confidentiality (and to some extent also availability and integrity) is concerned.

      – a CVn
      4 hours ago














    10












    10








    10







    Yes, such a system exists; it's called Application-Level Encryption. Under that system the encryption keys (or at least the Key-Encrypting Key, or KEK) are only available to the application. Data is encrypted by the application before being stored in the database, and encrypted blobs are retrieved from the database to be decrypted by the application.



    The advantage of this is a sort of dual control - the DBAs, who can perform bulk actions against the entire database without much limitation - can only extract encrypted data. The application administrators, who hold the KEK, can decrypt anything in the database, but are limited to approved interfaces which may work piecemeal but not in bulk. It makes abuse of the decrypted data harder to perform and easier to detect.



    There are disadvantages as well, primarily the inability to index or search upon plaintext characteristics of the encrypted data in the database. Also, it requires the application and database be written to support it; unlike whole-disk or whole-database encryption it's not as easy as flipping a switch.






    edited 5 hours ago

























    answered 6 hours ago









    gowenfawr

    55.5k11117165
















    • Good point and could be the best solution in the right situation...but I hope it is a small dataset and you don't have a large number of different applications that need to access it.

      – DarkMatter
      6 hours ago











    • @DarkMatter I've seen it done successfully with a large dataset and multiple applications; it depends on the usage profile. It would be completely inappropriate for, say, data mining. But for transactional data or anything where there's sufficient non-sensitive metadata to use to address the sensitive data, it works just fine.

      – gowenfawr
      5 hours ago






    • A benefit to application level encryption is that it allows you to be selective. You can choose to encrypt something sensitive (a field containing SSNs) but not encrypt things that are less sensitive. So - @DarkMatter - you get the flexibility to work around performance or access needs vs security.

      – dwizum
      5 hours ago











    • It would also render a lot of the features useless e.g. range indexing and aggregations (for a relational DB) or am I missing something?

      – JimmyJames
      4 hours ago











    • @JimmyJames I don't really see why it would necessarily. To the database, it's all the same. As stored, the data looks like gobbledygook to a human viewer, but the database doesn't really care as long as it's all gobbledygook. Since in this scenario the application is responsible for performing the encryption and decryption, it would be. Yes, you lose some potential flexibility, performance, etc., but that's the usual tradeoff where especially confidentiality (and to some extent also availability and integrity) is concerned.

      – a CVn
      4 hours ago
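    To make the KEK/DEK split in this answer concrete, here is an added example in Go (it is not code from the answer or from any particular product): the application holds a key-encrypting key, wraps a data-encrypting key under it, encrypts a sensitive field with AES-256-GCM bound to the row key, and hands the database only ciphertext plus clear metadata. The row layout, key values, field names and the `dek:v1` / `ssn:<id>` context labels are all constructed for the demo. It also shows the point raised in the comments above: a bulk dump yields only opaque blobs, and because every encryption uses a fresh nonce, equal SSNs give different ciphertexts, so the database cannot index, range-scan or aggregate on that column; the application has to reach rows through the clear metadata.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Row is what the database stores: clear non-sensitive metadata used to address
// the record, and the sensitive field only as AEAD ciphertext (nonce||ct||tag).
type Row struct {
	CustomerID string
	Region     string
	SSNCipher  []byte
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under key, prefixes the fresh random nonce and
// binds the result to aad so it cannot be reused in another context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or modified blob fails the tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// WrapDEK protects the data-encrypting key under the KEK that only the
// application holds; the wrapped DEK may then be stored next to the data.
func WrapDEK(kek, dek []byte) ([]byte, error) { return seal(kek, dek, []byte("dek:v1")) }

// UnwrapDEK recovers the DEK and fails under any KEK but the wrapping one.
func UnwrapDEK(kek, wrapped []byte) ([]byte, error) { return open(kek, wrapped, []byte("dek:v1")) }

// EncryptSSN encrypts one field. The row key in the AAD means a ciphertext
// copied into a different row by someone with table access will not decrypt.
func EncryptSSN(dek []byte, customerID, ssn string) ([]byte, error) {
	return seal(dek, []byte(ssn), []byte("ssn:"+customerID))
}

// DecryptSSN is the only path back to the plaintext, and it needs the DEK.
func DecryptSSN(dek []byte, customerID string, blob []byte) (string, error) {
	pt, err := open(dek, blob, []byte("ssn:"+customerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DBAView is what a bulk dump of the table yields: clear metadata plus an
// opaque blob per sensitive field, with no key anywhere on the database side.
func DBAView(rows []Row) []string {
	out := make([]string, 0, len(rows))
	for _, r := range rows {
		out = append(out, r.CustomerID+","+r.Region+","+base64.StdEncoding.EncodeToString(r.SSNCipher))
	}
	return out
}

func main() {
	// Constructed demo keys; a real application loads its KEK from its own secret store, KMS or HSM.
	kek := []byte("kek-constructed-for-demo-32bytes")
	dek := []byte("dek-constructed-for-demo-32bytes")
	wrapped, _ := WrapDEK(kek, dek)
	ct, _ := EncryptSSN(dek, "c-1001", "123-45-6789") // constructed record
	table := []Row{{CustomerID: "c-1001", Region: "eu-west", SSNCipher: ct}}
	fmt.Println("DBA sees:", DBAView(table)[0])
	key, _ := UnwrapDEK(kek, wrapped) // application side: the KEK unwraps the DEK
	ssn, err := DecryptSSN(key, "c-1001", ct)
	fmt.Println("app sees:", ssn, err)
}
```

    Run it with `go run`: the DBA-side line prints the customer id and region beside a base64 blob, the application-side line prints the SSN. Swapping the blob under another customer id, changing the KEK, or flipping a byte of the stored value all fail the GCM tag check rather than yielding garbage, which is what turns misuse of table access into a visible error instead of a silent one.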


















    On a database server, two different admin accounts can exist: the system admin account(s) and the database admin accounts. @gowenfawr's answer already addresses the database admin case, so I will focus on the system admin one.



    In that case, you have lost. It is not possible to protect a machine from its administrator, because they have full access to any file on the system. As a server normally supports unattended reboots, the application will have to be able to extract the database decryption key, and someone with admin privileges should be able to extract that key too, because they could impersonate the application user.



    There are some possible mitigation ways. One is when the data is encrypted client side. In that case, the application only processes encrypted data with no possible access to the clear text one, so even with full access to the machine and to the database it is not possible to decrypt anything. This is a very secure but rather inconvenient way: if users lose their key, the data is definitely lost. Because of that, system admins are generally very reluctant to accept a security model that ignores them.



    Any other way can only be obfuscation: the key, or at least the decrypting procedure, has to be accessible to the machine. It can be made very complex to find, so that you can hope to be able to close the door before the attacker could really extract any clear text data, but it only makes sense if you have a global security system which analyses even apparently legitimate accesses to raise a warning when an account is used in an unusual way. You end up in the classical threat-risk/mitigation-cost question...






    • This is only really relevant if the app is residing on the same server. You can be system admin of the host holding the DB... but if you're not admin of the box holding the apps that interface in with it, you won't be able to decrypt the DBs contents. For example, if I have \HostDB and \HostApp, and the \HostDB's admin creds were compromised, if all the encrypting/decrypting was done on \HostApp, then the breach wouldn't expose any unencrypted data - because the attacker doesn't have any code/apps/etc that can read the data.

      – Kevin
      4 hours ago















    answered 6 hours ago









    Serge Ballesta

    17.8k33062











    My threat model is as follows: A legitimate admin account's username and password is compromised. Our attacker uses that account to log in remotely and download the database.




    Any remote connection to your network should be protected by 2FA (especially any admin connection). This would mitigate your threat here. Furthermore, depending on the business needs I would like to disallow access from the VPN VLAN to any VLAN which contains sensitive data such as the DB in question...this may be impossible if you are a virtual company.




    My threat model is as follows: A legitimate admin account's username and password is compromised. Our attacker uses that account to log in remotely and download the database. I understand MFA and other access controls would protect here, but assume they've failed or otherwise been circumvented. I'm merely curious of encryption's effect here.




    As for the use of encryption...one could store encryption keys in a secure vault which gives role-based access on a need to know basis. This would mitigate the risk for the specific DB in question if this admin isn't the admin of this DB.






    • "Any remote connection to your network should be protected by 2FA" -- Ah, I should've noted that in the question. I edited it to clarify. I'm aware of other ways to defend against compromised accounts, but I'm mostly curious as to whether the suggestion of encryption was a valid defense. Still, those answers are helpful to those who might come across this.

      – Kevin Mirsky
      6 hours ago

    • @KevinMirsky I edited to reflect the new threat model as well.

      – DarkMatter
      6 hours ago















    edited 6 hours ago

























    answered 7 hours ago









    DarkMatter

    2,4011121











    If you're interested in looking at some bleeding edge research on the topic:

    Patent 8504876 B2, Aug 6 2013: "Anomaly detection for database systems"

    The thumbnail is that it uses machine learning to define normal use and can block or notify abnormal use, such as attempting to get everything, even by an admin.






        answered 1 hour ago









    user10216038

        1,722310
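    As an added illustration of the idea behind that answer (this is not the patent's method and not code from the answer), the Go program below learns a per-account profile from a training window of query-audit records and flags later records that deviate from it: an account missing from the baseline, a first touch of a table that account never used, or a result set more than a chosen factor larger than the account's previous maximum. The record format, both log windows and the threshold factor are constructed for the example; a real deployment would feed it from the database's own audit log, keep the profile per account and table, and tune the factor against false positives.

```go
package main

import "fmt"

// Event is one parsed record from a (constructed) query-audit log.
type Event struct {
	Time, User, Table string
	Rows              int
}

// Profile is one account's normal use: tables touched and largest result set pulled.
type Profile struct {
	Tables  map[string]bool
	MaxRows int
}

// TrainingLog and LiveLog are constructed sample records in the form
// "<timestamp> user=<account> table=<table> rows=<rows returned>".
var TrainingLog = []string{
	"2019-05-09T09:00:01Z user=app_svc table=customers rows=1",
	"2019-05-09T09:00:07Z user=app_svc table=customers rows=3",
	"2019-05-09T09:01:15Z user=dba_admin table=customers rows=40",
	"2019-05-09T09:05:30Z user=dba_admin table=orders rows=120",
	"2019-05-09T09:10:02Z user=app_svc table=customers rows=2",
}

var LiveLog = []string{
	"2019-05-09T14:00:00Z user=app_svc table=customers rows=4",
	"2019-05-09T14:00:05Z user=dba_admin table=orders rows=95",
	"2019-05-09T14:02:11Z user=dba_admin table=customers rows=250000",
	"2019-05-09T14:03:40Z user=app_svc table=orders rows=3",
}

// ParseLine turns one audit record into an Event; a malformed record is an error, not skipped.
func ParseLine(line string) (Event, error) {
	var ev Event
	n, err := fmt.Sscanf(line, "%s user=%s table=%s rows=%d", &ev.Time, &ev.User, &ev.Table, &ev.Rows)
	if err != nil || n != 4 || ev.Rows < 0 {
		return Event{}, fmt.Errorf("malformed record: %q", line)
	}
	return ev, nil
}

// BuildBaseline learns each account's profile from a window assumed to be legitimate activity.
func BuildBaseline(lines []string) (map[string]*Profile, error) {
	b := map[string]*Profile{}
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		p := b[ev.User]
		if p == nil {
			p = &Profile{Tables: map[string]bool{}}
			b[ev.User] = p
		}
		p.Tables[ev.Table] = true
		if ev.Rows > p.MaxRows {
			p.MaxRows = ev.Rows
		}
	}
	return b, nil
}

// Score returns why ev deviates from the baseline, or "" when it looks normal.
// An admin account is measured by the same yardstick as any other.
func Score(b map[string]*Profile, ev Event, factor int) string {
	p, ok := b[ev.User]
	switch {
	case !ok:
		return "account not seen in baseline"
	case !p.Tables[ev.Table]:
		return "first access to table " + ev.Table
	case ev.Rows > factor*p.MaxRows:
		return fmt.Sprintf("bulk read of %d rows (baseline max %d)", ev.Rows, p.MaxRows)
	}
	return ""
}

// Detect scores each live record and returns one alert per anomaly; records the
// parser rejects count as anomalies too, since a gap in the audit trail matters.
func Detect(b map[string]*Profile, lines []string, factor int) []string {
	var alerts []string
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			alerts = append(alerts, "unparseable record: "+err.Error())
			continue
		}
		if reason := Score(b, ev, factor); reason != "" {
			alerts = append(alerts, fmt.Sprintf("%s %s %s: %s", ev.Time, ev.User, ev.Table, reason))
		}
	}
	return alerts
}

func main() {
	b, _ := BuildBaseline(TrainingLog)
	for _, a := range Detect(b, LiveLog, 10) { // factor 10 is a constructed threshold
		fmt.Println("ALERT", a)
	}
}
```

    With the constructed logs, the 95-row read by `dba_admin` passes because it is within the account's own history, the 250000-row read of `customers` by the same account is flagged as a bulk read, and the application account's first visit to `orders` is flagged as a new table. The point the answer makes is visible here: the rule judges the admin account by its own observed behaviour, not by its privileges.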






























