What it is?
This is about making sure the data is protected as much as possible. Note that this is about protecting data. Most of the case there is nothing called 100% secure data. We should always try our best but can not assume we are fully protected.
Why do we need data security?
It is important to understand that data is the heart of the system. It is quite rare hackers wants to steal software code especially in this open source era. They want to steal the data or tamper them.
In this topic, we protect against,
- Data Leak
- Data loss
- Data inconsistency
Introduction to Software Security
Software Security is very big topic and you will be easily get lost in it. There are lots of information about…
How do we implement data security?
Basically we have two methods?
- Make the data access as hard as possible
- If data is stolen, then make it as hard as possible to read it.
Make the data access as hard as possible
- Implement full-blown authorization
- Employ the least-privilege principal with well defined roles and privilegess
What Is Authorization? Explained From Zero
What exactly is authorization? It is an answer to the question “what you can do?” What this actually means is assigning…
If stolen, we should make it hard to read. In other words we should implement some kind of encryption mechanism on the sensitive data.
We have two options for that,
Use built-in DB encryption capabilities
Almost all major databases support this capability. This should be the preferred way to go using the databases built-in encryption capabilities. In this case we get robust solution supported by the database vendor. It is also more secure and required no code changes in the application (or may be small change).
In cloud era, most of the out of the box database services are encrypted at rest.
Self develop a mechanism
This is done using platform encrypted libraries. All major platforms has such libraries. This is less preferred approach. This is used only if the DB built in encryption can not be used. This approach requires some tedious coding and lots of effort. Also this approach is not flexible.
As you know encryption uses keys. It is the basis and it is crucial for the encryption process. There are different kinds of keys involves with the encryption process. These keys must be kept in secure store such and secure vaults. Because exposing keys, will make the encryption useless.
Key stores or vaults can be used to securely store keys, certificates and more. Never ever store the keys in our code of config file. There are more popular key stores/vaults out there for us to evaluate and use.
Things to consider
- We should first map the data that should be encrypted. We do not need to encrypt all the data in the database as it has its own performance concerns.
- Decide on encryption strategy. Always try to use DB built in mechanism.
- Make sure there is secure key store in the organization. In any case do not initiate any encryption related work without a key store in place.