Securing Your Critical Business Data with Always Encrypted

Securing Your Critical Business Data with Always Encrypted

There’s an increasing awareness about how critical data protection is to an enterprise. With security being a key concern for businesses, it's important to know how to best safeguard your business. 

Today’s growing cloud adoption trend coupled with a wave of high profile data breaches has propelled security to the top of the list of concerns for businesses. There’s an increasing awareness about how critical data protection is to an enterprise.

Security exposures can be costly, embarrassing and damaging to an organization’s reputation and customer confidence. Take the case of Home Depot and Target, both of which were hit by huge, high-impact security breaches. At Home Depot, 56 million credit and debit cards may have been compromised during a five-month period. Ironically, Home Depot was reported to have begun a project to fully encrypt its payment terminal data this year, but unfortunately the break-in preceded the completion of the security project. Home Depot estimated the costs of the investigation, credit monitoring service, call center staffing and other remediating steps would be approximately $62 million. Target also had a significant security breech in 2013 where they reported that up to 40 million customers’ credit and debit card information had been stolen. Target wound up paying $10 million to settle a class-action lawsuit related to the company's security lapse. Security isn’t one of the sexiest topics in technology, but when it’s comprised, it immediately becomes a priority.

SQL Server Always Encrypted Prevents Unauthorized Data Access
SQL Server 2016’s Always Encrypted feature enables you to secure sensitive data from all unauthorized access – even from database administrators. Always Encrypted is new with SQL Server 2016 and it’s a client-side encryption technology. The data is encrypted when it is written to the database and it’s decrypted by the client when that data is accessed by an approved application. Always Encrypted is quite different from SQL Server’s earlier encryption technology Transparent Data Encryption (TDE). TDE provides at-rest data encryption where the data is encrypted when it’s stored on the disk, but SQL Server decrypts data when authorized users access it.

This means that the in-flight data is not encrypted and highly authorized users have access to the data. SQL Server 2016’s Always Encrypted is implemented through the use of an Always Encrypted aware database driver that’s used by the application. Microsoft has added Always Encrypted support to the .NET Framework 4.6 driver, the Microsoft JDBC 6.0 driver and the Microsoft ODBC 13 driver. The Always Encrypted database driver connects to the database using an encryption key. The data can only be decrypted by using the encryption key. Other applications or data queries can retrieve the encrypted values, but those values will not be unencrypted and therefore will remain secure. The SQL Server database engine only works with the encrypted data. You can see an overview of the Always Encrypted data flow in Figure 1.

Figure 1 – Always Encrypted Data Flow

In Figure 1, you can see that the data encryption takes place in the Enhanced ADO.NET driver while the data store in SQL Server is always encrypted. SQL Server 2016’s Always Encrypted technology prevents unauthorized data security breaches and will ensure that your sensitive data is only accessed by authorized applications.

Underwritten by HPE and Microsoft

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.