Comparison of different database encryption methods - PolarDB

This topic compares various encryption methods that are used in database systems and can help you select an encryption method based on your business requirements.

Overview

Access control systems are used to limit access to specific areas. For example, in a residential community, a multi-tiered access control system restricts entry at the community entrance, building entrances, and individual apartment entrances to ensure only authorized individuals can access specific areas. An access control system can achieve different access control results based on locations and areas. Encryption methods serve the same as an access control system for a residential community. You can use encryption methods to encrypt sensitive data and achieve different effects based on the position and granularity of the data.

Introduction to database encryption methods

Disk encryption
When you create a system disk or data disks together with an ECS instance or when you separately create a data disk, enable encryption for the cloud disk. After the cloud disk is created, the data within the operating system of the ECS instance that serves as the host of the cloud disk is automatically encrypted when the data is written to the cloud disk and is automatically decrypted when the data is read from the cloud disk. Disk encryption ensures the security of data that is stored on disks at the Infrastructure as a Service (IaaS) layer. For more information, see Overview.
Transparent data encryption (TDE)
Before data is written from the database memory to a file system, the database engine encrypts data in memory and then writes encrypted data to the file system. TDE ensures the security of data that is stored in file systems at the PaaS layer. For more information, see Configure TDE.
Column encryption (basic edition of the always-confidential database feature)
Before query results are sent from a databases to a client, the results are encrypted. The client uses the required key to decrypt the query results. This ensures that data transferred between database clients and databases is in ciphertext. Column encryption ensures data security when data is transferred between clients and databases. For more information, see Overview.

Potential database attacks

A database is a system application, and data within the database is vulnerable to security risks. The following figure shows the security risks and attack paths. For more information, see Oracle's Maximum Security Architecture for Database Security.

The following table describes different types of attacks.

Type	Description	Method

Type	Description	Method
Attack Admins	Attacks system administrators, such as OS administrators. System administrators have the highest permissions on a database system. If an attacker obtains an administrator account, the attacker can manage and access all storage resources, systems, and peripherals. In a database system, system administrators are divided into the following types: Database administrators (DBAs) can access database data and modify configurations. PaaS administrators, such as OS administrators, can access data in OSs and file systems. IaaS administrators, such as platform administrators, can access data on peripherals such as disks.	OS vulnerabilities Administrator account or password leaks Improper system configurations
Attack Users	Attacks users, such as database users. End users can access database systems and specific data. An attacker can obtain a user account and use the account to access user data to launch attacks such as logical data breach attacks. This allows the attacker to exploit vulnerabilities, such as by using SQL injection, to escalate privileges and obtain administrator permissions.	User account or password leaks Logical data breaches
Attack Apps	Attacks application services, such as website servers. Application services are accessible over the Internet, have a larger attack surface, and are more vulnerable to intrusion compared to databases that are strictly protected.	Application service vulnerabilities OS vulnerabilities
Attack Network	Attacks network connections, such as listening to and intercepting network data. In most cases, network attacks use bypass methods and are difficult to detect.	Network listening and interception
Bypass Database	Bypasses database systems to obtain data and steals database data in bypass mode. For example, PaaS personnel can initiate a physical data breach by copying data files and backup files from database disks.	Physical data breaches
Bypass OS	Bypasses the file system in an OS to obtain data and steals disk data in bypass mode. For example, IaaS personnel can directly copy data from local disks or cloud disks.	Mounting attacks
Exploit Database	Exploits defects within a database system, such as code bugs, to access the database directly or indirectly.	Database OS vulnerabilities
Target Data Copies	Attacks development and test databases. In most cases, production data is directly synchronized to a development and test database. However, no effective methods are used to ensure the security of the development and test database. As a result, the development and test database is more vulnerable than the production database.	All of the above

To address these potential database security risks in different application paths in a system, a comprehensive security solution is required to respond to the potential database security risks in different system applications. Different security technologies and management methods, such as SSL and certificate services, authentication and access control, whitelists and security groups, data encryption and masking, and security auditing, are required to develop a solution.

Capability matrix of encryption methods

The encryption methods that are used in databases include disk encryption, TDE, and column encryption. The following table describes the encryption methods. You can select an appropriate encryption method based on business pain points, encryption granularity, transformation costs, and performance.

Database encryption method	Disk encryption	TDE	Column encryption ((Basic edition of the always-confidential database feature)

Database encryption method	Disk encryption	TDE	Column encryption ((Basic edition of the always-confidential database feature)
Issues that can be resolved	Bypass OS and Attack Admins (IaaS)	Bypass Database, Bypass OS, and Attack Admins (PaaS and IaaS)	Attack Users, Attack Apps, Attack Admins (DBA¹) Attack Network, and Target Data Copies
Data visibility to database O&M personnel, such as DBA	Visible	Visible	Invisible
Data visibility to PaaS O&M personnel, such as OS administrators	Visible	Invisible	Visible¹
Data visibility to IaaS O&M personnel, such as physical process engineers	Invisible	Invisible	Visible¹
Encryption granularity	Cluster	Table and database	Column
Business transformation	N/A	N/A	You must replace the Java Database Connectivity (JDBC) driver with EncJDBC, and you do not need to modify code.
Performance	Slight performance loss, or even no loss	Influencing factors: the sizes of sensitive databases and tables, database configurations, and application loads. Note For example, if the table size is smaller than the cache size, the performance loss is extremely low. If the table size is much larger than the cache size, the performance loss is high. Conclusion: In most cases, the performance loss is less than 5%. If application loads are extremely heavy, the performance loss may reach 20%.	Influencing factors: the sizes of sensitive data in query results, independent of the sizes of databases and tables. Note For example, when a query retrieves one piece of data, the performance loss is minimal. However, retrieving one million pieces of data can result in significant performance loss. Conclusion: In most cases, the performance loss is less than 7%. If application loads are extremely heavy, the performance loss may reach 21%.

DBA¹ and visible¹: The basic edition of the always-confidential database feature cannot prevent O&M personnel at the PaaS and IaaS layers from accessing plaintext data. You can use the hardware-enhanced edition of the always-confidential database feature together with the trusted hardware technology to defend against attacks from the PaaS and IaaS layers. The hardware-enhanced edition provides enhanced security compared to the basic edition of the always-confidential database feature.

Comparison of the principles of encryption methods

Architecture

The following figure shows the roles of encryption methods in a database system based on the system architecture:

Disk encryption is applied to the OS layer of an ECS instance and the host on which the ECS instance resides to encrypt and decrypt OS files. Disk encryption takes effect on all clusters on the ECS instance or the host on which the cloud disks are deployed.
TDE is applied to clusters to encrypt and decrypt cached database files. TDE takes effect on individual clusters.
Column encryption is applied to clusters to encrypt and decrypt query results in the database memory and return data in ciphertext to the applications that are connected to the clusters. Column encryption takes effect on individual clusters.

Note

Column encryption, TDE, and disk encryption can be used in combination.

Data

The following figure shows the encryption states of data in a database system by encryption method.

In disk encryption, data is in ciphertext in disks, but in plaintext in OS files and databases.
In TDE, data is in ciphertext in disks and OS files, but in plaintext in databases.
In column encryption, data is in ciphertext in databases (except in the engine), but in plaintext in OS files and disks. Data is running in ciphertext and stored in plaintext.

Note

The combination of column encryption and TDE provides end-to-end encryption for data in transit.

Differences between different database encryption methods

Storage security technology	Disk encryption	TDE	Column encryption

Storage security technology	Disk encryption	TDE	Column encryption
Effective scope	OS	Database engine	Database engine
Encryption scope	Host or ECS Instance	Cluster	Cluster
Encryption granularity	Cluster	Database and table	Column
Application awareness	Transparent to applications	Transparent to applications	Replacement of JDBC with EncJDBC for applications

Summary

Database encryption technologies have been mature, but databases still face various security threats from the user perspective. To address these threats, different database encryption technologies are available, such as disk encryption, TDE, and column encryption. You can select an appropriate database encryption method based on security requirements, business transformation costs, and performance.

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Lingma

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)