JHC Technology is a Service Disabled, Veteran-Owned, Small Business based in the Washington, DC Metro area. Our primary focus is to offer customized solutions and IT consulting to our Commercial and Government clients. Our experts have a broad experience delivering and managing Microsoft Enterprise applications and Cloud and Virtualization Solutions, as well as mobilizing Enterprise data.

Wednesday, June 26, 2013

Database Encryption & Application Level Protection

Data protection often comes up during a SharePoint implementation, and most of the time we address it with application-level protection. In addition to application-level protection, several encryption methods can be applied at the database level to protect the content itself.

Database Encryption

Below is a description of the different encryption methods that can be applied to protect the database. On SQL Server 2008 or later, the best approach is full database encryption with Transparent Data Encryption (TDE). The main benefit of full database encryption is that the application does not have to call built-in encrypt/decrypt functions in its queries, so there is no per-query encryption work in the application and none of the query slowness that cell-level encryption causes. Two caveats: TDE is an Enterprise edition feature (Developer and Evaluation editions also include it), and the certificate that protects the database encryption key must be backed up and stored securely, because the database and every backup taken of it are unrecoverable without that certificate.

Each method is listed below with a short description, its advantages and its disadvantages.

Windows BitLocker
Available from Windows Server 2008 onwards. This type of encryption protects data at the volume level, so everything stored on the encrypted volume is covered.
Advantages
·   Minimal impact on disk read/write performance
·   Volume-level encryption also protects system data on the same volume
Disadvantages
·   Backups and transaction log backups written to an unencrypted volume or a remote share are not encrypted
·   Protection is tied to the volume: files copied off an unlocked volume are in clear text

File Level Encryption
Available on the Windows Server platform. This type of encryption protects the individual database files using the NTFS Encrypting File System (EFS).
Advantages
·   Easier to implement, since it uses the NTFS platform already in place
·   Leverages the Windows key management store (the EFS certificate of the SQL Server service account)
Disadvantages
·   Backups and transaction log backups written elsewhere are not encrypted
·   Requires OS-level administrative access on the server
·   Asynchronous I/O can be slower on EFS-encrypted files, so database performance may suffer

Cell Level Encryption
The column-level encryption functions available since SQL Server 2005. This type of encryption protects individual fields of a table. SharePoint databases cannot benefit from it because modifying the SharePoint database schema is not supported.
Advantages
·   N/A
Disadvantages
·   Cannot be used with SharePoint

Full Database Level Encryption
Transparent Data Encryption (TDE), introduced in SQL Server 2008. All data in the database mdf and ldf files is encrypted on disk; pages are decrypted only when they are read into memory to be served to the application.
Advantages
·   The full database is encrypted at rest
·   Backups are encrypted
·   Transaction logs are encrypted
·   Application independent: SharePoint is unaware of the encryption and needs no change
Disadvantages
·   Encryption puts extra CPU load on the server
·   TempDB is encrypted as soon as any database on the instance uses TDE, so every database on that instance pays that cost
·   Data in transit is not encrypted. SSL/TLS on the SQL Server connection can be used to mitigate this
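The T-SQL below is an added example, not part of the original post and not JHC's code. It walks through the TDE setup described above for a SharePoint content database, then checks the two gaps the table points out: encryption progress (including tempdb) and whether the connection itself is encrypted. The database name WSS_Content_Intranet, the certificate name TDECert, the backup path C:\TDEBackup\ and the passphrases are assumptions; replace them for your environment.

```sql
-- Added example: enabling Transparent Data Encryption (TDE) on a SharePoint
-- content database and verifying the result. Names below are assumptions:
-- database WSS_Content_Intranet, certificate TDECert, backup path C:\TDEBackup\.
USE master;
GO

-- 1. Database master key in master, protected by the service master key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-a-long-random-passphrase-here-1!';
GO

-- 2. Certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TDECert
    WITH SUBJECT = 'TDE certificate for SharePoint content databases';
GO

-- 3. Back up the certificate and its private key NOW, and store the files
--    off the server. Without this backup a TDE-encrypted database, and every
--    backup of it, cannot be restored anywhere.
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\TDEBackup\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDEBackup\TDECert.pvk',
        ENCRYPTION BY PASSWORD = 'Another-long-random-passphrase-2!');
GO

-- 4. Create the DEK inside the content database and turn encryption on.
--    SharePoint needs no change: the encryption is transparent to it.
USE WSS_Content_Intranet;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE WSS_Content_Intranet SET ENCRYPTION ON;
GO

-- 5. Watch the background encryption scan. encryption_state 2 = in progress,
--    3 = encrypted. tempdb appears in this list too once any database on the
--    instance uses TDE, which is the instance-wide cost noted above.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO

-- 6. TDE does nothing for data in transit. Confirm the current session is on
--    an SSL/TLS-encrypted connection (encrypt_option = 'TRUE') and see which
--    authentication scheme it used (auth_scheme = 'KERBEROS' or 'NTLM').
SELECT session_id, net_transport, encrypt_option, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
GO
```

Run step 5 repeatedly on a large content database; the scan runs in the background and the database stays online while percent_complete climbs. Step 6 is worth running as the SharePoint service account from a front-end server: if encrypt_option comes back FALSE, force encryption on the SQL Server network configuration, and if auth_scheme shows NTLM rather than KERBEROS, the service principal names for the SQL Server service are not registered correctly.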

Application Level Protection

Another layer of security can be added to the SharePoint application by using Kerberos authentication together with SSL/TLS. They do different jobs: Kerberos establishes trust and authenticates the client and the server to each other, while SSL/TLS encrypts the communication channel between client and server. Kerberos is built into the Windows platform; the Key Distribution Center (KDC) runs on every Active Directory domain controller. Once the SharePoint servers are joined to the domain and service principal names (SPNs) are registered for the web application's service account, Kerberos authentication can be enabled to provide centralized authentication and ticket granting. Kerberos adds another layer of protection to the SharePoint environment. Some of its benefits are:
  • Double-hop authentication: with delegation, SharePoint can pass the user's identity on to a back-end service such as SQL Server.
  • Tickets are cached and reused until they expire, which reduces round trips to the domain controller and improves performance compared with NTLM.
  • Mutual authentication at the server level: the client verifies the server's identity, not only the reverse.

To implement application-level protection, the SharePoint servers must be domain-joined and the web application configured for Windows authentication against Active Directory.



Hemant Datta is the COO for JHC Technology. He can be reached at hdatta(at)jhctechnology.com, @hdatta, or connect with him on LinkedIn.
