Why Database Encryption Matters: Is the NSA reading this?

Before I start, I just want to say: this is your last chance to get your free InterBase licenses. This offer ends 31st December 2013. See http://www.embarcadero.com/radoffer for details.

Now... the reason this is important!

Are your business applications using old versions of InterBase or Firebird? If so, you may be at risk!


If you are working on business applications that store any data that can be used to identify people, you need to read this post! In short: if you don't have your data encrypted at rest, you could be leaving the users of the application open to large fines if the data is compromised at any point.

Some older versions of InterBase, including the version that was taken to create Firebird, do not support encryption. Data is stored in clear text in the database file, so anyone can open the file in a text editor like Notepad and view customer data. To prevent this, the file needs to be encrypted.
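An added check, not code from the original post or from InterBase: it seeds a known canary value and tests whether a database file exposes it in clear text, alongside a per-block entropy score. The file names, the canary record, the 4096-byte block size and the 7.0 threshold are assumptions, and the random-byte file only stands in for an encrypted database.

```python
import math
import os
from collections import Counter

BLOCK = 4096  # assumed scan granularity, not an InterBase page size
CANARY = "jane.canary@example.invalid"  # constructed marker value

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, roughly 4-5 for text records."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def audit_db_file(path, canaries, min_entropy=7.0):
    """Report readable canary strings and the share of full blocks that look like plaintext."""
    with open(path, "rb") as f:
        data = f.read()  # whole-file read keeps the example short
    hits = [c for c in canaries
            if c.encode("utf-8") in data or c.encode("utf-16-le") in data]
    # Only full blocks are scored; a short tail can score low even when it is random.
    blocks = [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]
    low = sum(1 for b in blocks if shannon_entropy(b) < min_entropy)
    return {
        "canary_hits": hits,
        "blocks": len(blocks),
        "low_entropy_fraction": low / len(blocks) if blocks else None,
    }

def make_samples(directory):
    """Write two constructed 32 KiB files: clear-text records and random bytes."""
    record = f"1001;Jane Canary;{CANARY};555-0100\n".encode("utf-8")
    size = 8 * BLOCK
    plain = os.path.join(directory, "plain.db")
    sealed = os.path.join(directory, "sealed.db")
    with open(plain, "wb") as f:
        f.write((record * (size // len(record) + 1))[:size])
    with open(sealed, "wb") as f:
        f.write(os.urandom(size))  # stand-in for an encrypted file, not real ciphertext
    return plain, sealed

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for p in make_samples(d):
            print(os.path.basename(p), audit_db_file(p, [CANARY]))
```

Against a real database, insert the canary row through the application first and run `audit_db_file` on a copy of the file. An encrypted file can still contain some low-entropy header or empty blocks, so treat the fraction as an indicator and a canary hit as the decisive result.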

Theft is not a defence!


Regulatory action is typically pursued when data is lost and it's not encrypted.
It also doesn't matter if the data is on mobiles, desktop machines, servers or external disks. Wherever it is at rest, it needs to be encrypted. There are notable cases worldwide of customers receiving large fines when they have missed this key requirement.


Two such case studies: the NHS in the UK received a £200,000 fine for unencrypted data that was left on hard drives, even though they had written assurances the drives were going to be physically destroyed. In the USA, Blue Cross Blue Shield received a $1.5m fine for unencrypted data and had to agree to a 450-day corrective action plan.

The costs don't stop there!


On top of the regulatory fines that come from data protection acts around the world, customers will typically notice around a 4% churn in their customer base when they suffer a data breach, not to mention the impact on brand. They also end up with costs associated with help lines, credit check monitoring over a period of time, discounts they have to offer to retain their customers, etc.

So how can you reduce the risk? - Encryption!


Now the great news is that by moving up to InterBase XE3 you get full 256-bit AES encryption straight out of the box. It is easily enabled and ensures that your database is encrypted at the file level wherever it goes. And with InterBase ToGo you have a foundation for managing data safely even on iOS and Android. It can be as simple as a short script on the database and 1 line of code to pass the additional parameter for the database connection.

On the http://www.embarcadero.com/radoffer page there is a great bit of text that mentions that those of you upgrading to the Enterprise (or higher) edition of RAD Studio, Delphi or C++ Builder right now will receive InterBase Server edition with 5 user licenses, a full production database server. If you are developing internally, what are you waiting for?

This offer is only running to the end of the month, so get in now!

You can watch more about this topic here on YouTube. 1 hour well spent!



About
Product Marketing Manager & Associate Product Manager, InterBase. @DelphiABall

Comments

  • Guest
    Luigi Sandon Thursday, 19 December 2013

    First, you can encrypt data at the filesystem level even with Firebird. DB encryption is better - if performed correctly. I'm looking at how Interbase stores the encryption key. Then you have to have secure backups. Are Interbase backups properly encrypted? Then you have to protect the communication channel. Can Interbase encrypt it properly? Can it use SSL over TCP? Not everyone knows how to set up IPSec, and that's not an end-to-end solution anyway. Also, can Interbase use OS authentication? That's another way to properly verify user and encrypt the channel.
    Unless you use Delphi Datasnap and its lame encryption to read and write data... LOL!

  • Guest
    Stephen Ball Monday, 30 December 2013

    First, you can encrypt data at the filesystem level even with Firebird. DB encryption is better - if performed correctly.

    ** Yes File Encryption is much safer than Disk Encryption as it protects the file even when copied off the disk.

    I'm looking at how Interbase stores the encryption key. Then you have to have secure backups. Are Interbase backups properly encrypted?

    ** Yes, there is a separate backup encryption key.

    Then you have to protect the communication channel. Can Interbase encrypt it properly? Can it use SSL over TCP?

    ** Yes, it has full SSL support

    Not everyone knows how to set up IPSec, and that's not an end-to-end solution anyway.

    ** Have a look at the documents online http://docs.embarcadero.com/products/interbase

    Also, can Interbase use OS authentication? That's another way to properly verify user and encrypt the channel.

    ** We don’t currently have OS authentication as to preserve the encrypted database independent security we have embedded users in the database. We are considering this for the future though.
