Skip to content

Administrator

Developer

Tools

External Tools

13. Securing Data#

The chapter covers how to use security modules to develop a database encryption strategy.

Overview#

As the protection of information becomes an increasingly important issue, and with the increased awareness of the highly sensitive nature of personal and business information, information protection legislation is being enacted, which is creating the need for more sophisticated database security management functionality.

With the goal of protecting your database from both internal and external threats, Altibase provides security module integration function to effectively protect the database by interlocking a security module suitable for user needs.

This chapter will focus on how to implement security modules in an integrated manner with the aim of protecting your data.

The Altibase security module integration functionality provides powerful encryption management that integrates Altibase server and independent security modules without modifying client applications to provide a complete system for protecting personal information. Altibase supports the integration of trusted third-party security modules with the Altibase server to improve on vulnerabilities in database security, and provides an interface that can be used to integrate security modules effectively.

Altibase provides an architectural framework that allows security modules to be used to encrypt data, intensively control database access and performing at the database level. All operations pertaining to security are performed by the security module that is integrated with Altibase server, rather than by the Altibase server itself.

Encryption applies to columns in tables. The data in encrypted columns are secured regardless of whether the data reside on disk or in a memory buffer.

Access control tasks are roughly categorized into two areas: determining what is to be protected and determining which users have the right to access protected objects.

Like encryption, access control also applies to columns in tables. Every user wishing to access a protected column must first have been granted access rights for the corresponding object.

Which items are protected, which users have the right to access protected data, and all encryption tasks are logged for auditing purposes

The security-related features provided with Altibase are as follows:

  • Encrypted data can be stored and managed either on disk or in memory
  • Data to be output is decrypted according to security privileges
  • Indexes are built in such a way that the chronological order of the original data is maintained
  • Tables that contain encrypted columns can be replicated

How Security is Organized in Altibase#

Altibase and a security module are independent of each other. Encryption keys, security policy, and information about security privileges are managed in a security module that is not part of the database itself.

Altibase can operate normally even when it is not integrated with a security module. However, queries executed on encrypted columns will fail if no security modules are present.

Altibase is integrated with a security module both by setting security module-related properties appropriately and by executing SQL statements. Altibase evaluates the validity of the connection between the security module and Altibase server and guarantees that the connection is valid.

When Altibase evaluates the connection with the security module, it compares security-related information, such as the module name, version, and information about encrypted columns, in the database with the corresponding information in the security module.

Columns can be encrypted without requiring that any changes be made to existing applications that connect to Altibase. Encrypted columns can be created and deleted using SQL. Other tasks can be accomplished without changing any of the queries that are used in the existing application.

In Altibase, the security-related functions of the main module are as follows:

  • Supporting data structures and meta information for managing encrypted data
  • Supporting extended SQL for security
  • Supporting replication

The roles played by an external security module are as follows:

  • Managing encryption algorithm settings, including the kind of algorithm that is used and the initialization vector, if applicable
  • Managing settings for encrypted columns, including the encryption algorithm and encryption/decryption permissions
  • Encrypting and decrypting data
  • Managing access control settings, including access to specific IPs and access by specific users
  • Auditing, including encryption/decryption logging and access control logging