Why You Should be Encrypting Database Backups

May 14, 2020

Data security is a hot topic in the IT industry for reasons that range from simply safeguarding information resources to maintaining compliance with regulatory standards. Loss or misuse of an organization’s data assets can be financially crippling. The repercussions of a data breach can also result in negative publicity and reduced consumer confidence that can be more damaging than the economic consequences.

Securing data resources demands a multi-faceted approach that impacts many aspects of an IT environment.

Keeping unauthorized entities from accessing your data is one of the primary defensive tactics when protecting corporate information stores.

The Three States of Data

Digital data can be said to be in one of three distinct states at all times. It can be at rest, in use or in transit. The state the information inhabits impacts its ability to be secured and the methods used to protect it.

  • Data at rest is not currently being accessed. This is the state of a large majority of an organization’s data resources at any given time. Data at rest encompasses information stored in databases as well as on disk drives, tape, or other types of storage media.
  • All data not in a state of rest is considered to be in use. It is actively being used by processes or applications. This information may be accessed by individuals with the appropriate level of authorization and protected from unauthorized entities.
  • Data in transit can be seen as a subset of data in use but has unique qualities that influence how it is protected. In-transit data is information that is being transferred between servers or network nodes. It includes email messages sent from a sender to recipients and files downloaded from the Internet.

Regardless of the state of a particular data item, it usually needs to be protected to some degree. In the case of personally identifiable information (PII) and other sensitive types of data, failure to provide adequate protection can result in a nasty data breach that has serious organizational repercussions.

Protecting Data in Its Various States

Data needs to be protected in different ways depending on its current state. The protection is complicated by the fact that a single data item can quickly travel through each state.

For example, when a DBA accesses a database, runs a report on a table containing sensitive data, and emails the report to management, the information has been in all three states. It has moved from the rest state to being in use and finally is in transit as the report is disseminated.

Data resources are vulnerable in each potential state. While in use, measures need to be taken to ensure that only authorized personnel are accessing the data. The information may need to be in human-readable form at this juncture, exposing it to misuse by anyone with access to it.

Data in use can easily be compromised through malevolence or carelessness and often depends directly on the trustworthiness of the individuals using it.

When information is in transit, the most effective method of protecting it is to use encryption. This implies the ability to encrypt and decrypt the data at each end of the communication. It is common practice for corporate networks to enforce encryption through virtual private networks or other means to protect data as it moves.

Data at rest can also take advantage of encryption. The process can be implemented with a focus on different levels of data granularity. Encryption can be done on a disk or device level to protect all of the resident information. It can also be applied to specific files or databases.

One potential drawback to encryption is the computing overhead that the process requires. Encrypting data can slow down system performance.

In all cases, the security of the encryption keys is paramount. If they fall into the wrong hands, the data can be decrypted, negating the attempts at keeping it secure.

Backup Encryption Enhances Data Security

One area that is sometimes overlooked when planning an encryption strategy is the safety of backup data. This can be very dangerous, as seen in the case of a data breach perpetrated on Bitly in 2014. The information contained in their customer database was compromised by hackers accessing offsite backups. Criminals had stolen login credentials that allowed them access to the backups.

This event highlights the fact that cybercriminals can target your onsite and offsite database backups for an attack. Your data needs to be protected from the time it is created until it is securely deleted. Sending unencrypted backups offsite leaves you exposed to a data breach that could have been easily avoided.
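As an added illustration (not part of the original article, and using SQL Server's native backup encryption rather than any vendor tool), the T-SQL below first audits the backup history for backups written without native encryption and then takes an AES-256 encrypted backup. The database name, certificate name, file paths and passwords are placeholders chosen for the example.

```sql
-- Added example. ExampleDb, BackupEncryptCert, all paths and passwords are
-- placeholders. Requires SQL Server 2014 or later (native backup encryption).

-- 1. Audit: backups from the last 30 days with no native encryption recorded.
--    key_algorithm is NULL when SQL Server itself did not encrypt the backup;
--    encryption applied by a third-party tool is not reflected in this column.
SELECT  bs.database_name,
        bs.type AS backup_type,          -- D = full, I = differential, L = log
        bs.backup_finish_date,
        bmf.physical_device_name
FROM    msdb.dbo.backupset AS bs
JOIN    msdb.dbo.backupmediafamily AS bmf
        ON bmf.media_set_id = bs.media_set_id
WHERE   bs.backup_finish_date >= DATEADD(DAY, -30, GETDATE())
  AND   bs.key_algorithm IS NULL
ORDER BY bs.backup_finish_date DESC;
GO

-- 2. One-time setup in master: a database master key and a certificate
--    that will protect the backup encryption key.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password-1>';
GO
CREATE CERTIFICATE BackupEncryptCert
    WITH SUBJECT = 'Backup encryption certificate (example)';
GO

-- 3. Export the certificate and its private key. Store these files apart from
--    the backups: without them the backup cannot be restored, and anyone
--    holding both the files and the backup can decrypt it.
BACKUP CERTIFICATE BackupEncryptCert
    TO FILE = N'D:\KeyEscrow\BackupEncryptCert.cer'
    WITH PRIVATE KEY (
        FILE = N'D:\KeyEscrow\BackupEncryptCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder-strong-password-2>'
    );
GO

-- 4. Encrypted, compressed backup written to a new file.
BACKUP DATABASE [ExampleDb]
    TO DISK = N'E:\Backups\ExampleDb_full.bak'
    WITH COMPRESSION,
         CHECKSUM,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupEncryptCert);
GO
```

Running the audit query again after step 4 should no longer list the new backup, since its key_algorithm column is now populated.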

Encryption with Minimal Overhead

IDERA’s SQL Safe Backup can help you protect your SQL Server databases by encrypting them with minimal overhead, limiting the impact on your systems’ performance. Employ 128-bit or 256-bit Advanced Encryption Standard (AES) encryption with a performance degradation of less than 0.5%. That is a small price to pay for the knowledge that your backups are as secure as they can be.

The tool’s encryption capabilities are only one of the many features that make it an excellent backup solution for SQL Server environments. Backup speed is enhanced with advanced compression and multi-threading technologies. Recovery can be done with a point-in-time or object-level methodology and near-instant database recoveries will minimize downtime.

Your entire SQL Server backup environment can be seen from a single console so you can keep an eye on everything at once. Alerts can be set to keep the team informed of backup failures, warnings, misses, and successes. It is a valuable addition to your SQL Server environment that helps to keep your valuable data secure.