If all customer data is encrypted or tokenized, an IT team cannot see the actual information to conduct merge/match activities in the database. But there are options that can resolve database security issues while enabling search capabilities.
Data at rest is a common security issue. Approaches include encrypting the hard drive that certain data resides on, segment ing the machine from the rest of the network, or encrypting individual files within a given machine. When the objective is to secure a database while enabling records analysis, consider placing the database on a separate physical machine.
Certain fields within said database are used for searching, but are also tokenized or encrypted. If a customer named Susan also goes by Sue, her corresponding records within the database will appear to belong to different people. The encryption mechanism assigns two different values to Sue and Susan, and the text will never match. One or more users have access to the database in this situation.
To resolve the security issue, it may be easier to unencrypt the database and transfer it to a separate physical device. This allows matching and merging information directly -- no more phantom Sue -- without dealing with encrypted data. Instead, encrypt the machine where the database resides. The data is protected by virtue of the machine it lives on.
Choose a method to authenticate to the encrypted device: with a username and password, a security token, or by the physical machine authenticating to another physical machine. There are numerous viable approaches, as long as the result is that matching and merging are no longer issues on the database.
None of these scenarios is inherently difficult. Complications come from the details of the infrastructure deployment. If the organization wants to segment a certain portion of data from the rest of the network, the only limiting factor is available resources. But segmenting the data, in and of itself, is not difficult.
About the author:
Brad Casey is an expert on network security with experience in penetration testing, public key infrastructure, VoIP and network packet analysis. He also covers system administration, Active Directory and Windows Server 2008, with interest in Linux virtualization and Wireshark captures. He spent five years in security assessment testing for the U.S. Air Force. Contact him at email@example.com.
Dig Deeper on IT compliance and governance strategies
Related Q&A from Brad Casey
Allowing users to tunnel through a firewall to access any site creates a security risk. How big of a risk is it? It depends on how much you trust ... Continue Reading
Don't treat physical and virtual machines' security differently. Since VM security issues threaten the whole infrastructure, here's how to stop ... Continue Reading
I have only seen companies deploy a NetBackup master server on a physical server. Are there any drawbacks to using a VM as a NetBackup master server? Continue Reading