The Missing Security Layer for Enterprise-Grade Postgres
Today, data is regarded as the most important asset an organization has. As businesses and government agencies realize the importance of data ownership and portability, there’s been a massive increase in enterprise adoption of open source databases such as Postgres. However, maintaining data security and integrity in your database can be a complex task.
Securing data at rest is largely a solved problem, with various options that provide coverage at the disk or within databases at the transaction level. These options provide flexibility but are meant to address different types of threats an organization may face. As data security concerns rise amongst organizations that have accelerated their cloud journey, data encryption needs to be a best practice. It can help safeguard confidential data and other cloud data assets from accidental exposure and unauthorized access, and it allows organizations to create a security architecture that mitigates numerous threats that could otherwise contribute to a security breach.
Database security is just one of many security layers an organization needs to consider. But it’s the deepest one, without which organizations are likely to find themselves at greater risk in a challenging cyberspace.
Transparent Data Encryption for Postgres
Over the past five years, Postgres has become a critical component in the most sensitive environments like payment processors, banking, and health care. To ensure their customers’ information doesn’t end up for sale on internet forums, transparent data encryption (TDE) is essential for enterprises using Postgres.
Using TDE, organizations can enable Advanced Encryption Standard (AES) encryption for their Postgres database system. AES has become a de facto standard encryption algorithm for protecting sensitive data.
Transparent data encryption means all user data is automatically encrypted when written to disk. And since the database files are encrypted, so are the database backups. The data on disk is unintelligible, whether it’s on the live database system or in an organization’s backup storage.
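One practical check for the claim above, as an added example rather than EDB's own tooling: after enabling TDE, confirm that a relation file in the data directory, and the same file inside a file-level backup, no longer contain readable rows. The check combines byte entropy (AES output sits close to 8 bits per byte) with a search for sentinel plaintext you know exists in a table; the entropy threshold and the sample inputs are assumptions.

```python
"""Added example (not EDB's code): spot-check that Postgres data files on
disk are unintelligible after enabling TDE. Two signals are combined:
  1. Shannon entropy of the file bytes (AES output is close to 8 bits/byte,
     heap pages full of ASCII rows sit far lower).
  2. A search for sentinel plaintext known to exist in a table, e.g. a test
     row inserted for this purpose.
The file paths are assumptions: point inspect_file() at a relation file
under PGDATA/base/ and at the same file inside a base backup."""
import math
import random
from collections import Counter
from typing import Iterable

ENTROPY_FLOOR = 7.5   # bits per byte; assumed threshold for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_blob(data: bytes, sentinels: Iterable[bytes]) -> dict:
    """Return the entropy, any leaked sentinels and a pass/fail verdict."""
    leaked = [s for s in sentinels if s in data]
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 3),
        "leaked": leaked,
        "encrypted": entropy >= ENTROPY_FLOOR and not leaked,
    }


def inspect_file(path: str, sentinels: Iterable[bytes]) -> dict:
    """Same check over a file on disk (data directory or backup copy)."""
    with open(path, "rb") as fh:
        return inspect_blob(fh.read(), sentinels)


# Constructed sample inputs, not real Postgres pages.
SENTINELS = [b"4111111111111111", b"jane.doe@example.com"]
PLAIN_PAGE = (b"\x00" * 24 + b"jane.doe@example.com|4111111111111111|") * 200
CIPHER_PAGE = random.Random(42).randbytes(8192)   # stand-in for AES output

if __name__ == "__main__":
    for name, blob in (("unencrypted", PLAIN_PAGE), ("encrypted", CIPHER_PAGE)):
        print(name, inspect_blob(blob, SENTINELS))
```

The check only applies to file-level copies of the data directory; a logical dump produced by pg_dump is written by the server after decryption and is plaintext unless you encrypt it separately.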
Most people comfortably send sensitive data across the internet, trusting internet communication standards used by the largest online retailers, banks and search engines. TDE helps ensure confidentiality by encrypting data stored in databases, protecting sensitive data even if the database is accessed by unauthorized individuals.
It also helps organizations comply with privacy and security regulations, such as GDPR, PCI DSS and HIPAA, which require the protection of sensitive data. Additionally, investing in transparent data encryption can improve an organization’s reputation by demonstrating a commitment to security and privacy, which increases customer trust.
Safeguarding Data Stored on Disk
At some point in their career, most software developers will be tasked with ensuring an application safely stores sensitive data, such as credit card data kept to reduce friction for future purchases, or personally identifiable information (PII) such as medical data. Whether you’re familiar with cryptography or not, standard libraries and guides exist to safeguard communication between the client and server. However, application developers will find it far more complex to find a solution that safeguards data stored on disk.
Transparent data encryption from EDB helps application developers and database administrators protect any user data stored in Postgres by encrypting it using AES. Since AES is widely used, most modern processors, such as those from Intel, have hardware offloading to accelerate the execution of AES encryption and decryption.
EDB performed TPROC-C (HammerDB) benchmarks with databases populated by 2,000 warehouses (~200GB of data) using EDB Postgres Advanced Server 15. The benchmark was executed against both a TDE-enabled database and a non-TDE database. On a test that ran for one hour with a 5-minute ramp-up time, the transaction rate of the TDE-enabled database was at most 7.3% lower than that of the non-TDE database, and that maximum gap appeared only with a high number of virtual users. The impact was even smaller when the CPU was not overloaded, i.e. with fewer virtual users per CPU.
Along with using standard encryption algorithms, EDB implemented a flexible key management design. If you’re deploying a database in the public cloud, you can integrate with the public cloud’s key management system (KMS), such as Microsoft Azure Key Vault, to secure the data files on disk. EDB has also developed a Key Management Interoperability Protocol (KMIP) client for enterprises to integrate with their existing KMIP servers, like Thales CipherTrust Manager.
With EDB’s Transparent Data Encryption solution for Postgres, no application changes or updated client drivers are needed. All user data is protected automatically, with no shadow copies of tables being copied from an encrypted tablespace to an unencrypted tablespace. And when your database backups go to another location with a new set of administrators and network rules, user data is still protected with AES encryption.
Not Having to Think Twice about Encryption
The attraction of TDE is clear. Developers, users, admins and applications can proceed without thinking twice about encryption. However, an encryption key is required to access the data, so proper management of those keys is essential.
As data security concerns rise among large businesses that have accelerated their cloud journey, especially those in financial services, data encryption needs to be a best practice. Now organizations can trust storing sensitive data in Postgres using de facto encryption standards and a well-established method in TDE to protect database information.
Learn more about Postgres’ powerful encryption capabilities in our 2023 white paper, “Security Best Practices for PostgreSQL.”