TDE Vs Column Level Encryption
So is column-level encryption or transparent data encryption the right solution for your systems? Both column-level encryption and transparent data encryption provide a means of obfuscating sensitive data to protect it from unauthorized access. However, they do so in different ways.
TDE prevents the unauthorized access of the contents of the DB files and backups, but does not protect sensitive data within the DB from being viewed by authorized users or DB administrators. Column-level encryption offers more granular control throughout the data being encrypted but is not transparent to your apps.
For some organizations, you might want to consider implementing both column-level encryption along with TDE for a DB. Although this combination is more difficult to set up and administer, it offers greater security and encryption granularity than does either method used alone. TDE protects the DB files and backups from unauthorized access, whereas column-level encryption protects sensitive data within the DB from being accessed by authorized users, including DBAs. Implementing TDE in conjunction with cell-level encryption offers a layered approach to data security, which enhances its effectiveness.
The main disadvantage to implementing column-level encryption is that it isn't transparent to the end-user apps. In addition to requiring changes to the DB schema, it also requires changes in the apps to comprise the proper function calls to encrypt and decrypt the data as it is stored and retrieved. Another issue with column-level encryption is that you can’t index encrypted columns, nor can you generate statistics on the encrypted columns. This can affect query performance because search arguments that reference encrypted columns can’t be optimized. For this reason, typically only the most sensitive columns of a table that do not need to be indexed are encrypted.
| Features/Limitations | Column-Level Encryption | Transparent Data Encryption |
|---|---|---|
| Data is encrypted on disk and backups | Yes | Yes |
| Supprts HSMs | Yes | Yes |
| Data level of encryption | Granular, at the column level | Encrypts the entire database only |
| User Level of encryption | Encrypted data can be restricted at the user level on a need-to-know basis | Any user with sufficient database permissions can view encrypted data |
| Impact on applications | Database applications need to be modified | Completely transparent to applications and end users |
| Indexing of encrypted data | Encrypted columns cannot be indexed | No restrictions on indexes |
| Performance impact | May be significant depending on the type of encryption key used | Small impact on performance (3-5%) |