author photo
By Rick Killpack
Wed | Jun 27, 2018 | 12:02 PM PDT

In today’s world of ever expanding security threat surfaces, most data services—whether on premises, co-located or as a SaaS service in the cloud—have embedded data security in some form of encryption or obfuscation method. For the majority of cases, the data security and encryption services are provided as a free feature with tight integration to the data service. Databases primarily have transparent data encryption (TDE) or similar functionality embedded into the database. Additionally, storage vendors deliver disk encryption capabilities, while cloud providers offer workload and/or disk encryption and even some SaaS providers provide column-level encryption services.

Data security considerations

All encryption services are not alike. As such, risk teams should look closely at the embedded data security services to ensure the features meet their needs. Below are a few critical questions to ask when evaluating your data security strategy.

Is the embedded data security solution comprehensive?

Many companies overlook the fact that sensitive data, including personally identifiable information (PII) data is contained in database activity logs, application logs, configuration files, etc. Most embedded encryption services do not address the supporting database files.  In addition, customers oftentimes backup their data into less expensive storage options. You need to ensure that the backup system leverages sufficient encryption services or your sensitive data could become extremely vulnerable.

Are external attack vectors covered with embedded security services?

Many embedded encryption services focus on internal attack vectors but don’t really address external vectors. For instance, a full disk encryption (FDE) service will protect against someone stealing a physical or virtual drive. However, if the file system is mounted in the protected environment, all operating system (OS) privileged users will be able to access the files.  This means that if the OS privileged user is malicious, forced to hand over data—like subpoenas—or compromised, your confidential data is exposed. Other solutions use TDE to protect against internal users (users who can log into the application and/or database) but do not protect against external OS level users. This partial coverage is not sufficient enough for complete protection.

Do you have full control of the keys used to encrypt the service?

The data encryption key (DEK) or Key Encryption Key (KEK)—which is also known as the master key—is often generated and stored with the data. In many cases, you do not have full control of the key as because it is automatically generated and does not support per user, per service key lifecycle management. It is critical that you maintain full control of your key from a generation, renewal, archive, deletion, usage visibility, backup and storage. If you do not have this control, the encryption service brings little value to your security mandates.

Thales focuses on maximizing your control as you consume native security services

Thales eSecurity believes that there is a lot of value to using embedded security services is significantly valuable. However, as stated above, it is critical crucial that you implement a data security platform that will augment native services to provide a comprehensive data security framework. The data security platform should integrate with all native databases, storage solutions and cloud services. It also should address all data types and file systems at the file and application layers. Finally, a comprehensive enterprise key management service is imperative to maintain and govern all keys used to secure data. For more information about Thales eSecurity data security platform, please visit:

Data security tools require strong data security services

A good data security strategy should include a mature data security process that understands where confidential data is stored, created and managed. It is important that continuous monitoring of secure data assets is implemented with efficient incident management, change control and risk assessment processes. To address this, Thales partners with global system integrators, such as Accenture, to ensure that the right data security tools augment your organizations processes and services. For more information about Thales eSecurity partners, please visit: