TDE IN AN ALWAYSON AVAILABILITY GROUP

ADDING A TDE ENCRYPTED DB TO A SQL SERVER ALWAYSON AVAILABILITY GROUP


I’ve recommended against the use of Transparent Data Encryption (TDE) database container encryption (SQL Server & Oracle) in the past. Reference my blog or blog. TDE flat out provides no protection while the database is running, and we all strive for 24×365 uptime.  Given the option, any bad guy is going to steal your data through the front door rather than shut down your database and raise the ‘something is wrong’ alert. Of course, follow normal procedures for encrypting database backups that will be moved off-site, and destroying or wiping abandoned storage.

Adding a database to an existing availability group is another one of the hassles that TDE causes for the very little (or no) benefit it provides. Specifically with SQL Server 2014 and prior, one can not use the standard SQL Server Management Studio (SSMS) wizard to add a TDE encrypted database to an AlwaysOn Availability Group (AAG).

In my situation, I was lucky. We choose to encrypt the second database with the same key. The first database was in the AAG, and the AAG was functioning perfectly. The problem is the wizard had the second database greyed out… as if it was not a candidate for AAGs.

So, here’s what I did to add the TDE encrypted database. (Remember to test your interpretation of these instructions on a non-production AAG.)

  1. Insure that your first database is TDE encrypted, the AlwaysOn Availability Group is functioning (synchronizing) properly. This means that TDE keys have been placed on all nodes (ie replica/instances) of the AAG. 
  2. Insure that the current ‘primary’ node has been set to the same node as the node with the second database. (There is a ‘no data loss’ method of manually failing an AAG.)
  3. Insure the second database is TDE encrypted with the same key as the first database. As the first database is functioning in the AAG, the keys that exist on all the AAG nodes are the same keys that are needed for the second database.
  4. On primary node of the AAG…
    1. Insure the second database is using FULL recovery.
    2. Use the backup wizard to take a full backup of the second database
    3. Use the backup wizard to take a tlog backup of the second database
    4. Add the second database to the AAG with the following TSQL command… ALTER AVAILABILITY GROUP aag_name ADD DATABASE database_name;
  5. On each of the secondary nodes of the AAG…
    1. Use the restore wizard to restore the full backup taken of the second database. INSURE ‘NORECOVERY’ is specified.
    2. Use the restore tlog wizard to restore the tlog backup taken of the second database. INSURE ‘NORECOVERY’ is specified.
    3. Add/Join the second database to the AAG with the following TSQL command… ALTER DATABASE database_name SET HADR AVAILABILITY GROUP = aag_name; 
  6. Insure that the secondary nodes are synchronizing (after ‘refreshing’ in SSMS). Test a manual failover.

It’s far simpler to not have to deal with TDE in a AAG… It’s especially frustrating given that TDE offers no real security. (yea, the ‘dead horse’ thing!).

Keywords: Always On Availability Group, AlwaysOn Availability Group

Troy Frericks.
blog 01-Jun-2016
=
Copyright 2015-2016 by Troy Frericks, http://dba.frericks.us/.
#

CREDIT CARD TOKENIZATION, ENCRYPTION

INTRODUCTION
Both tokenization and end-to-end encryption can be combined to create a awesome credit card tokenization system. Sometimes enterprises wish to do less. Below, the risks the “encryption method” are described in the table. The table lists “attacks” in the first column (“Exploit”). Other columns are “encryption methods”, and are described below, for example “E2E” is “End to End Encryption”.

The table body contains information about the effectiveness of the “encryption method” in defending against the corresponding “attack”. The values used in the table are defined at the end of the table.

TABLE 1

Exploit vs Encryption, the specified encryption is sufficient to mitigate the exploit
Exploit Description E2E NE2E App DB Col DB Cont Disk
Spear Phishing Targeted emails that appear to be from another source, intent on obtaining PII. YES YES ? NO NO NO
Rogue Employee Developer, DBA, Customer Service, Director, etc that has special access, intent on obtaining PII. YES YES NO NO NO NO
Social Engineering Phone call, in person, other based on manuplation and deception, intent on obtaining PII. See Spear Phishing. YES YES ? NO NO NO
Unauth Priv Escalation Using a bug to obtain elevated OS or database access with the intent of obtaining PII. YES YES NO NO NO NO
SQL INJECTION Using insecure code to change the SQL code to function in a manner not intended by the application, with the intent of obtaining PII. YES YES ? ? NO NO
Cross Site Request Forgery, Cross Site Scripting A type of attack that occurs when a malicious website causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated, with the intent of obtaining PII. ? ? ? ? NO NO
Access To Database Backups An attacker is able to obtain database backups with the intent of obtaining PII. YES YES YES YES YES NO
Weak Authentication  An application service account or a system administrator’s access is breached due to having a weak password, with the intent of obtaining PII. YES YES ? ? NO NO
Exploitation of vulnerable/misconfigured databases A database bug is exploited, or a database configuration is incorrect and is exploited, with the intent of obtaining PII. YES YES YES NO NO NO
Communication protocol vulnerabilities Communication vulnerability is exploited with the intent of obtaining PII. (for example, a portion of the server memory can be returned, note heartbleed) YES ? NO NO NO NO
Other / Malware Many possibilities with the intent of obtaining PII, ie a bot, keystroke logger, etc. YES ? NO NO NO NO
Exploit Description E2E NE2E App DB Col DB Cont Disk

YES – The encryption method is designed to protect from the attack.
NO – The encryption method is NOT designed to protect from the attack.
? – The encryption method is NOT designed to protect from the attack, but actually may be effective. Its effectiveness is dependent on specific vulnerability and how the vulnerability is applied.
PII – Personally identifiable Information (ie, credit card numbers, cardholder names, addresses, etc)

CREDIT CARD PRIMER
A 16 digit credit card number (PAN / Primary Account Number) contains public data (known plaintext) and private data. The first set of six digits is considered public/known and contains the credit card type and the bank identifier. The last set of four digits (including the check digit) are commonly used as a reference to the card by the card owner, and thus, is also considered public/known. The middle set of six digits (digits 7-12) is considered private. All that to emphasize a basic rule of cryptology: one should not encrypt public/known data along with private data. Encrypt only the middle set of six digits.
Credit Card Number Reference

TABLE DETAILS (see above)

1. E2E (End-to-End Encryption)
The private portion of the credit card is encrypted using a public key in the web browser and the cyphertext sent along with the plaintext first six & the plaintext last four via a HTTP POST to the web server. The application receives cyphertext to add to the database. The private portion of the credit card is only decrypted using a private key by the credit card processor.

2. NE2E (Nearly End-to-End Encryption, ie, Encryption in the web browser via asymmetric keys, and decryption upon hardened egress)
The private portion of the credit card is encrypted using a public key in the web browser and the cyphertext sent along with the plaintext first six & the plaintext last four via a HTTP POST to the web server. The application receives cyphertext to add to the database. The private portion of the credit card is only decrypted, using a private key, on a hardened egress server prior to sending the plaintext credit card number to the credit card processor.

3. App (Encryption by Application)
The private portion of the credit card is encrypted once received by the application. The cyphertext is then sent to the database server. The private portion of the credit card is decrypted by the application which in turn sends the plaintext credit card number to the credit card processor.

4. DB Col (Database Columnar Encryption)
The private portion of the credit card is encrypted once received by the database (the application provides the data and a symmetric key). The private portion of the credit card is decrypted by the database when queried by the application (the application provides the key). The application then sends the plaintext credit card number to the credit card processor.

5. DB Cont (DB Container Encryption, ie, Transparent Database Encryption or DB Data At Rest Encryption
In a TDE system, plaintext versions of the private portion of the credit card are INSERTed or UPDATed. No key from the application is necessary. The application (or anyone with the proper access) can SELECT the plaintext version of the private portion of the credit card number without needing to provide a key. TDE encrypts database containers such that all backups are encrypted even if explicit backup encryption is not used. Also, if the containers are ever unmounted form the database, they would be unreadable. Tempdb containers are encrypted, but information in buffers is not encrypted. Note, database containers, being opened exclusively by the database engine, are never (or very, very rarely) attacked. Therefore, if proper backup encryption is used, TDE provides no (or very, very little) protection. See my 13-Nov-2015 BLOG post describing the hassles of TDE, and why I recommend it never be used. Use standard backup encryption and disk encryption instead.

Please comment below if you know of a published attack that was a result of reverse engineering database containers. Please provide a source as I’m very interested.

TDE Reference

6. Disk (Disk Encryption, ie, BitLocker)
Disk encryption encrypts the entire hard drive. This is protection mainly for notebook/portable computers that, once powered town, can not be booted (or the disk contents read), until a key (usually made available using the user’s password after a successful login). On a server, which is very rarely powered down, this would protect against the hard disk being discarded without being wiped.

DATABASE BACKUPS
Database backups should be encrypted by the standard backup utility. Do not rely on other encryption to protect backups.


KEY MANAGEMENT
Proper key management of the (private) key/s is required for any of the above encryption architectures to be effective. This usually means two or more people know a single key (in the case of multiple encryption architecture) or a single portion of the key (in the case of a single encryption architecture). Key Management is usually defined in the pertinent standard (ie, PCI), but Policy, Standards, & Procedures must be in place from the Corporate Information Security Steering Committee .

DATA IN TRANSIT
Data in transit should always be protected by a current TLS (formally SSL) architecture. This includes transmission internally, and between data centers (even over leased lines). Google recently discovered preying eyes on fibre optic communications between data centers and has since implemented full TLS encryption. Even though the Google breach involved government actors, a lone telecommunications technician would be capable of doing same.


HOW TO AVOID PCI & AVOID ENCRYPTION
First consider what it will do to your company’s reputation. Would you be be seen as a lessor competitor when you’re not willing to take on the security of credit cards? What about other data? If another company experiences a breach with your data, do you escape the reputation hit… after all, it is your data? Why would anyone come to you when you’re not willing to undertake the additional security required to handle credit cards, especially when they can go to your competitor that is marketing their world class data security.

If the reputation is not an issue, consider outsourcing the credit card tokenization functionality completely. Credit Card Tokenization Services are a dime a dozen. Companies like CyberSource will do that for you. Your company then would simply process tokens rather than credit cards. No encryption, no creation/maintenance of complex software, etc. No risk? Not. Just be sure you understand the risk when your data is involved.

When must you outsource? If your company does not have a Corporate Information Security Steering Committee (CISSC) with a clear executive level charter, outsource the credit card tokenization. Without such a committee empowered by an executive charter, it will be difficult to make the necessary decisions related to security.

SUMMARY
Careful analysis of the enterprise is required. Is reputation an issue? Is security an issue? If appropriate, outsource the credit card tokenization to a third party. If outsourcing is not an option, consider the best possible encryption architecture for which the organization is capable. End-to-End Encryption is considered the best architecture (see above table). Don’t forget key management, backup encryption. Follow the Policies, Standards, and Procedures provided by your CISSC!

Troy Frericks.
blog 20-Mar-2016
=
Copyright 2015-2016 by Troy Frericks, http://dba.frericks.us/.
#