Cryptography in the Database

Book Review


Cryptography in the Database
by Kevin Kenan
2005 Addison-Wesley


Every now and then you see a question similar to this: “How can I hide my data from my DBA?” And most often an answer goes something like this: “You cannot stop a DBA from reading your data. Why would you want to? If you cannot trust your DBA, you have more than the reading of data to worry about. If you really want to do this, encrypt your data in your front-end and then store the encrypted data in the database. But remember, database encryption alone is weak.”

Data security is still a neglected topic — at least when it comes to security behind the firewalls and intrusion detection systems, internal to a company. A spectacular news story about someone hacking into a system generates far more media attention; news about “internal hackers” rarely reaches the public or the media. The internal attacker has an advantage because he is already inside the outer wall: he already has access to the network and knows its topology. The database administrator is in an especially privileged position here. Not only does he already have access to all the data in the database, but he is also in a position to cover his tracks. Cryptography can help to minimize this risk, but database cryptography alone is not enough. To achieve maximum security one needs to implement a complete cryptographic infrastructure.
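As an added illustration of the advice in the two paragraphs above (this is not code from the book or from this review), the following Go program encrypts a sensitive column in the application tier before it is written, so that what reaches the database, and therefore the DBA, is ciphertext only. The book's own examples use Java and MySQL; here the table is a constructed in-memory map standing in for the database, and the key, the row values and the binding of the row ID into the ciphertext are assumptions made for this example. Binding the row ID as associated data goes one step beyond the text: a ciphertext that a DBA copies from one row into another fails to decrypt instead of silently yielding someone else's data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// Row is the shape of what lands in the database. Only the sensitive
// column is ciphertext; the key never leaves the application tier.
type Row struct {
	ID     int
	Name   string // non-sensitive, stored in clear
	Secret []byte // sensitive column: nonce || AES-GCM ciphertext+tag
}

// Table is a constructed stand-in for a database table; a real deployment
// would write the same Row values through database/sql to MySQL.
type Table map[int]Row

// aad is the associated data bound into each ciphertext: the row ID.
// A blob moved to a different row (possible without the key) then fails
// authentication on decrypt. This binding is an assumption of the example.
func aad(rowID int) []byte {
	return []byte(fmt.Sprintf("row:%d", rowID))
}

// EncryptField seals plaintext with AES-256-GCM under key for the given row.
func EncryptField(key []byte, rowID int, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to nonce, so the stored blob is nonce || ciphertext+tag.
	return gcm.Seal(nonce, nonce, plaintext, aad(rowID)), nil
}

// DecryptField reverses EncryptField; a changed blob, wrong key or wrong
// row binding produces an error rather than garbage plaintext.
func DecryptField(key []byte, rowID int, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad(rowID))
}

// Insert is the application-tier write path: encrypt first, then store.
func Insert(t Table, key []byte, id int, name, secret string) error {
	ct, err := EncryptField(key, id, []byte(secret))
	if err != nil {
		return err
	}
	t[id] = Row{ID: id, Name: name, Secret: ct}
	return nil
}

// Read is the application-tier read path: fetch, then decrypt.
func Read(t Table, key []byte, id int) (string, error) {
	row, ok := t[id]
	if !ok {
		return "", fmt.Errorf("no row %d", id)
	}
	pt, err := DecryptField(key, id, row.Secret)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DBAView renders a row as someone with SELECT on the table sees it:
// the clear column, and the hex of the stored blob for the encrypted one.
func DBAView(t Table, id int) string {
	row := t[id]
	return fmt.Sprintf("id=%d name=%q secret=0x%s", row.ID, row.Name, hex.EncodeToString(row.Secret))
}

func main() {
	// Constructed 256-bit key. In practice it lives in a key manager or HSM
	// reachable only from the application tier, never in the database.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	db := Table{}
	if err := Insert(db, key, 1, "alice", "123-45-6789"); err != nil {
		panic(err)
	}
	fmt.Println("DBA sees:         ", DBAView(db, 1))
	pt, err := Read(db, key, 1)
	fmt.Println("application reads:", pt, err)

	// A DBA without the key copies row 1's blob into row 2; decrypt refuses it.
	db[2] = Row{ID: 2, Name: "bob", Secret: db[1].Secret}
	_, err = Read(db, key, 2)
	fmt.Println("moved ciphertext: ", err)
}
```

The review's caveat still applies to this program: it is only as safe as the place the key lives. If the key sits in the database, or in a configuration file the DBA can read, the encryption protects nothing; the key management around code like this is the "complete cryptographic infrastructure" the book is about.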

That, in short, is the summary of this book, in which the author designs and implements a cryptographic infrastructure. But does he give enough ideas to implement such an infrastructure in one’s own IT system, or to judge the usefulness of third-party products for one’s own needs?

The author leads Symantec’s IT application and database security program, which is in charge of security for all of Symantec’s internal systems. The examples in the book use MySQL as the database system and Java as the programming language, but they should be easily translatable to other database systems and languages. The complete source code of his cryptographic project is available online and can be downloaded from the publisher’s Web site.

This book is worth reading for people who work on projects or in environments where security is the top priority — whether as systems architects, systems analysts, developers, or even risk managers. The only prerequisite is that the reader should already have at least a basic knowledge of cryptography.
