Transparent Data Encryption

I can't agree with the comment in the explanation about protection for filestream data when the rest of the data is protected by TDE mandated by regulation. TDE is designed for media protection (someone steals your backup backups or even the hard discs containing the database and he still can't see the data unless he also manages to obtain your keys (or the certificate protecting the database key in the database boot record, if the media stolen includes the disc holding that record)). If regulation requires that sort of protection for particular data, then the regulations won't be satisfied by holding that data unencrypted but protected by operating system or database user access permissions, since those don't protect data on the physical media that the attacker is supposed to have obtained. Regulatory regimes are different for sifferent sorts of data in different places, but the correct reaction to the inapplicability of TDE to filestream data when regulations do require data security to be preserved when physical level media access is compromised is to find and use some other mechanism to encrypt that data (remembering that data used for recovery must be encrypted as well as the actual data, so dealing with logfiles will be a real pain); trying to work around it with some protection that plainly does not satisfy the regulations is not sensible.

Tom

Paul White SSC Guru Points: 150467 More actions · Answer 7

I quite like the fact the answer wasn't 'maybe' (a.k.a "it depends").

Paul White
SQLPerformance.com
SQLkiwi blog
@SQL_Kiwi

Britt Cluff SSCertifiable Points: 5083 More actions · Answer 8

Good question. Thanks for submitting.

http://brittcluff.blogspot.com/

Hardy21 SSCrazy Eights Points: 9708 More actions · Answer 9

Hardy21

SSCrazy Eights

Points: 9708

May 30, 2012 at 3:01 am

#1494505

Easy one..

Thanks