Showing results for 
Search instead for 
Did you mean: 

Transparent Data Encryption for Database Workloads

Level 1

Databases and CRM systems are the key workloads that power businesses – and they are a popular attack target in this age of ransomware. The levels of protection for databases vary widely – from agent-based backups to dump-and-sweep methods. Enterprises have been implementing Transparent Data Encryption (TDE) for their critical DB workloads, especially SQL and Oracle, to protect this primary data copy. And IT managers are understandably concerned that turning on TDE might increase storage requirements and add complexity to data protection workflows.

We recently talked with a longtime customer who utilized dump-and-sweep methods to protect their Oracle database. They were concerned about the exposed attack surface before the backup application swept the database dump. Because ransomware could encrypt the backup files and hold them hostage before the sweep operation, the customer was exposed to unnecessary risk of an attack.  Additionally, the storage cost from sweeping encrypted databases had them concerned that the protection utilizing TDE was prohibitively expensive.  The backups of encrypted databases in their tests achieved 0% deduplication.

The solution for this customer was to move from dump-and-sweep to utilizing MSDP storage for their Oracle and MS-SQL backups. When enabled, the NetBackup stream handler for MS-SQL and Oracle is optimized to perform deduplication with TDE enabled databases.  These databases will not see any storage savings from compression (encrypted data does not compress), but they can achieve a level of deduplication rate similar to non-TDE backups.  

Check out the NetBackup Deduplication Guide for the Oracle and MSDP Stream Handler.

1 Comment
Level 3

This is quite interesting Matt, TDE Databases are becoming very common and this is a very good talk point from the competition perspective, do we have this reflecting on the NBU Appliance Sizing tool anywhere?