A database is a collection of stored data that is logically related and that is accessible by one or more users or applications. A popular type of database is the relational database management system (RDBMS), which includes relational tables, also referred to as relations, made up of rows and columns (also referred to as tuples and attributes). Each row represents an occurrence of an entity defined by a table, with an entity being a person, place, thing, or other object about which the table contains information.
To prevent the compromise of sensitive information (credit card numbers, social security numbers, etc.) when stored in databases, industry standards and security/privacy regulations often mandate the use of encryption. Such standards and laws include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and others.
Encryption is the process of translating data (clear text) into a form that is not interpretable (cipher text) should the data be compromised. This translation is done using strong cryptographic algorithms in conjunction with secret keys. The correct secret key is required to reverse the translation such that the original data can be interpreted.
Protection of the secret keys is critical to the security of the encrypted data. As such, key management best practices call for secure generation of keys, secure storage of keys, secure distribution of keys, restricted access to keys, and periodic key rotation.
Key rotation is generally defined as a process for replacement of a cryptographic key and includes the process of decrypting data with the original cryptographic key and subsequent re-encryption of the data with the new cryptographic key. Key rotation is often used when there is some indication that a key has been compromised. However, some regulations (such as PCI DSS) simply mandate periodic changing of keys “as deemed necessary.”
Most database encryption solutions provide for key rotation and generally include utilities to perform the decryption/re-encryption operations. Some implementations require that the database be offline during the key rotation process. In all cases, however, the key rotation process tends to be very CPU intensive and disruptive of normal query processing. This is particularly true if the amount of encrypted data is large, as is common for many data warehouse implementations. Further, unavailability of the data during the key rotation process may adversely affect applications involving tactical queries that are common for many active data warehouse implementations.
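The conventional rotation described above, as an added example that is not part of the original text: every encrypted value is decrypted with the original key and re-encrypted with the new one, so the cost grows with the amount of encrypted data. The `customers` table, the `card` column, the function names and the standard-library stand-in cipher are all assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

# Stand-in authenticated cipher so the example runs on the standard library
# alone (assumption: production code would use a vetted AEAD such as AES-GCM).
def _stream(key, nonce, n):
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)

def _tag(key, data):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), data, hashlib.sha256).digest()

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + _tag(key, nonce + body)

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + body)):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def rotate_key(conn, old_key, new_key):
    """Decrypt every row with old_key, re-encrypt with new_key.
    One transaction: any failure rolls back, leaving all rows under old_key."""
    with conn:  # commits on success, rolls back on exception
        rows = conn.execute("SELECT id, card FROM customers").fetchall()
        for row_id, blob in rows:
            conn.execute("UPDATE customers SET card = ? WHERE id = ?",
                         (encrypt(new_key, decrypt(old_key, blob)), row_id))
    return len(rows)

def demo():
    old_key, new_key = os.urandom(32), os.urandom(32)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, card BLOB)")
    cards = [b"4111111111111111", b"5555555555554444"]  # constructed test values
    with conn:
        conn.executemany("INSERT INTO customers (card) VALUES (?)",
                         [(encrypt(old_key, c),) for c in cards])
    rotated = rotate_key(conn, old_key, new_key)
    stored = [r[0] for r in conn.execute("SELECT card FROM customers ORDER BY id")]
    return rotated, [decrypt(new_key, b) for b in stored], stored, old_key

if __name__ == "__main__":
    print(demo()[:2])
```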