
Evaluating Data Encryption Solutions

A Comparison of Hardware-based vs. Software-based Alternatives

Table of Contents

Executive Summary
Centralized vs. Distributed Key Storage (page 1)
Distributed Key Storage and Software-based Encryption (page 1)
Centralized Key Storage with SafeNet DataSecure Platforms (page 1)
Administration and Access Control (page 2)
Implementation Options (page 2)
Scalability and Performance (page 2)
Cost of Ownership (page 3)
About SafeNet (page 3)

Executive Summary

Today, many organizations are evaluating or implementing solutions for encrypting data at rest, both as a means to combat data theft and to ensure compliance with a range of legislative and industry mandates. For encryption to adequately and cost-effectively address security gaps, organizations must manage their implementation in a way that is best suited to their specific infrastructure and security policies. One of the key decisions confronting organizations considering data-at-rest encryption is whether to deploy software-based products or hardware-based solutions such as SafeNet™ DataSecure™ Platforms. This document outlines the main differences between the two alternatives, offering information on such criteria as security, performance, and manageability.

Centralized vs. Distributed Key Storage

Distributed Key Storage and Software-based Encryption

Software-based encryption solutions use a distributed key storage mechanism: keys are stored on the application and database servers on which the data to be encrypted resides.

In the simplest case, where only one database server exists, key management is relatively simple. However, in an enterprise environment, where the application and database servers often number in the hundreds, it becomes increasingly difficult to manage the cryptographic keys residing on these servers. In addition, as the complexity of key management increases, the risk of failing to back up a key, or of losing a key, increases exponentially.

When organizations use software-based approaches to encrypt data that is stored on back-end servers and databases, the cryptographic keys are distributed in a decentralized fashion. This poses security vulnerabilities because database and application servers are often configured incorrectly and not kept up to date with the latest security patches, making them easy prey for cyber attackers outside the organization, and they are easily accessible to a number of internal employees who may not have proper security credentials. When cryptographic keys are stored on unsecured platforms, attackers can gain access to them very quickly because they are often stored in an easily readable plaintext format. And as more keys are stored on servers, it becomes even easier to locate and manipulate them.

Centralized Key Storage with SafeNet DataSecure Platforms

Companies have distributed networks, which makes management of the keys, and of the security policies behind those keys, the most important aspect of securing sensitive data. The SafeNet DataSecure Platform is a centralized key storage solution. All keys are created on, reside on, and never leave the SafeNet platform. This significantly simplifies management of key backup, restoration, and key rotation, since all keys are stored in one place. The DataSecure platform is capable of creating thousands of keys, including those for robust encryption algorithms such as RSA, 3DES, and AES, that can be used by multiple application or database servers.

Additionally, when an encryption key is “at rest” on the internal DataSecure disk, it is twice-encrypted for added security using several internal SafeNet keys designed for this purpose.
Customers can also choose a DataSecure Platform containing a FIPS 140-2 Level 3-compliant
hardware security module, which supports U.S. government requirements to ensure that the
storage media itself is extremely tamper resistant.

Administration and Access Control

The only way to access the DataSecure platform for administrative purposes is via a secure Web-management console, a command line interface over SSH, or a direct console connection. Again, unlike database and application servers, no one can “log on” to the SafeNet platform using a standard Windows log on, or UNIX shell.

Access to SafeNet platforms is restricted to SafeNet utilities and commands designed to manage and maintain the SafeNet appliance. The DataSecure appliance has been hardened for security: none of the TCP listeners and services typically found on application or database servers are present. Consequently, it is impossible to search for keys residing on the DataSecure platform.

For added security, the platform can be configured so that individual administrators are granted access only to the areas for which they are responsible. DataSecure offers over 20 access control lists (ACLs), which provide granular control over administrative functions. For example, one administrator might only be given access to network configuration functions, while another might only be given access to certificate management controls. This level of granular access control enables customers to control and closely monitor administration operations. All actions performed by users and administrators are logged for reporting purposes.

Implementation Options

Software-based encryption solutions generally provide one implementation option: deploying encryption at the database layer. While this alternative may make sense for certain organizations, many enterprises need to perform encryption elsewhere, sometimes due to infrastructure requirements or security objectives. With SafeNet, organizations can implement encryption at multiple tiers within the infrastructure, and a single appliance can be integrated with a number of Web servers, application servers, and databases. This affords enterprises a great deal of flexibility to adapt encryption to their specific performance, implementation, and security requirements. For example, an organization may choose to give an application server that resides in a relatively open, insecure portion of the network permission to make only encrypt requests, while a database residing in a more secure location would be able to make decryption calls.
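The encrypt-only versus decrypt permission split described above, modelled as an added example that is not SafeNet's code: a minimal in-process key server that generates an AES-256-GCM key it never hands out and checks each client's granted operations before servicing a request. The client names and the shape of the ACL map are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyServer models a centralized key store: the AES-256-GCM key is generated and used
// only here and never returned; each client may request only the operations it was granted.
type KeyServer struct {
	key  cipher.AEAD
	acls map[string]map[string]bool // client ID -> permitted ops: "encrypt", "decrypt"
}

// NewKeyServer generates the key inside the server and installs the per-client ACLs.
func NewKeyServer(acls map[string]map[string]bool) *KeyServer {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // no usable entropy: refuse to start rather than use a weak key
	}
	block, _ := aes.NewCipher(raw)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &KeyServer{key: aead, acls: acls}
}

// Encrypt returns nonce||ciphertext||tag to clients granted "encrypt".
func (s *KeyServer) Encrypt(client string, plaintext []byte) ([]byte, error) {
	if !s.acls[client]["encrypt"] {
		return nil, errors.New("encrypt not permitted for client " + client)
	}
	nonce := make([]byte, s.key.NonceSize()) // fresh random nonce per call
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.key.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt for clients granted "decrypt"; tampering fails the GCM tag check.
func (s *KeyServer) Decrypt(client string, blob []byte) ([]byte, error) {
	if !s.acls[client]["decrypt"] {
		return nil, errors.New("decrypt not permitted for client " + client)
	}
	n := s.key.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return s.key.Open(nil, blob[:n], blob[n:], nil)
}
```

An application server granted only "encrypt" can protect data it collects but cannot recover it, so a compromise of that host yields neither the key nor a decryption oracle.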

Scalability and Performance

Software-based cryptographic solutions do not scale because all cryptographic operations are performed on the application or database server’s CPU. This typically adds 10 to 25% to the existing load on a database server, and this solution is inherently flawed when you consider scalability: the customer must add application and database servers whenever a server’s load threshold is exceeded. This can significantly increase the cost of ownership when factoring in the cost of new hardware and software (operating system, database licenses, and encryption software).

On the other hand, the SafeNet solution offloads all cryptographic operations to the DataSecure server. This effectively removes any additional load from the customer’s servers and permits DataSecure to scale horizontally. That is, the customer can add as many SafeNet cryptographic servers as required by inserting another SafeNet appliance into the cluster. Performance can be increased as needed, and the customer can scale their database encryption as their organization and transaction rates grow. One DataSecure appliance can have many databases and/or application servers accessing it simultaneously for different cryptographic needs.

Cost of Ownership

As illustrated above, it is far more complex to manage keys, users, and security policies with a software-based encryption solution than with a centralized hardware offering. This complexity increases as software-based cryptographic solutions are deployed across a large number of application and database servers, and the problem is significantly magnified in an enterprise environment, where architectures are typically composed of hundreds of applications and many databases.

Although software-based encryption solutions typically require a smaller initial investment than a hardware-based solution, the IT costs of deploying and administering these software-based solutions in complex enterprise environments often make the long-term costs of these solutions prohibitive.

About SafeNet
In 2007, SafeNet was acquired by Vector Capital, a $2 billion private equity firm specializing in the
technology sector. Vector Capital acquired Aladdin in March of 2009, and placed it under
common management with SafeNet. Together, these leading global companies are the third
largest information security company in the world, which brings to market integrated solutions
required to solve customers’ increasing security challenges. SafeNet’s encryption technology
solutions protect communications, intellectual property and digital identities for enterprises and
government organizations. Aladdin’s software protection, licensing and authentication solutions
protect companies’ information assets and employees from piracy and fraud. Together, SafeNet
and Aladdin have more than 50 years of security expertise in more than 100 countries around
the world. Aladdin is expected to be fully integrated into SafeNet in the future. For more
information, visit www.safenet-inc.com or www.aladdin.com.

SafeNet
Corporate Headquarters
4690 Millennium Drive
Belcamp, MD 21017
Tel: +1 410 931 7500
Tel: 1 800 533 3958 - Sales
TTY Users: +1 800 735 2258
FAX: +1 410 931 7524
www.safenet-inc.com

©2009 SafeNet, Inc. All rights reserved. SafeNet and the SafeNet logo are registered trademarks of SafeNet, Inc. All
other product names are trademarks of their respective owners.
