Thursday, March 26, 2009

How Much Customer Demand Does the SDS Team Need to Get Encryption in SDS V1?

Update 3/26/2009: Reply from Microsoft’s Dave Robinson

I posted this question in the SQL Data Services (SDS) - Getting Started forum:

The SQL Data Services team answered my “Will SDS support Database Encryption, certificate and key management?” question on March 12, 2009 with the following statement: “Database encryption? Not initially, but it’s on the list and as we have demonstrated – if there is sufficient customer demand, it will be one of the first things we add after v1.” (http://blogs.msdn.com/ssds/archive/2009/03/12/9471765.aspx.)

Encryption, preferably Transparent Data Encryption, is critical for any organization handling Personally Identifiable data (PII). PCI, HIPAA, and Calif. Senate Bill 1386 require PII to be stored encrypted. I expect more legislation and regulation in this area in 2009/2010.

Client-side encryption/decryption is a pain and generates severe performance penalties. Salting required by AES encryption requires adding columns of HMAC (hashed plaintext) values to enable WHERE encryptedcolumn = 'HMACvalue' equality searches. Range searches aren't possible with column-based encryption.

I’ll update this post when a team member replies.
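The HMAC search column described in the forum question above, sketched as an added example that is not part of the original post or of SDS. The table and column names, keys and account numbers are constructed, and `seal`/`unseal` are a stand-in for AES with a random IV (an HMAC-SHA256 keystream) so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
import sqlite3

ENC_KEY = bytes.fromhex("11" * 32)    # constructed demo keys; a real client
INDEX_KEY = bytes.fromhex("22" * 32)  # loads them from its key store

def _keystream(nonce, length):
    blocks = (hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(plaintext):
    # Stand-in for AES with a random IV (assumption, stdlib has no AES): a fresh
    # nonce per call makes equal plaintexts produce different ciphertexts.
    data, nonce = plaintext.encode(), os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))

def unseal(blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()

def blind_index(plaintext):
    # Deterministic keyed hash stored beside the ciphertext for equality lookups.
    return hmac.new(INDEX_KEY, plaintext.encode(), hashlib.sha256).hexdigest()

def build_table(values):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (acct_enc BLOB, acct_hmac TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [(seal(v), blind_index(v)) for v in values])
    return db

def find_equal(db, value):
    rows = db.execute("SELECT acct_enc FROM accounts WHERE acct_hmac = ?",
                      (blind_index(value),)).fetchall()
    return [unseal(r[0]) for r in rows]

def find_by_ciphertext(db, value):
    # Re-encrypting the search term never matches the stored row.
    return db.execute("SELECT COUNT(*) FROM accounts WHERE acct_enc = ?",
                      (seal(value),)).fetchone()[0]

def index_preserves_order(values):
    # A range predicate on acct_hmac would need this to be True.
    return sorted(values, key=blind_index) == sorted(values)

SAMPLE = [str(n) for n in range(1000, 1020)]  # constructed account numbers
```

`find_equal` is the `WHERE encryptedcolumn = 'HMACvalue'` lookup from the question; `index_preserves_order` shows why a `BETWEEN` on the same column cannot stand in for a range search on the plaintext.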


Dave Robinson replied as follows a couple of hours after I posted the preceding question:

Roger,

Required customer demand for a certain feature is relative. When we speak to customers we typically solicit feedback regarding certain features and encryption is one of them. We do understand the encryption requirements set forth by certain policies and mandates. We also understand the pain and performance issues with performing client side encryption. We are paying close attention to customer requests for encryption, and postings such as this one are extremely valuable and don't fall on deaf ears.

Thanks for the feedback and I have placed a check mark next to your name in the "Wants Encryption" column.

-Dave

Dave’s reply was encouraging but wasn’t an answer.
