This blog title may seem a little odd at first. Then again today's news is rife with stories about data breaches, therefore on second thought it's not as odd a title as you may have initially thought. So when is your data actually safe? Since almost all data these days is held in some database somewhere, the real question is when is the data within that database safe?
In the good old days (for those of us old enough to remember them or at least not so old as to have forgotten), company databases were as safe as a castle behind a moat with possibly the singular drawbridge of dial-in modem access. Generally that access was to a centrally controlled server that simply allowed employees with their existing corporate data access credentials to get access to the same databases as they could onsite from their desks. In general the drawbridge was up and safe - with oversight by guards in the ramparts and towers. An occasional rogue would break in and do limited damage. Generally that damage was limited due to the slow speed of modem communications. Anyone remember 300 baud?
Nowdays though we are in a bold new world where literally there are billions of devices with internet based access to literally every point on earth. Even top secret government sites have internet access as the world we work in is so distrubuted that lone sites doing all the work on a project is a thing of the past. So now our castle is more like a Swiss cheese with mice on all sides - and hungry mice at that. But to compete and sometimes just to function that is the world we live in. So database security is now more paramount than ever before.
Not long ago the only time data was in jeopardy was generally when it was placed into motion by an application (refer back to my blog on The Physics of Data for additional detail). So data thieves would look for ways to hack or trick application code to obtain illegitimate access to otherwise protected data. However these days even data at rest sitting on disk is open to attack. Imagine a criminal simply downloading a database file or copying it onto a flash disk. Once back at their lairs they don't need the applications - they have the raw data itself which is the real asset.
At first disk drive and storage vendors added the ability to encrypt the data when written to the actual magnetic media itself. And for a time that additional layer of security was sufficient. But soon hackers learned how to overcome this protection, often because it was based upon rather simple, static encryption techniques. Hence these days many database vendors now offer the ability to natively encrypt data they write to storage using many different and dynamic techniques to offer yet an additional level of protection. Some database vendors charge for this capability, some do not. Today's database administrators should be utilizing such data protection no matter what. The costs these days are too great not too.