adfa, p. 1, 2013. © Springer-Verlag Berlin Heidelberg 2013 A Specific Encryption Solution for Data Warehouses Ricardo Jorge Santos 1 , Deolinda Rasteiro 2 , Jorge Bernardino 3 and Marco Vieira 4 1, 4 CISUC – FCTUC – University of Coimbra – 3030-290 Coimbra – Portugal 2 DFM – ISEC – Polytechnic Institute of Coimbra – 3030-190 Coimbra – Portugal 3 CISUC – ISEC – Polytechnic Institute of Coimbra – 3030-190 Coimbra – Portugal lionsoftware.ricardo@gmail.com, dml@isec.pt, jorge@isec.pt, mvieira@dei.uc.pt Abstract. Protecting Data Warehouses (DWs) is critical, because they store the secrets of the business. Although published research and best practice guides state encryption is the best way to assure the confidentiality of sensitive data and maintain high performance, this adds overheads that jeopardize their feasi- bility in DWs. In this paper, we propose a Specific Encryption Solution tailored for DWs (SES-DW), using a numerical cipher with variable mixes of eXclusive Or (XOR) and modulo (division remainder) operators. Data storage overhead is avoided by preserving each encrypted column’s datatype, while transparent SQL rewriting is used to avoid I/O and network bandwidth bottlenecks by dis- carding data roundtrips for encryption and decryption purposes. The experimen- tal evaluation using the TPC-H benchmark and a real-world sales DW with Oracle 11g and Microsoft SQL Server 2008 shows that SES-DW achieves bet- ter response time in both inserting and querying, than standard and state-of-the- art encryption algorithms such as AES, 3DES, OPES and Salsa20, while pro- viding considerable security strength. Keywords: Encryption, Confidentiality, Security, Data Warehousing. 1 Introduction Data Warehouses (DWs) store extremely sensitive information used for producing business knowledge and aiding decision support. Unauthorized disclosure is therefore, a critical security issue. To avoid this, encryption is widely used. However, although most encryption solutions provide high security strength, they also introduce very high performance overheads, as shown in [16]. Since decision support queries usually access huge amounts of data (ranging from few MegaBytes to many TeraBytes), re- sulting in substantial response time (usually from minutes to hours) [12], the overhead introduced by using encryption may be unfeasible for DW environments if they are too slow to be considered acceptable in practice [13]. Thus, encryption solutions built for DWs must balance security and performance tradeoff requirements, i.e., they must ensure strong security while keeping database performance acceptable [13, 16]. As the number and complexity of “data-mix” encryption rounds increase, their se- curity strength often improves while performance degrades, and vice-versa. Balancing performance with security in real-world DW scenarios is a complex issue which de- pends on the requirements and context of each particular environment. Most current encryption algorithms are not suitable for DWs, because they have been designed as a general-purpose “one fits all” security solution. This introduces a need for specific solutions for DWs capable of producing better security-performance tradeoffs.