These days, it's not a question of 'if' a database will be breached, but rather 'when.'
If data is only protected with at-rest encryption, the encryption key is likely stored in the database alongside the protected data. If the database is breached, anyone can decrypt the data with the key, rendering the encryption moot.
Client-side + Server-side Protection
A combination of E3Kit's end-to-end encryption and PureKit's password-hardening + post-compromise data protection ensures that encrypted data is separated from any keys that could be used to convert it back to plaintext.
With end-to-end encryption, data is locked on the client side and all keys are stored by the client as well. An attacker will only see scrambled jibberish stored in the database, without any way to decrypt it.
PureKit offers password security that is resistant against brute force attacks and does not require users to change their passwords even if your database is breached. It can also be used to protect sensitive data like PHI or PIFI stored in the database.
With PureKit, the passwords and data are transformed so that they can only be accessed when the password itself is entered correctly and a remote crypto server then unlocks the password and/or protected data. The service provider never sees the password, and therefore the system can only be compromised by an attacker successfully breaching the service provider and the remote crypto server simultaneously.
This provides post-compromise protection, because even if there is unauthorized database access, the passwords and protected data will not be accessible.
Transparent Data Encryption (TDE) protects you from stealing database files but is useless if someone gets access to a live instance by stealing credits or via SQL injection.
Together these products overcome TDE flaws and allow companies to build secure infrastructures - online and offline.
Get started today at https://developer.virgilsecurity.com/docs/use-cases.