We have a database hosted by SQL Azure, and accessed via a REST service that itself is accessible only via https. We wonder though whether we should encrypt all or part of the database in case it was to be accessed by a hacker (we are not a prime target, but students will know of the system). The Azure database is set up with firewall rules to allow only a few systems access.
Would encrypting add anything meaningful? Would it just be security theatre? Or is database encryption best-practice regardless.
Your REST API is going to be the weak link here, especially if you have the SQL Azure firewall locked down (and you can even lock it down to the point that only Windows Azure Compute instances may access it).
SQL Azure has no built-in encryption mechanism, so you’d need to perform this step in your data access layer (or directly in the REST API implementation methods). Same goes for decryption. So… as @Bart pointed out: if someone breaches security on your REST API, they’re going to have access to unencrypted data (related to the credentials used during the breach).
Regarding general database encryption practices: If you encrypt/decrypt in the cloud, then at some point, data at rest is unencrypted (which is critical when thinking about PII).