
Thread: Database Encryption? Also - who should have access DB utilities?

  #11 (Banned; joined May 2003; 1,004 posts)
    Encrypting internal databases is frequently just not practical or even feasible.

    How many different individuals, groups, and departments can access the same data? Different data? Different crossovers? In your situation all data may be at a 1:1 ratio; lucky you, push for encryption. This, however, is highly unlikely. Database encryption is most useful when used in web applications, to prevent a compromise of the database from disclosing client information in an unacceptable manner.

    Although it is true that you could develop a DB interface application which contains all the keys and uses different passphrases to grant different types of access... this new application had better be developed really well, or it will be a huge hole granting even more access than most flavors of DB compromise.

    To answer your second question... only users that require access to specific DB utilities in order to do their job should be granted access to those utilities. Additionally users with greater privileges should receive more secure computing education.

    cheers,

    catch
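The design catch describes above (keys held in an interface application, with the database itself holding only ciphertext, so that a compromise of the database does not disclose client data) can be illustrated with a small, self-contained Python 3 program. This is an added example and not code from the thread or any poster; the application key, the `clients` table and the two client rows are constructed for the demonstration, and the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is a standard-library-only stand-in for a vetted AEAD such as AES-GCM, which is what a real interface application should use.

```python
"""Application-level field encryption: the database stores only ciphertext,
the key lives in the application tier, and a raw dump of the table reveals
nothing useful. Constructed demo; see the lead-in for what is assumed."""
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key. A real deployment loads the key from a KMS/HSM or
# vault at startup and never stores it alongside the data.
APP_KEY = hashlib.sha256(b"demo-app-key-not-for-production").digest()

# Constructed sample client rows (fake names and identifiers).
CLIENTS = [("Alice Example", "123-45-6789"), ("Bob Sample", "987-65-4321")]

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one application key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise on tampering or a wrong key."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field authentication failed (tampered or wrong key)")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def build_demo_db(key: bytes) -> sqlite3.Connection:
    """In-memory table whose sensitive column is encrypted by the application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB)")
    for name, ssn in CLIENTS:
        conn.execute(
            "INSERT INTO clients (name, ssn) VALUES (?, ?)",
            (name, encrypt_field(key, ssn.encode())),
        )
    conn.commit()
    return conn


def dump_raw(conn: sqlite3.Connection) -> list:
    """What someone holding the database file (but not the app key) can read."""
    rows = conn.execute("SELECT name, ssn FROM clients ORDER BY id")
    return [(name, bytes(ssn)) for name, ssn in rows]


def read_via_app(conn: sqlite3.Connection, key: bytes) -> list:
    """The interface application holds the key and decrypts for authorised callers."""
    rows = conn.execute("SELECT name, ssn FROM clients ORDER BY id")
    return [(name, decrypt_field(key, bytes(ssn)).decode()) for name, ssn in rows]


if __name__ == "__main__":
    db = build_demo_db(APP_KEY)
    print("raw dump:", dump_raw(db))
    print("via app :", read_via_app(db, APP_KEY))
```

Running the script shows the `ssn` column as opaque bytes in the raw dump and as the original values only through `read_via_app`. The separation catch warns about is visible in the code: every caller of `decrypt_field` is a path through the interface application, so the authorisation logic in that application (who may call it, for which rows) is exactly the surface that has to be built carefully.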

  #12 (Senior Member; joined Jan 2005; 100 posts)
    catch - great thanks for the information!

    also -

    To answer your second question... only users that require access to specific DB utilities in order to do their job should be granted access to those utilities. Additionally users with greater privileges should receive more secure computing education.
    Ok - that sounds logical - have you run into any good tools to test the databases in general? So far - I have not found anything worthwhile - but then again - I am new to auditing DBs. Also - is there a tool that would work against various DB platforms (e.g., Sybase, Oracle, MS-SQL, etc.)? Or would any testing be more process driven, like what I have been doing thus far?

    all - after reading your responses, it seems that I should not 'ding' DBS for not encrypting their data - I, however, may make a written observation that will include the wisdom I have gleaned here. Additionally - I need to follow up with Legal to find out about any local legislation this area needs to comply with - so far nothing.

    thanks again everyone!
    "An ant may well destroy a whole dam." - Chinese Proverb
    "Not only can water float a craft, it can sink it also." - Chinese Proverb

  #13 (Senior Member; joined Jan 2005; 128 posts)
    If you're running MS-SQL, I can safely assume you're running an Active Directory environment; in that case, implement IPsec. It's cross-platform and provides encryption (Kerberos can be used) and authentication (well, Active Directory at least)....

    This method will stop hackers from packet sniffing the information; however, as stated before, this is only protecting against another avenue of attack, and more layers may be needed....
    If You've Done Something Right, People Won't Know You've Done Anything At All - God (Futurama)
