Database Encryption? Also - who should have access DB utilities?

Encrypting internal databases is frequently just not practical or even feasible.

How many different individuals, groups, and departments can access the same data? Different data? Different crossovers? In your situation all data may be at a 1:1 ratio, lucky you push for encryption, this however is highly unlikely. Database encryption is most useful when used in web applications, to prevent a compromise of the database from disclosing client information in an unacceptable manner.

Although it is true that you could develop an DB interface application which contains all the keys and uses different passphrases to grant different types of access... this new application had better be developed really well or it will be a huge hole granting even more access than most flavors of DB compromise.

To answer your second question... only users that require access to specific DB utilities in order to do their job should be granted access to those utilities. Additionally users with greater privileges should receive more secure computing education.

cheers,

catch

catch - great thanks for the information!

also -

Quote:

---

To answer your second question... only users that require access to specific DB utilities in order to do their job should be granted access to those utilities. Additionally users with greater privileges should receive more secure computing education.

---

Ok - that sounds logical - have you run into any good tools to test the databases in general? So far - I have not found anything worthwhile - but then again - I am new to auditing DBs. Also - is there a tool that would work against various DB platforms (e.g., Sybase, Oracle, MS-SQL, etc.)? Or would any testing be more process driven; like what I have been thus far?

all - after reading your responses, it seems that I should not 'ding' DBS for not encrypting their data - I however may make a written observation that will include the wisdom I have gleaned here. Additionally - I need to follow up with Legal to find out about any local legislation this area needs to comply with - so far nothing.

thanks again everyone!

If your running MS-SQL, i can safely assume your running an Active Directory Environment, in that case, implement IPSEC, its cross platform and provides encryption (kerberos can be used) and authentication (well, Active Directory atleast)....

This method will stop hackers from packet sniffing the information, however, as stated before, this is only protecting against another revenue of attack, more layers maybe needed....