RE: Encrypt data - SQL Server 2000
silkm_at_hushmail.com
Date: 01/20/04
- Previous message: Michael Silk: "RE: Encrypt data - SQL Server 2000"
- Maybe in reply to: Eduardo.Ortiz_at_alderwoods.com: "Encrypt data - SQL Server 2000"
- Next in thread: andreas: "RE: Encrypt data - SQL Server 2000"
- Reply: andreas: "RE: Encrypt data - SQL Server 2000"
- Reply: Stacy Millions: "RE: Encrypt data - SQL Server 2000"
Date: Tue, 20 Jan 2004 13:27:00 -0800 To: kcasey@nanoweb.com, focus-ms@securityfocus.com, andreas@san-andreas.com
Well the point here is the DBAs don't need to know anything
about the encrypted data ... just have them create tables to
hold it.
You need to educate your programmers on how to encrypt it, and
there are plenty of resources for that no matter what language
you choose.
-----Original Message-----
From: andreas [mailto:andreas@san-andreas.com]
Sent: Wednesday, 21 January 2004 1:19 AM
To: 'Kevin E. Casey'; focus-ms@securityfocus.com
Subject: RE: Encrypt data - SQL Server 2000
Any good resources for researching/educating my DBAs? I have not had
luck finding specific enough information on the subjects. My DB skills
here are not as strong as I would like them to be, and not as strong as
they will need to be in the future.
Thanks!
Andreas Barbiero
CTO ETS/Financialcampus
-----Original Message-----
From: Kevin E. Casey [mailto:kcasey@nanoweb.com]
Sent: Friday, January 16, 2004 12:01 PM
To: focus-ms@securityfocus.com
Subject: RE: Encrypt data - SQL Server 2000
If you need to encrypt data in 3 columns and 3 columns only, your best
bet is to do the encryption at the application (in its data tier) level.
Using .NET (or other tools), gives you a good range/assortment of tools
and encryption schemes to encrypt that confidential data. This keeps
your DBAs from snooping around. Keeps backup copies safe from prying
eyes and it also keeps the performance hit for en/decryption at the
client (or web server level).
-----Original Message-----
From: Nero, Nick [mailto:Nick.Nero@disney.com]
Sent: Thursday, January 15, 2004 5:09 PM
To: Eduardo.Ortiz@alderwoods.com; focus-ms@securityfocus.com
Subject: RE: Encrypt data - SQL Server 2000
Encrypting data on a database is tricky. If you must have table/row
level encryption, then it is really tough to find a decent product and
performance is abysmal. I recently authored a document that proposes
using Microsoft's own EFS to encrypt the whole volume where the Database
is. This solution was easy, performed great (about 5-25% hit on
performance compared to 400% on DBCrypt) and best of all it is free. I
would strongly recommend using Windows 2003 server for your SQL2k since
its version of EFS uses AES at 256bit. Otherwise you need to hack the
reg on Win2k to enable 3DES encryption. Either is not gonna get cracked
by someone anytime soon. The beauty of this solution is that you encrypt
the database with the SQL Service account so that only that account can
read the data. That way even a local admin on the box cannot access the
data. You could even boot to a NTFS boot disk and the data would be
encrypted. This depends on proper key management (as all crypto plans
do) so you have to ensure you use a domain account or roaming profile so
the encryption key cannot be exploited locally (see
http://www.elcomsoft.com/aefsdr.html for more on this exploit) and
domain recovery agent policy. Still we feel it delivers extremely
secure databases, acceptable performance and zero cost.
We tested several products and I believe DBEncrypt (or maybe DbCrypt)
was one of them. They all were several thousand dollars per server (and
that was for a license of over 100 servers), and would require massive
hardware investments to compensate for the performance penalty. Like I
said, if you must have row/table level encryption to protect against
other DBAs then you are stuck. At that point I would say you should
either limit who has SA access, or more strongly background check those
that do cause that level of encryption will cost you far more. A DB on
an encrypted drive with strong application level security (ie, custom
views), would only be breakable at the app or by getting SA credentials.
There are far easier targets out there.
-----Original Message-----
From: Eduardo.Ortiz@alderwoods.com [mailto:Eduardo.Ortiz@alderwoods.com]
Sent: Thursday, January 15, 2004 1:02 PM
To: focus-ms@securityfocus.com
Subject: Encrypt data - SQL Server 2000
Hello,
We are implementing an Enterprise Data Warehouse. We already have data
regarding different business processes. Now we need to include Payroll
data in our SQL Server (2000) database. Business users have specific
security requirements about this sensitive data. They want to secure the
following information:
* Annual employee salaries
* Commissions
* Wages
This information is stored in two tables and are three different columns.
We have already implemented a tight security schema for the server,
database and user groups (active directory), but business users want
more security.
Now we are planning to encrypt the data (just these three
columns) in the database. I did not find any function in SQL Server to
encrypt data. I found a tool provided by Application Security Inc
(http://www.appsecinc.com) called DbEncrypt. Have you guys heard of or
worked with this tool? Do you have any suggestion or recommendation to
encrypt the data?
Thanks,
Eduardo Ortiz
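
The application-tier approach discussed in this thread (encrypt the three payroll columns before they reach SQL Server, so the database only stores opaque values), as an added example that is not part of the original messages. It assumes Node.js with AES-256-GCM; the table and column names, the sample row and the in-process key are constructed for illustration, and a real key would come from a store the DBAs cannot read.

```javascript
// Added example: data-tier encryption of three payroll columns (AES-256-GCM).
const { createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

// Assumption: generated here only so the example runs stand-alone.
const KEY = randomBytes(32);

// Bind each ciphertext to its table, column and row, so a value copied
// into another row or column fails authentication on decrypt.
function aad(table, column, rowId) {
  return Buffer.from(`${table}|${column}|${rowId}`, "utf8");
}

// Returns one opaque value for a binary column: nonce(12) || tag(16) || ciphertext.
function encryptField(key, table, column, rowId, plaintext) {
  const nonce = randomBytes(12); // fresh per value, never reused under one key
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(aad(table, column, rowId));
  const ct = Buffer.concat([cipher.update(String(plaintext), "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

function decryptField(key, table, column, rowId, blob) {
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(aad(table, column, rowId));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the row/column binding or the ciphertext is wrong
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString("utf8");
}

// Constructed sample row (hypothetical "payroll" table).
function demo() {
  const row = { id: 1001, annual_salary: "84000.00", commission: "3150.25", wages: "40.38" };
  const stored = {};
  for (const col of ["annual_salary", "commission", "wages"]) {
    stored[col] = encryptField(KEY, "payroll", col, row.id, row[col]);
  }
  const salary = decryptField(KEY, "payroll", "annual_salary", row.id, stored.annual_salary);
  let swapRejected = false;
  try {
    // Same bytes presented as if they belonged to another employee's row.
    decryptField(KEY, "payroll", "annual_salary", 1002, stored.annual_salary);
  } catch (e) {
    swapRejected = true;
  }
  return { salary, swapRejected, storedBytes: stored.annual_salary.length };
}
```

Backups and anyone with SA access see only the stored bytes; the trade-off is that the server can no longer sort, index or aggregate on these columns.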