RE: Encrypt data - SQL Server 2000

From: Harbar, Spencer (spencer.harbar_at_dns.co.uk)
Date: 01/21/04

  • Next message: Tod Beardsley: "Re: Local Account Vs Domain Account"
    Date: Wed, 21 Jan 2004 15:05:46 -0000
    To: <focus-ms@securityfocus.com>
    
    

    if you really want to do encryption on the app server (which I don't
    recommend - see my previous reply) look at http://www.aspencrypt.com/
    which is dead easy to use (even for ASP devs)

    s.

    -----Original Message-----
    From: andreas [mailto:andreas@san-andreas.com]
    Sent: 20 January 2004 21:39
    To: silkm@hushmail.com; kcasey@nanoweb.com; focus-ms@securityfocus.com
    Subject: RE: Encrypt data - SQL Server 2000

    True, but my SQL guys are my ASP programmers. While correct application
    of DB encryption would preclude the DBAs from mucking about in the data,
    they very well may be the ones implementing the technology.

    There are plenty of resources, Microsoft being one of them, but as to it
    being applicable, understandable or available that is a different story.
    Technet is of little help when trying to figure out how to employ EFS
    for database protection or even get an idea of the best practices for
    having a single encrypted table.

    Andreas

    -----Original Message-----
    From: silkm@hushmail.com [mailto:silkm@hushmail.com]
    Sent: Tuesday, January 20, 2004 4:27 PM
    To: kcasey@nanoweb.com; focus-ms@securityfocus.com;
    andreas@san-andreas.com
    Subject: RE: Encrypt data - SQL Server 2000

    Well the point here is the DBA's don't need to know anything about the
    encrypted data ... just have them create tables to hold it.

    You need to educate your programmers on how to encrypt it, and there are
    plenty of resources for that no matter what language you choose.

    -----Original Message-----
    From: andreas [mailto:andreas@san-andreas.com]
    Sent: Wednesday, 21 January 2004 1:19 AM
    To: 'Kevin E. Casey'; focus-ms@securityfocus.com
    Subject: RE: Encrypt data - SQL Server 2000

    Any good resources for researching/educating my DBAs? I have not had
    luck finding specific enough information on the subjects. My DB skills
    here are not as strong as I would like them to be, and not as strong as
    they will need to be in the future.

    Thanks!

    Andreas Barbiero
    CTO ETS/Financialcampus

    -----Original Message-----
    From: Kevin E. Casey [mailto:kcasey@nanoweb.com]
    Sent: Friday, January 16, 2004 12:01 PM
    To: focus-ms@securityfocus.com
    Subject: RE: Encrypt data - SQL Server 2000

    If you need to encrypt data in 3 columns and 3 columns only, your best
    bet is to do the encryption at the application (in its data tier) level.
    Using .NET (or other tools), gives you a good range/assortment of tools
    and encryption schemes to encrypt that confidential data. This keeps
    your DBAs from snooping around. Keeps backup copies safe from prying
    eyes and it also keeps the performance hit for en/decryption at the
    client (or web server level).
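
    Kevin's data-tier approach worked through as an added example (not code from any poster; written in Go rather than the thread's .NET, with a constructed Payroll table and a key that the application loads itself rather than storing in the database):

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ColumnCipher encrypts column values in the application's data tier, so the
// database, backups and DBAs only hold ciphertext; the key never lives in SQL.
type ColumnCipher struct{ aead cipher.AEAD }

func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key (AES-128/192/256)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead}, nil
}

// context is authenticated (not encrypted) with the value, binding the blob to
// one row and column: a Salary cell copied to another row refuses to decrypt.
func context(table, column string, rowID int64) []byte {
	return []byte(fmt.Sprintf("%s.%s#%d", table, column, rowID))
}

// Encrypt returns nonce||ciphertext||tag, which fits a VARBINARY column.
func (c *ColumnCipher) Encrypt(table, column string, rowID int64, value string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, []byte(value), context(table, column, rowID)), nil
}

// Decrypt fails on a wrong key, a modified blob, or a blob moved to another cell.
func (c *ColumnCipher) Decrypt(table, column string, rowID int64, blob []byte) (string, error) {
	n := c.aead.NonceSize()
	if len(blob) < n+c.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, blob[:n], blob[n:], context(table, column, rowID))
	return string(pt), err
}
```

    Because every value gets a fresh random nonce, equal salaries produce different blobs, so SQL Server cannot compare, sort or sum these columns; a warehouse has to do that after decryption in the data tier.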

     

    -----Original Message-----
    From: Nero, Nick [mailto:Nick.Nero@disney.com]
    Sent: Thursday, January 15, 2004 5:09 PM
    To: Eduardo.Ortiz@alderwoods.com; focus-ms@securityfocus.com
    Subject: RE: Encrypt data - SQL Server 2000

    Encrypting data on a database is tricky. If you must have table/row
    level encryption, then it is really tough to find a decent product and
    performance is abysmal. I recently authored a document that proposes
    using Microsoft's own EFS to encrypt the whole volume where the Database
    is. This solution was easy, performed great (about 5-25% hit on
    performance compared to 400% on DBCrypt) and best of all it is free. I
    would strongly recommend using Windows 2003 server for your SQL2k since
    its version of EFS uses AES at 256bit. Otherwise you need to hack the
    reg on Win2k to enable 3DES encryption. Either is not gonna get cracked
    by someone anytime soon.
    The beauty of this solution is that you encrypt the database with the SQL
    Service account so that only that account can read the data. That way
    even a local admin on the box cannot access the data. You could even
    boot to an NTFS boot disk and the data would be encrypted. This depends
    on proper key management (as all crypto plans do) so you have to ensure
    you use a domain account or roaming profile so the encryption key can
    not be exploited locally (see http://www.elcomsoft.com/aefsdr.html for
    more on this exploit) and domain recovery agent policy. Still we feel
    it delivers extremely secure databases, acceptable performance and zero
    cost.

    We tested several products and I believe DBEncrypt (or maybe DbCrypt)
    was one of them. They all were several thousand dollars per server (and
    that was for a license of over 100 servers), and would require massive
    hardware investments to compensate for the performance penalty. Like I
    said, if you must have row/table level encryption to protect against
    other DBAs then you are stuck. At that point I would say you should
    either limit who has SA access, or more strongly background check those
    that do cause that level of encryption will cost you far more. A DB on
    an encrypted drive with strong application level security (ie, custom
    views), would only be breakable at the app or by getting SA credentials.
    There are far easier targets out there.

    -----Original Message-----
    From: Eduardo.Ortiz@alderwoods.com [mailto:Eduardo.Ortiz@alderwoods.com]

    Sent: Thursday, January 15, 2004 1:02 PM
    To: focus-ms@securityfocus.com
    Subject: Encrypt data - SQL Server 2000

    Hello,

    We are implementing an Enterprise Data Warehouse. We already have data
    regarding different business processes. Now we need to include Payroll
    data in our SQL Server (2000) database. Business users have specific
    security requirements about this sensitive data. They want to secure the
    following information:
    * Annual employee salaries
    * Commissions
    * Wages
    This information is stored in two tables, in three different
    columns.
    We have already implemented a tight security schema for the server,
    database and user groups (active directory), but business users want
    more security.
    Now we are planning to encrypt the data (just these three
    columns) in the database. I did not find any function in SQL Server to
    encrypt data. I found a tool provided by Application Security Inc
    (http://www.appsecinc.com) called DbEncrypt. Have you guys heard or
    worked with this tool? Do you have any suggestion or recommendation to encrypt the
    data?

    Thanks,
    Eduardo Ortiz

