RE: Encrypt data - SQL Server 2000

From: John West (jwest_at_transcendence.net)
Date: 01/21/04

  • Next message: Mr. Momotaro: "RE: Encrypt data - SQL Server 2000"
    To: focus-ms@securityfocus.com
    Date: 21 Jan 2004 17:57:27 -0500
    
    
    

    I recently met with a company called Ingrian Networks that have an
    appliance that does this sort of thing. It is geared toward Java, but
    the .NET API is supposed to be published "real soon now". They're at
    http://www.ingrian.com/.

    Does anyone have any experience with their product? Right now, I've
    only seen it on paper. I'm considering getting the product in for an
    eval, however.

    How often does this sort of problem come up? As a consultant, this has
    never been a pressing issue for any of the clients I've worked with. Is
    there a set of vertical markets where this is more common? Are all the
    solutions less-than-stellar?

    Thanks

    --John

    > -----Original Message-----
    > From: Kevin E. Casey [mailto:kcasey@nanoweb.com]
    > Sent: Friday, January 16, 2004 12:01 PM
    > To: focus-ms@securityfocus.com
    > Subject: RE: Encrypt data - SQL Server 2000
    >
    > If you need to encrypt data in 3 columns and 3 columns only, your best bet
    > is to do the encryption at the application (in its data tier) level.
    > Using .NET (or other tools), gives you a good range/assortment of tools and
    > encryption schemes to encrypt that confidential data. This keeps your DBAs
    > from snooping around. Keeps backup copies safe from prying eyes and it also
    > keeps the performance hit for en/decryption at the client (or web server
    > level).
    >
    >
    >
    >
    > -----Original Message-----
    > From: Nero, Nick [mailto:Nick.Nero@disney.com]
    > Sent: Thursday, January 15, 2004 5:09 PM
    > To: Eduardo.Ortiz@alderwoods.com; focus-ms@securityfocus.com
    > Subject: RE: Encrypt data - SQL Server 2000
    >
    > Encrypting data on a database is tricky. If you must have table/row level
    > encryption, then it is really tough to find a decent product and performance
    > is abysmal. I recently authored a document that proposes using Microsoft's
    > own EFS to encrypt the whole volume where the Database is. This solution
    > was easy, performed great (about 5-25% hit on performance compared to 400%
    > on DBCrypt) and best of all it is free. I would strongly recommend using
    > Windows 2003 server for your SQL2k since its version of EFS uses AES at
    > 256bit. Otherwise you need to hack the reg on Win2k to enable 3DES
    > encryption. Either is not gonna get cracked by someone anytime soon. The
    > beauty of this solution is that you encrypt the database with the SQL
    > Service account so that only that account can read the data. That way even
    > a local admin on the box cannot access the data. You could even boot to a
    > NTFS boot disk and the data would be encrypted. This depends on proper key
    > management (as all crypto plans do) so you have to ensure you use a domain
    > account or roaming profile so the encryption key can not be exploited
    > locally (see http://www.elcomsoft.com/aefsdr.html for more on this exploit)
    > and domain recovery agent policy. Still we feel it delivers extremely
    > secure databases, acceptable performance and zero cost.
    >
    > We tested several products and I believe DBEncrypt (or maybe DbCrypt) was
    > one of them. They all were several thousand dollars per server (and that
    > was for a license of over 100 servers), and would require massive hardware
    > investments to compensate for the performance penalty. Like I said, if you
    > must have row/table level encryption to protect against other DBA's then you
    > are stuck. At that point I would say you should either limit who has SA
    > access, or more strongly background check those that do cause that level of
    > encryption will cost you far more. A DB on an encrypted drive with strong
    > application level security (ie, custom views), would only be breakable at
    > the app or by getting SA credentials.
    > There are far easier targets out there.
    >
    > -----Original Message-----
    > From: Eduardo.Ortiz@alderwoods.com [mailto:Eduardo.Ortiz@alderwoods.com]
    >
    > Sent: Thursday, January 15, 2004 1:02 PM
    > To: focus-ms@securityfocus.com
    > Subject: Encrypt data - SQL Server 2000
    >
    > Hello,
    >
    > We are implementing an Enterprise Data Warehouse. We already have data
    > regarding different business processes. Now we need to include Payroll data in
    > our SQL Server (2000) database. Business users have specific security
    > requirements about this sensitive data. They want to secure the following
    > information:
    > * Annual employee salaries
    > * Commissions
    > * Wages
    > This information is stored in two tables and are three different columns.
    > We have already implemented a tight security schema for the server, database
    > and user groups (active directory), but business users want more security.
    > Now we are planning to encrypt the data (just these three
    > columns) in the database. I did not find any function in SQL Server to
    > encrypt data. I found a tool provided by Application Security Inc
    > (http://www.appsecinc.com) called DbEncrypt. Have you guys heard of or worked
    > with this tool? Do you have any suggestion or recommendation to encrypt the data?
    >
    > Thanks,
    > Eduardo Ortiz

    -- 
    John West              jwest@transcendence.net
    -><- 'tis an ill wind that blows no minds -><-
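
The application-tier column encryption suggested in the quoted reply above, as an added example (not code from anyone in this thread). It assumes .NET 8 or later and uses AES-GCM as the chosen scheme; the table name, column name, row ids and the randomly generated key are hypothetical. Binding each value to its table, column and row means a ciphertext copied into another row fails to decrypt.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class PayrollFieldCrypto
{
    const int NonceLen = 12, TagLen = 16;

    // Associated data ties a ciphertext to one table/column/row, so a blob
    // copied into another row or column fails authentication on read.
    static byte[] Aad(string table, string column, int rowId) =>
        Encoding.UTF8.GetBytes($"{table}|{column}|{rowId}");

    // Returns nonce || tag || ciphertext, suitable for a varbinary column.
    public static byte[] Encrypt(byte[] key, string table, string column, int rowId, decimal value)
    {
        byte[] plain = Encoding.UTF8.GetBytes(value.ToString(CultureInfo.InvariantCulture));
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen); // fresh per value
        byte[] cipher = new byte[plain.Length], tag = new byte[TagLen];
        using var aes = new AesGcm(key, TagLen);
        aes.Encrypt(nonce, plain, cipher, tag, Aad(table, column, rowId));
        byte[] blob = new byte[NonceLen + TagLen + cipher.Length];
        nonce.CopyTo(blob, 0);
        tag.CopyTo(blob, NonceLen);
        cipher.CopyTo(blob, NonceLen + TagLen);
        return blob;
    }

    // Throws CryptographicException if the blob was altered or moved.
    public static decimal Decrypt(byte[] key, string table, string column, int rowId, byte[] blob)
    {
        byte[] plain = new byte[blob.Length - NonceLen - TagLen];
        using var aes = new AesGcm(key, TagLen);
        aes.Decrypt(blob.AsSpan(0, NonceLen), blob.AsSpan(NonceLen + TagLen),
                    blob.AsSpan(NonceLen, TagLen), plain, Aad(table, column, rowId));
        return decimal.Parse(Encoding.UTF8.GetString(plain), CultureInfo.InvariantCulture);
    }

    static void Main()
    {
        // Constructed sample: hypothetical names; a real key lives in a store the DBAs cannot read.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        byte[] stored = Encrypt(key, "Payroll", "AnnualSalary", 1001, 85000.00m);
        Console.WriteLine(Decrypt(key, "Payroll", "AnnualSalary", 1001, stored));
        try { Decrypt(key, "Payroll", "AnnualSalary", 1002, stored); }
        catch (CryptographicException) { Console.WriteLine("row 1002: rejected"); }
    }
}
```

Encrypted columns can no longer be summed, sorted or range-queried inside SQL Server, so for a data warehouse any aggregation over these values has to happen in the application after decryption.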
    
    


