if I encrypt key data why do I want or need SSL?



Just curious why people freak out about not having SSL and/or having a SQL
Server port 1433 open.

If I do the following why do I care about SSL or port 1433?

1. 40 character passwords for all SQL accounts
2. any sensitive data written to the SQL server is encrypted (via one of
numerous encryption methods provided in .NET 2.0) in the database
3. any sensitive data sent over http is encrypted (via one of numerous
encryption methods provided in .NET 2.0)
4. the encryption key itself is encrypted and stored in a location that
would be hard to find even if someone had admin rights to the server and the
only DLL that can deal with the key is a signed assembly with a strong name
key file.
5. all cookie information that is sensitive is encrypted
6. all "user accounts" (data mining folks) only access data feeds
(databases) that do not contain sensitive data

I use SSL to communicate with external sources that require it, but they pay
for and maintain their certificates. I do provide split tunnel VPN solutions
for the more paranoid clients, but it seems to me that we've sorta gone
overboard on security (applied too many layers). I'm all for intelligent
security, but not for some of the wacky overkill blanket solutions I see out
there -- solutions that still have vulnerability from user accounts. The
folks that are hacking into CC data and the like are doing so because
company X had obvious open holes (easy to guess user account, using default
passwords, etc. etc.).

What it seems the end result is, companies that are paranoid, seeking
blanket solutions, but still vulnerable to simple password/userID hacking.

In the systems I design and build, even if a userID/password were hacked
(extremely unlikely with 40 character passwords on all accounts that are
meaningful) they would still be confronted with encrypted data which will be
completely useless to them. Even if they guessed the sa account password
and deleted the database that would be a hassle (aka gotta get an offsite
backup) but still NO sensitive data was compromised.

Rob
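An added illustration (example code, not part of Rob's post) of what field-level encryption over plain HTTP leaves to a passive observer, and what it does not do that TLS does: the request, cookie and key are constructed sample values, and the keystream cipher is a toy stand-in for the .NET encryption the post mentions.

```python
import hashlib
import hmac

# Constructed sample (not from the original post): a form POST over plain HTTP
# where the application encrypted only the 'ssn' field itself.
SAMPLE_REQUEST = (
    b"POST /account/update HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Cookie: ASP.NET_SessionId=k3j2h1g0f9e8d7c6\r\n\r\n"
    b"userId=rob&ssn=ENC:8f1c2ab4e9&action=save"
)

def observer_view(raw: bytes) -> dict:
    """What a passive observer on the path still reads when there is no TLS."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = dict(line.split(b": ", 1) for line in lines[1:])
    fields = {k.decode(): v.decode() for k, v in
              (kv.split(b"=", 1) for kv in body.split(b"&"))}
    return {
        "request_line": lines[0].decode(),
        "session_cookie": headers[b"Cookie"].decode(),  # bearer token, usable as-is
        "plain_fields": {k: v for k, v in fields.items() if not v.startswith("ENC:")},
        "encrypted_fields": [k for k, v in fields.items() if v.startswith("ENC:")],
    }

def _keystream(key: bytes, n: int) -> bytes:
    # Toy counter-mode keystream for illustration only; not a production cipher.
    return b"".join(hashlib.sha256(key + b"enc" + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt_only(key: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with keystream, nothing detects altered bytes."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

decrypt_only = encrypt_only  # XOR is its own inverse

def encrypt_then_mac(key: bytes, data: bytes) -> bytes:
    """Ciphertext plus HMAC tag: the integrity a TLS record layer would add."""
    ct = encrypt_only(key, data)
    return ct + hmac.new(key + b"mac", ct, hashlib.sha256).digest()

def decrypt_verified(key: bytes, blob: bytes):
    """Plaintext, or None when the tag shows the ciphertext was altered."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key + b"mac", ct, hashlib.sha256).digest()
    return decrypt_only(key, ct) if hmac.compare_digest(tag, expected) else None
```

The session cookie and the user id are readable regardless of how well the `ssn` field is encrypted, and a corrupted ciphertext decrypts silently to wrong data unless a tag is checked; the channel layer is what covers both.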
