jasona.work - Wednesday, July 26, 2017 11:28 AM
Thanks for the replies!
Before anyone twigs, this is a system that needs to be PCI DSS compliant. TDE was suggested by one of our DBAs (I'm a developer) as an option, but I am not sure whether this will tick all the boxes all the way.
In regards to the staging database, I could potentially lock it down to only SA and a required service account(s). The Staging database is simply that - I need to get the data into SQL Server somehow and this would be the first point. Other processes would then consume and convert the data. The plan was to drop all tables in the staging database as soon as the data has been loaded further downstream. TDE was to be implemented purely if there is a failure or a delay, and to tick a box for the auditors that says "at rest"... I would dearly love to implement Always Encrypted between the BCP process out of Sybase and the SQL Server database, but I am not sure whether that is at all possible (this is where I drop in some rubbish about ASE being 5 versions behind SQL Server 😉 )
In regards to the ODS, from the way I understand it, TDE would cover off "encrypted", but as rightly stated above, the data would still be freely available to those who can log in and have access to the tables, whether they need it or not, which most certainly doesn't tick any boxes at all. I am wondering whether applying dynamic data masking to restricted fields to all users would cover that off? Or do I need to go down the path of applying Column Encryption WITH dynamic data masking?
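The distinction the post is circling (TDE and masking versus column encryption) is easiest to see in T-SQL. The script below is an added example, not code from the original poster or the thread; the table, user, certificate and key names (dbo.Cardholder, ReportingUser, PaymentsService, PanCert, PanKey) are assumptions and the card number is constructed test data. It uses cell-level encryption with a server-held key rather than Always Encrypted, because Always Encrypted performs the encryption in the client driver and cannot be shown in T-SQL alone.

```sql
-- Added example (not from the original post). Assumed names: dbo.Cardholder,
-- ReportingUser, PaymentsService, PanCert, PanKey. The PAN is constructed test data.

-- 1. Dynamic data masking: the stored value is unchanged; only the result set is
--    masked for principals that do not hold the UNMASK permission.
CREATE TABLE dbo.Cardholder (
    CardholderId INT IDENTITY(1,1) PRIMARY KEY,
    PAN          VARCHAR(19) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    Email        VARCHAR(100) MASKED WITH (FUNCTION = 'email()') NULL
);

INSERT INTO dbo.Cardholder (PAN, Email)
VALUES ('4111111111111111', 'test@example.com');   -- constructed test card number

CREATE USER ReportingUser WITHOUT LOGIN;
GRANT SELECT ON dbo.Cardholder TO ReportingUser;

EXECUTE AS USER = 'ReportingUser';
SELECT PAN, Email FROM dbo.Cardholder;   -- PAN is returned as XXXX-XXXX-XXXX-1111
REVERT;

-- Anyone granted UNMASK (and db_owner / sysadmin) reads the plaintext, so masking
-- governs presentation of a query result, not who can possess the data.
-- GRANT UNMASK TO ReportingUser;

-- 2. Cell-level encryption: the stored bytes are ciphertext. Reading them requires
--    the symmetric key to be opened in the session, which needs VIEW DEFINITION on
--    the key and CONTROL on the certificate. SELECT on the table is not enough.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';
CREATE CERTIFICATE PanCert WITH SUBJECT = 'PAN column encryption';
CREATE SYMMETRIC KEY PanKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE PanCert;

ALTER TABLE dbo.Cardholder ADD PAN_Enc VARBINARY(256) NULL;

OPEN SYMMETRIC KEY PanKey DECRYPTION BY CERTIFICATE PanCert;
UPDATE dbo.Cardholder
SET PAN_Enc = ENCRYPTBYKEY(KEY_GUID('PanKey'), PAN);
CLOSE SYMMETRIC KEY PanKey;

-- After migration the plaintext column can be dropped so only ciphertext is at rest:
-- ALTER TABLE dbo.Cardholder DROP COLUMN PAN;

-- Only the service principal that needs plaintext is granted the key material:
-- CREATE USER PaymentsService WITHOUT LOGIN;
-- GRANT VIEW DEFINITION ON SYMMETRIC KEY::PanKey TO PaymentsService;
-- GRANT CONTROL ON CERTIFICATE::PanCert TO PaymentsService;
OPEN SYMMETRIC KEY PanKey DECRYPTION BY CERTIFICATE PanCert;
SELECT CardholderId,
       CONVERT(VARCHAR(19), DECRYPTBYKEY(PAN_Enc)) AS PAN_Plain
FROM dbo.Cardholder;
CLOSE SYMMETRIC KEY PanKey;

-- ReportingUser has SELECT on the table but no rights on PanKey or PanCert,
-- so the column is ciphertext to it regardless of masking:
EXECUTE AS USER = 'ReportingUser';
SELECT CardholderId, PAN_Enc FROM dbo.Cardholder;
REVERT;
```

The two halves answer the two questions in the post separately. Masking alone leaves the plaintext in the table for any principal with SELECT and UNMASK, so it addresses "what a report shows" rather than "who can read the field"; column encryption with the key granted only to the consuming service is what changes the latter. Masking can still be layered on top of a decrypted view for reporting users, but it does not substitute for the encryption step.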