﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>SQLServerCentral / Editorials / SQLServerCentral.com  / Regulators, Mount Up / Latest Posts</title><generator>InstantForum.NET v2.9.0</generator><description>SQLServerCentral</description><link>http://www.sqlservercentral.com/Forums/</link><webMaster>notifications@sqlservercentral.com</webMaster><lastBuildDate>Sat, 25 May 2013 16:38:48 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]Steve Jones - SSC Editor (11/29/2012)[/b][hr]Custom encryption should use industry standard algorithms. You can search for blowfish, AES, etc. or use the implementations that are built into Windows. As Miles noted, it's not that hard.  There's a whole namespace in .NET that works well: [url]http://msdn.microsoft.com/en-us/library/system.security.cryptography%28v=VS.71%29.aspx[/url] The hard part is key management. If you are going to do this in the app layer (and you can), be sure you protect those keys well. If they are easily decompiled from your app, you're not doing it right. They can be stored in the db layer, in which case most of the time you need a password to protect them, and that needs to be protected as well.[/quote]Thank you, Steve.</description><pubDate>Thu, 29 Nov 2012 15:24:27 GMT</pubDate><dc:creator>Rod at work</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]John Hanrahan (11/28/2012)[/b][hr]It has been 15 years since I have gotten a gov contract.  I suppose you are going to tell me it is really that bad.  :-D[/quote]Yes, it is that bad. 
The government bureaucracy and rules are almost mind-blowing; it has grown to elephantine proportions..:-D</description><pubDate>Thu, 29 Nov 2012 14:18:20 GMT</pubDate><dc:creator>TravisDBA</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>Custom encryption should use industry standard algorithms. You can search for blowfish, AES, etc. or use the implementations that are built into Windows. As Miles noted, it's not that hard.  There's a whole namespace in .NET that works well: [url]http://msdn.microsoft.com/en-us/library/system.security.cryptography%28v=VS.71%29.aspx[/url] The hard part is key management. If you are going to do this in the app layer (and you can), be sure you protect those keys well. If they are easily decompiled from your app, you're not doing it right. They can be stored in the db layer, in which case most of the time you need a password to protect them, and that needs to be protected as well.</description><pubDate>Thu, 29 Nov 2012 14:14:50 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]Miles Neale (11/29/2012)[/b][hr]I have no IPod, do not kick the old or take candy from babies, but I do encrypt data.  Not all data but that in the sensitive class of data.  It is not hard to do, it is easy to decrypt and salting with an appropriate key is not that hard either.  When needed it is done. Real simple.  The cost is not that much if you standardize on how the data is encrypted.  A developer can write a service to both encrypt and decrypt without a lot of pain.  And by passing a code you can do one of many types of encryption and/or hashing. Then once done you have the vehicle ready and all you need to do is standardize your approach and start using. 
Also, I appreciate your comment, Steve; just because you encrypt you are not immune to other hacks or attacks.  Believing that if you hash or encrypt you do not need other precautions is like believing that if you wear a hat your feet will not get wet. It is odd how we convince ourselves otherwise. M.[/quote]I hadn't considered the possibility of doing custom encryption/decryption. I know that SQL Server has a way of encrypting data, but it is a one-way encryption, unless I'm mistaken. Interesting thought, Miles, thank you.</description><pubDate>Thu, 29 Nov 2012 12:45:10 GMT</pubDate><dc:creator>Rod at work</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>I have no IPod, do not kick the old or take candy from babies, but I do encrypt data.  Not all data but that in the sensitive class of data.  It is not hard to do, it is easy to decrypt and salting with an appropriate key is not that hard either.  When needed it is done. Real simple.  The cost is not that much if you standardize on how the data is encrypted.  A developer can write a service to both encrypt and decrypt without a lot of pain.  And by passing a code you can do one of many types of encryption and/or hashing. Then once done you have the vehicle ready and all you need to do is standardize your approach and start using. Also, I appreciate your comment, Steve; just because you encrypt you are not immune to other hacks or attacks.  Believing that if you hash or encrypt you do not need other precautions is like believing that if you wear a hat your feet will not get wet. 
It is odd how we convince ourselves otherwise. M.</description><pubDate>Thu, 29 Nov 2012 09:28:24 GMT</pubDate><dc:creator>Miles Neale</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]Jeff Moden (11/28/2012)[/b][hr]I can't help moving furniture.  I'm old and it just happens every time I have a bout with gas. :-P[/quote]I know a story about a lady who was in a cafe reading a book and listening to music when she realised she needed to pass gas.  Not wanting the embarrassment of being caught and knowing the piece of music, she decided to wait for the crescendo before letting go a real knicker ripper. On seeing the shocked look on the other customers' faces she suddenly realised that she had been listening to her iPod.:w00t:</description><pubDate>Thu, 29 Nov 2012 08:50:46 GMT</pubDate><dc:creator>David.Poole</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>I worked for a stock trading firm pre-SOX and I thought it odd when the compliance officer opened mail addressed to me. Those were the easy days and since then I've been on the vendor side of public companies in banking and insurance. In this way I've had it easy with the exception of hosted servers in-house. One such client still allows xp_cmdshell. I know, I know, but it is important to note that while encryption and such is certainly important, it is equally important that nothing breaks through the "gates" to get the data. 
You can't place all the burden on a DBA. Everyone needs sixteen in the clip and one in the hole when it comes to security.</description><pubDate>Wed, 28 Nov 2012 16:41:05 GMT</pubDate><dc:creator>jfogel</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]David.Poole (11/28/2012)[/b][hr]It's amazing what happens if you wave the possibility of nuking old dead systems in front of a DBA.  Their wrinkles vanish, an unfamiliar expression (happy smile) crosses their face and they hit keys faster than a teenager in a Halo death match. I suspect I may have started something here![/quote]Uh huh.... right up till the point where we find that they're not actually going to nuke the legacy system and that the rewrite is going to be done by a known 3rd party that wrote the first shedload of hooey.  That's when you add the 4th band to your pork chop launcher. ;-)</description><pubDate>Wed, 28 Nov 2012 16:37:41 GMT</pubDate><dc:creator>Jeff Moden</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>It has been 15 years since I have gotten a gov contract.  I suppose you are going to tell me it is really that bad.  :-D</description><pubDate>Wed, 28 Nov 2012 16:37:29 GMT</pubDate><dc:creator>John Hanrahan</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]Michael Valentine Jones (11/28/2012)[/b][hr][quote][b]TravisDBA (11/28/2012)[/b][hr]It's not just unencrypted data that auditors ding you on nowadays. Wearing many hats at once and doing things outside your job description can definitely get you dinged as well. 
SarBox standards are very picky on this nowadays. For example, we had an IT guy once caught moving furniture around in his cube and the auditors jumped all over that with management and the man was reprimanded over it. Not in his job description, don't do it again. If you are a little shop you can still get away with a "Jack-of-all-trades" guy (I don't know for how long though), but that is no longer permitted at most larger shops or government agencies that fall under the strict auditing standards of today. Heck, the auditors dinged us for having our production clusters on the second node, left there after a failover!!!!! Picky, picky...:-D[/quote]My impression is that most "auditors" have no idea what they are doing, and just make things up like "no moving furniture if it isn't in your job description".[/quote]I can't help moving furniture.  I'm old and it just happens every time I have a bout with gas. :-P</description><pubDate>Wed, 28 Nov 2012 16:34:00 GMT</pubDate><dc:creator>Jeff Moden</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]David.Poole (11/28/2012)[/b][hr]Regulation is a cloud that can have a bright silver lining. Let's suppose that you have old systems ridden with tech debt and propped up by manual processes. Those powers that be are so used to the situation that the idea that the tech debt or the manual processes are a problem just doesn't register.  They are chasing the new shiny ball. All of a sudden regulation comes along and lifts up the rock and shines a bright light underneath it and reveals the suppurating horrors squirming underneath! Too many people have too much access to too much data, almost certainly meaning a failed regulatory audit. All of a sudden you have the impetus and support to fix a load of old problems and simplify the way your systems work.  
Do this well and not only will you pass regulatory inspection but you will also demonstrate the art of the possible, how good things could be if the prime focus was delivering something maintainable, scalable, flexible.[/quote]+1000 I just went through a post where the OP (a DBA) was feeling a bit hog-tied because the company required even him to do "change controls" for most things.  I told him to revel in the process and that they hopefully have a ticketing system where he can enter what he does.  It's a rare opportunity for his chain of command to actually find out what the hell a DBA does all day and to be able to "brag" about it without seeming like a "brown noser". For those of you reeling from the idea, it takes only a minute or two to open a ticket, get permission to proceed, and close the ticket, leaving a trail of undissolvable breadcrumbs that will come in mighty handy at review time. ;-)</description><pubDate>Wed, 28 Nov 2012 16:31:43 GMT</pubDate><dc:creator>Jeff Moden</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]John Hanrahan (11/28/2012)[/b][hr]I have been through several SOX audits and have never heard of that.  I would have said stick it, see the job description says "and other duties as required" which I think is in every single job description I have seen for years.  The whole point of SOX is to document what you do and how you do it and make sure everyone knows (including shareholders and regulators).  It has always seemed overblown to me.  
Next they'll say you can't get up to get water to quench your thirst because you have to operate the water fountain.[/quote]Have you ever worked for the government lately?</description><pubDate>Wed, 28 Nov 2012 16:16:04 GMT</pubDate><dc:creator>TravisDBA</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]TravisDBA (11/28/2012)[/b][hr]It's not just unencrypted data that auditors ding you on nowadays. Wearing many hats at once and doing things outside your job description can definitely get you dinged as well. SarBox standards are very picky on this nowadays. For example, we had an IT guy once caught moving furniture around in his cube and the auditors jumped all over that with management and the man was reprimanded over it. Not in his job description, don't do it again. If you are a little shop you can still get away with a "Jack-of-all-trades" guy (I don't know for how long though), but that is no longer permitted at most larger shops or government agencies that fall under the strict auditing standards of today. Heck, the auditors dinged us for having our production clusters on the second node, left there after a failover!!!!! Picky, picky...:-D[/quote]My impression is that most "auditors" have no idea what they are doing, and just make things up like "no moving furniture if it isn't in your job description".</description><pubDate>Wed, 28 Nov 2012 15:36:03 GMT</pubDate><dc:creator>Michael Valentine Jones</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>I have been through several SOX audits and have never heard of that.  I would have said stick it, see the job description says "and other duties as required" which I think is in every single job description I have seen for years.  
The whole point of SOX is to document what you do and how you do it and make sure everyone knows (including shareholders and regulators).  It has always seemed overblown to me.  Next they'll say you can't get up to get water to quench your thirst because you have to operate the water fountain.</description><pubDate>Wed, 28 Nov 2012 15:20:54 GMT</pubDate><dc:creator>John Hanrahan</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>It's not just unencrypted data that auditors ding you on nowadays. Wearing many hats at once and doing things outside your job description can definitely get you dinged as well. SarBox standards are very picky on this nowadays. For example, we had an IT guy once caught moving furniture around in his cube and the auditors jumped all over that with management and the man was reprimanded over it. Not in his job description, don't do it again. If you are a little shop you can still get away with a "Jack-of-all-trades" guy (I don't know for how long though), but that is no longer permitted at most larger shops or government agencies that fall under the strict auditing standards of today. Heck, the auditors dinged us for having our production clusters on the second node, left there after a failover!!!!! Picky, picky...:-D</description><pubDate>Wed, 28 Nov 2012 10:54:03 GMT</pubDate><dc:creator>TravisDBA</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>One note on encryption. I heard a discussion from some devs and architects that were under the impression that encryption would prevent SQL injection issues. 
Not likely to happen, so be sure that good coding practices are still being followed.</description><pubDate>Wed, 28 Nov 2012 09:55:31 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>It's amazing what happens if you wave the possibility of nuking old dead systems in front of a DBA.  Their wrinkles vanish, an unfamiliar expression (happy smile) crosses their face and they hit keys faster than a teenager in a Halo death match. I suspect I may have started something here!</description><pubDate>Wed, 28 Nov 2012 09:17:19 GMT</pubDate><dc:creator>David.Poole</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>So, the topic of data encryption comes up every day in my daily duties. More so than earlier in my travels when folks were oblivious to what was stored in the data layer or cared about how it was stored, just who and what systems had access to "the data".  I'm now delighted to hear business units actively address secure data access AND encrypted data. One of the most surprising dialogs was between a VP of Marketing (whose interest was in mining customer data), a 3rd party resource (who was designing the middleware) and architects actually PLANNING to improve the data hardware to compensate for the overhead needed to encrypt data, as well as designating what data elements needed to be encrypted. How does this help me as the DBA in these instances? 
It's an excellent step towards ensuring that whatever measures we take to secure the data are understood and done with a suitable level of transparency that everyone in the project is comfortable with, and that's a good thing. I'm only saying this to say that increased awareness and implementation of encryption, albeit a bit more work, is an excellent topic well worth the resources spent. By the by, kudos for the song references. Still don't think this album got the recognition it deserves; may throw it on the playlist-of-the-day just because...</description><pubDate>Wed, 28 Nov 2012 08:46:59 GMT</pubDate><dc:creator>Big Slim</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>What is it exactly that has anyone thinking I don't care about data security? I quoted a line from the song that made up the title of the editorial and nothing more. Next I guess it will be that not only could I care less about security, I kick puppies and steal from the elderly.</description><pubDate>Wed, 28 Nov 2012 08:25:26 GMT</pubDate><dc:creator>jfogel</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]jcrawf02 (11/28/2012)[/b][hr]Then I suggest you find alternate employment. This is a big deal to people whose data you handle.[/quote] I can enthusiastically agree with jcrawf02 here on these concerns. I've had my data exposed by people who really didn't care that much and I don't like it one bit. I'm sure accidents happen, mistakes are made, but any emphasis toward security here made by anybody gets my vote. Security should be part of the job of anybody who works in information technology, and not relegated to a few select specialties. 
I've heard all too many times that securing this or that is "not my job."</description><pubDate>Wed, 28 Nov 2012 08:02:25 GMT</pubDate><dc:creator>patrickmcginnis59</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>Yes, it's "my bad music" because I chose the title to the article. You aren't doing well this morning on this one, so I suggest you let it go.</description><pubDate>Wed, 28 Nov 2012 06:38:44 GMT</pubDate><dc:creator>jfogel</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]jfogel (11/28/2012)[/b][hr]Hey dummy, look it up. It's part of the song.[/quote]I apologize for taking your statement as a statement, rather than being hip to your bad music. Carry on.</description><pubDate>Wed, 28 Nov 2012 06:32:08 GMT</pubDate><dc:creator>jcrawf02</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>Hey dummy, look it up. It's part of the song.</description><pubDate>Wed, 28 Nov 2012 06:27:05 GMT</pubDate><dc:creator>jfogel</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>[quote][b]jfogel (11/28/2012)[/b][hr]If you know like I know you don't wanna step to this.[/quote]Then I suggest you find alternate employment. This is a big deal to people whose data you handle. Steve, thank you for spelling HIPAA correctly, four times no less! 
(it's the little things) Some people can't even get it right on their resumes...</description><pubDate>Wed, 28 Nov 2012 06:10:56 GMT</pubDate><dc:creator>jcrawf02</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>If you know like I know you don't wanna step to this.</description><pubDate>Wed, 28 Nov 2012 05:26:33 GMT</pubDate><dc:creator>jfogel</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>@David: Wow, nice inspiring post on what I thought was a fairly turgid topic. I feel more motivated to get on with my day's battle against the systems already. I guess you are saying to look for the opportunity in everything - and you know what, you're right; otherwise this job ends up just being a pile of crud.</description><pubDate>Wed, 28 Nov 2012 02:14:43 GMT</pubDate><dc:creator>call.copse</dc:creator></item><item><title>RE: Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>Regulation is a cloud that can have a bright silver lining. Let's suppose that you have old systems ridden with tech debt and propped up by manual processes. Those powers that be are so used to the situation that the idea that the tech debt or the manual processes are a problem just doesn't register.  They are chasing the new shiny ball. All of a sudden regulation comes along and lifts up the rock and shines a bright light underneath it and reveals the suppurating horrors squirming underneath! Too many people have too much access to too much data, almost certainly meaning a failed regulatory audit. All of a sudden you have the impetus and support to fix a load of old problems and simplify the way your systems work.  
Do this well and not only will you pass regulatory inspection but you will also demonstrate the art of the possible, how good things could be if the prime focus was delivering something maintainable, scalable, flexible.</description><pubDate>Wed, 28 Nov 2012 01:27:17 GMT</pubDate><dc:creator>David.Poole</dc:creator></item><item><title>Regulators, Mount Up</title><link>http://www.sqlservercentral.com/Forums/Topic1389554-263-1.aspx</link><description>Comments posted to this topic are about the item [B]&lt;A HREF="/articles/Editorial/95262/"&gt;Regulators, Mount Up&lt;/A&gt;[/B]</description><pubDate>Wed, 28 Nov 2012 01:15:05 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item></channel></rss>