Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase 123»»»

Secure Storage Expand / Collapse
Author
Message
Posted Tuesday, April 28, 2009 10:59 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Today @ 12:34 PM
Points: 31,181, Visits: 15,626
Comments posted to this topic are about the item Secure Storage






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #706472
Posted Tuesday, April 28, 2009 11:20 PM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Tuesday, August 2, 2011 8:13 AM
Points: 19, Visits: 146
I believe the guidance is to store the key export and the password in different locations and to store both on site and off site.

How about storing the export in VARBINARY(MAX) in TDE encrypted database that has only DBA access? and then store the password in an an encrypted column, perhaps on a another SQL Instance. This would be relatively easy to automate.

This is how I had planned to implement key backup automation in SQLClue. The TDE database is easy to implement (in fact I saw an email from Connect telling me some bothersome 'nuances' of TDE are fixed in 10.5)

Finally, since many shops run two+ data centers, they could peer to peer replicate between data centers on an SSL or Server self-Certificate encrypted wire. But even without the replication, the backups of the TDE database and the encrypted column could go off site in the normal tape rotation to satisfy the requirement.

A little work to set up - not bad - but should be painless once running.


Bill Wunder
Post #706477
Posted Wednesday, April 29, 2009 6:20 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Thursday, April 10, 2014 6:27 AM
Points: 18, Visits: 280
For me to memorize password, keys or anything important is next to impossible, for I am dyslexic, which also grants me the ability to process and handle algorithm fast than normal. So for me it’s about an algorithm that forms the key (or password). In my home network all passwords are something like
{Computer Name}’s {common word} #{(Month + 5) mod 12}
and are changed monthly automatically. This allow long and hard to break passwords and keys can be generated in the same fashion, But then keeping the algorithm a secret is the problem. So this is more of a method for compressing keys and passwords.
Post #706714
Posted Wednesday, April 29, 2009 7:07 AM
Right there with Babe

Right there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with Babe

Group: General Forum Members
Last Login: 2 days ago @ 11:42 AM
Points: 755, Visits: 1,927
alas, real security is a pain in the rump.

One possible solution is to store the keylist history in an encrypted file, with that key only available to the few (never ONE) adminstrative individuals necessary.

The encrypted key list should be kept both on and offsite

I would not recommend a shared (partial) key system, in a disaster situation all the principals may not be available.


...

-- FORTRAN manual for Xerox Computers --
Post #706770
Posted Wednesday, April 29, 2009 8:47 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Thursday, April 17, 2014 2:45 PM
Points: 24, Visits: 81
My company has created an in-house application that we use to manage passwords, keys and access to them.
all data is stored in SQL tables and is encrypted by the application.
The application records all actions taken including creation, deletion, editing, access, granting access, etc to an encrypted table in the database so it cannot be changed outside the application.
This is working very well for us.

Post #706904
Posted Wednesday, April 29, 2009 9:19 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Friday, June 27, 2014 12:43 PM
Points: 13,872, Visits: 9,596
There is no perfect solution. Either the data is completely secure, and can easily become unretrievable, or it's just barely secure, and easy to recover, or somewhere in between.

Since the compromise depends on a lot of subjective factors, I can't even offer good advice on that.

Personally, for my own secure data, I have a pattern of passwords/keys that I use. They are strong passwords, but I only rarely change them. Studies by the NSA and various universities and such have actually shown that routinely changing passwords causes a net reduction in security over time, because of the very factors you're dealing with here. The "change your password every X days" rules create the illusion of security while reducing its actuality.


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #706932
Posted Wednesday, April 29, 2009 9:47 AM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Yesterday @ 12:04 PM
Points: 266, Visits: 2,601
GSquared: Thanks so much for your comment. One of the things I can't stand is the password rotation requirements at my agency and agencies we have to deal with. I copied your comment to my boss. She agreed to try to find those studies and at least research the issue. Thanks!
Post #706977
Posted Wednesday, April 29, 2009 9:51 AM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Today @ 12:34 PM
Points: 31,181, Visits: 15,626
We've used Password Safe to store the passwords, and the current password isn't a big deal. It's the rotation of passwords that gets confusing. I suppose you could just add a date to the name and keep all passwords there, but depending on how often you change passwords, that can be an issue.

We had an issue changing the password for Password Safe. We rarely did so since we didn't want to get caught later having an old database for which we didn't have the password.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #706985
Posted Wednesday, April 29, 2009 10:53 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Tuesday, October 14, 2014 10:58 AM
Points: 5,333, Visits: 25,272
Speaking of security here is some news posted on the BBC web site that might help in storing passwords and encryption keys and yet have the same readily available in case of need
http://news.bbc.co.uk/2/hi/technology/8024845.stm


If everything seems to be going well, you have obviously overlooked something.

Ron

Please help us, help you -before posting a question please read

Before posting a performance problem please read
Post #707058
Posted Wednesday, April 29, 2009 10:56 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Thursday, April 18, 2013 6:19 PM
Points: 2, Visits: 21
I think two part passwords work best. The first part of the password is specific to the task. The second part is common to all tasks and is rotated regularly. I only need to worry about remembering one new password each period.
Post #707060
« Prev Topic | Next Topic »

Add to briefcase 123»»»

Permissions Expand / Collapse