SQLServerCentral forum: A Fundamental Security Mistake
Posted Saturday, December 19, 2009 12:23 PM
SSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 5:53 PM
Points: 33,063, Visits: 15,179
Comments posted to this topic are about the item A Fundamental Security Mistake

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #836838
Posted Sunday, December 20, 2009 2:39 AM
SSCrazy


Group: General Forum Members
Last Login: Wednesday, July 9, 2014 1:28 AM
Points: 2,105, Visits: 5,393
I’m not so sure that users will use TDE on Express edition. Most of the time Express edition is not managed by a DBA. In fact, most of the time the Express edition is installed by other software, and many times the DBA is not even aware of those editions that are installed in his organization. The users that use those applications are not database professionals and wouldn’t know what TDE is and how to use it (in fact many times they are also not aware that SQL Server Express edition is used by their software). In short, I think that if TDE is supported on Express edition, it will hardly be used.

Adi


--------------------------------------------------------------
To know how to ask questions and increase the chances of getting answers:
http://www.sqlservercentral.com/articles/Best+Practices/61537/

For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/
Post #836861
Posted Monday, December 21, 2009 7:32 AM
SSCoach

Group: General Forum Members
Last Login: Friday, June 27, 2014 12:43 PM
Points: 15,444, Visits: 9,596
Adi Cohn-120898 (12/20/2009)
I’m not so sure that users will use TDE on Express edition. Most of the time Express edition is not managed by a DBA. In fact, most of the time the Express edition is installed by other software, and many times the DBA is not even aware of those editions that are installed in his organization. The users that use those applications are not database professionals and wouldn’t know what TDE is and how to use it (in fact many times they are also not aware that SQL Server Express edition is used by their software). In short, I think that if TDE is supported on Express edition, it will hardly be used.

Adi


I have to disagree with the point of your post.

I agree with Steve that it should be available. As with all security (and almost all other features), use of it is up to the DBA, whether that's a pro DBA or someone who "knows computer stuff" and doesn't even know how to spell "DBA".

The attitude you're expressing is comparable to saying, "Why even have keys for cars? Some people just leave the key in and the doors unlocked, so why bother even making cars that use keys?"


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #837179
Posted Monday, December 21, 2009 9:12 AM
SSC Veteran


Group: General Forum Members
Last Login: Thursday, December 20, 2012 1:03 PM
Points: 265, Visits: 589
Encryption in general should be a default install at the OS level and apply to all files, not just to database files or express editions. Files like formatted reports, xls and csv dumps, sql scripts, and what not could all use such protections.
Post #837268
Posted Monday, December 21, 2009 9:17 AM
SSCoach

Group: General Forum Members
Last Login: Friday, June 27, 2014 12:43 PM
Points: 15,444, Visits: 9,596
sjsubscribe (12/21/2009)
Encryption in general should be a default install at the OS level and apply to all files, not just to database files or express editions. Files like formatted reports, xls and csv dumps, sql scripts, and what not could all use such protections.


I prefer that as an option, not a default. Could be default in a business setting, but would be a pain in the butt at home. I prefer to be able to recover files off my hard drives directly, especially since I build my own computers.


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #837282
Posted Monday, December 21, 2009 9:23 AM
SSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 5:53 PM
Points: 33,063, Visits: 15,179
I'd like to see it as the default for some files. Like SQL Server files. Adding this option to Express, AND making it the default, would make things more secure. That along with an annoying message about the certificates and a "copy to" dialog at the end of an install.

Same for Quicken files, and other types of high security items. Makes some sense to have them encrypted automatically.

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #837293
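The "message about the certificates" in the post above refers to the one TDE step that is routinely skipped: backing up the certificate that protects the database encryption key. The T-SQL below is an added example, not code from any post in this thread; it assumes an edition that supports TDE, and the database name ExampleDb, the file paths and the passwords are placeholders.

```sql
-- Added example: enable TDE and back up the certificate that protects it.
-- Assumes an edition that supports TDE; ExampleDb, paths and passwords are placeholders.
USE master;
GO
-- The database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password-placeholder>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for ExampleDb';
GO
-- This is what an installer's "copy to" dialog would stand in for: without this
-- certificate and private key, backups of the database cannot be restored or the
-- files attached on any other instance. Keep the files and password off the server.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\tde-backup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\tde-backup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
USE ExampleDb;
GO
-- The database encryption key (DEK) is protected by the server certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE ExampleDb SET ENCRYPTION ON;
GO
-- Verify: encryption_state 3 means encrypted, 2 means encryption still in progress.
-- tempdb appears here too, because it is encrypted once any user database is.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
GO
-- On a second instance (which needs its own master key first), recreate the
-- certificate from the backup before restoring ExampleDb there:
-- CREATE CERTIFICATE TdeCert
--     FROM FILE = 'C:\tde-backup\TdeCert.cer'
--     WITH PRIVATE KEY (
--         FILE = 'C:\tde-backup\TdeCert.pvk',
--         DECRYPTION BY PASSWORD = '<private-key-password-placeholder>');
```

A restore on another instance without the certificate fails with a missing-thumbprint error, which is exactly the loss scenario the installer prompt is meant to prevent.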
Posted Monday, December 21, 2009 9:28 AM
SSCoach

Group: General Forum Members
Last Login: Friday, June 27, 2014 12:43 PM
Points: 15,444, Visits: 9,596
Steve Jones - Editor (12/21/2009)
I'd like to see it as the default for some files. Like SQL Server files. Adding this option to Express, AND making it the default, would make things more secure. That along with an annoying message about the certificates and a "copy to" dialog at the end of an install.

Same for Quicken files, and other types of high security items. Makes some sense to have them encrypted automatically.


Yes, but that would be managed by the applications, not by the OS. The OS might (or might not) provide the encryption, but it would be something called in the application.

Quicken could certainly encrypt the database and files. So could Outlook, if that's desired (probably should be, at least on laptops). And so on. But why would I want my mp3 files and video files and such encrypted? If the OS defaults that way, they would be. And there go my compression options, too.


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #837302
Posted Monday, December 21, 2009 9:40 AM
SSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 5:53 PM
Points: 33,063, Visits: 15,179
I agree with the OS. There might be times I want those things encrypted, like the podcasts. Need to protect them :), but not by default.

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #837325
Posted Monday, December 21, 2009 9:41 AM
SSC Veteran


Group: General Forum Members
Last Login: Thursday, December 20, 2012 1:03 PM
Points: 265, Visits: 589
GSquared (12/21/2009)
sjsubscribe (12/21/2009)
Encryption in general should be a default install at the OS level and apply to all files, not just to database files or express editions. Files like formatted reports, xls and csv dumps, sql scripts, and what not could all use such protections.


I prefer that as an option, not a default. Could be default in a business setting, but would be a pain in the butt at home. I prefer to be able to recover files off my hard drives directly, especially since I build my own computers.


If you build your own computers, then the solution is for you to override the default encryption. All others get strong encryption by default. This is the trend anyway in thinking among all major operating systems.
Post #837327
Posted Monday, December 21, 2009 10:15 AM
SSCoach

Group: General Forum Members
Last Login: Friday, June 27, 2014 12:43 PM
Points: 15,444, Visits: 9,596
sjsubscribe (12/21/2009)
GSquared (12/21/2009)
sjsubscribe (12/21/2009)
Encryption in general should be a default install at the OS level and apply to all files, not just to database files or express editions. Files like formatted reports, xls and csv dumps, sql scripts, and what not could all use such protections.


I prefer that as an option, not a default. Could be default in a business setting, but would be a pain in the butt at home. I prefer to be able to recover files off my hard drives directly, especially since I build my own computers.


If you build your own computers, then the solution is for you to override the default encryption. All others get strong encryption by default. This is the trend anyway in thinking among all major operating systems.


And when I need to help a family member recover data from a crashed computer, it will be impossible.

Pictures from their last motorcycle vacation, gone. Downloaded music, gone. Etc.

Part of the whole purpose of security is balancing cost of protection vs cost of loss vs cost of exposure. Most people, most of the time, will have a higher cost of loss than cost of exposure, for the vast majority of their personal files.

Do you have steel bars, an alarm system, motion sensors, night-vision CCTV cameras sending real-time video to a secure remote location, pressure pads, steel doors with 12-digit PIN mag locks, reinforced concrete walls with penetration-sensing mesh, and seismic records for detecting tunneling, for your garage? Those are all valid security systems that could be built into your home, but most people have locked doors and windows, and maybe an alarm system with a 4-digit PIN and a motion sensor in one or two rooms.

Why? Because the cost of protection would far outweigh the cost of exposure and loss.

At the same time, do you park your car downtown with the engine running and the doors unlocked? Or do you do like most people and turn it off, take the keys out, and lock the doors and leave the windows closed? Why? Because that level of cost of protection is far below the cost of exposure/loss.

You have to balance these things, or you're not actually doing security, you're just involved in some OCD neurosis about "must protect stuff".

You say it's okay for me to turn off the security on a computer I build for myself, but to force most people to have that same security. I say "force", because most won't know that it exists, much less how to make decisions about it. Why does that make sense?

Take a look at the most hated feature of Windows Vista, User Account Control (UAC). It forced most people to have a much higher level of security, at very low actual cost. That, and lies from Apple, cost them a huge piece of the market (most businesses) and gave them a serious PR black eye.

Why? Because the perceived cost of protection was higher than the perceived cost of exposure. Microsoft didn't balance those correctly, and they got hurt for it. Rightly so.

So no, I don't buy the argument that, "it's okay for you to turn your security off if you happen to be a computer professional who knows how to do so, but let's put most people at higher exposure for loss without any real expectation of benefit".

If you disagree with that, lay out the expected benefit for encrypting personal computer files universally, and the expected loss resulting from that, and quantify the two measures, and prove that I'm wrong.


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #837359