You Need Encryption

Companies enact lots of security rules and regulations, and even more are pushed on us from outside groups, such as the PCI and HIPAA certifications. Plenty of data professionals find these rules a burden to getting work done and circumvent them. This is also the advice I've heard given to non-technical people who ask their friends for help.

It's hard to tell, but it appears that a lack of adherence to security rules was the reason that many Subway franchises were hacked and credit card data stolen. The franchises installed remote desktop software, likely to make it easy to access records from home, and hackers managed to scan for these systems, guess the passwords, and install their own trojan programs.

Subway dictated the use of point-to-point encryption, but the franchises refused to implement it. I'm not sure why this was allowed, or how this isn't required for PCI certification. Apparently there are still loopholes in the PCI regulations. Requiring more compliance isn't ideal, but it wouldn't be necessary if so many people didn't value convenience above security.

You don't need to encrypt every communication with your SQL Server on your internal networks, but it is something you ought to consider for any external communication. Adding certificates to your servers, configuring encryption on the network, and talking IPsec with the network staff can be intimidating, but it's not that hard. It doesn't provide perfect security, but it definitely adds a layer of protection to your systems.
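As an added example (not part of the editorial), a T-SQL check that lists the connections the paragraph above is concerned about: user sessions arriving over TCP that did not negotiate encryption. It assumes the VIEW SERVER STATE permission, and the Force Encryption lookup via xp_instance_regread assumes the instance runs on Windows.

```sql
-- Added example, not the editorial's own code.
-- 1) User sessions reaching this instance over TCP without TLS.
--    Shared-memory and loopback sessions are excluded: the risk discussed
--    above is traffic that leaves the machine.
SELECT
    c.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,
    c.encrypt_option,      -- 'TRUE' only when the session negotiated TLS
    c.auth_scheme,         -- SQL logins send credentials inside this channel
    c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.net_transport = 'TCP'
  AND c.encrypt_option = 'FALSE'
  AND c.client_net_address NOT IN ('<local machine>', '127.0.0.1', '::1')
ORDER BY c.connect_time;

-- 2) Whether the instance forces encryption for every client.
--    ForceEncryption = 1 means clients that cannot negotiate TLS are refused
--    rather than silently falling back to clear text.
DECLARE @force_encryption INT;
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib',
    N'ForceEncryption',
    @force_encryption OUTPUT;
SELECT ForceEncryption = ISNULL(@force_encryption, 0);
```

Note that encrypt_option only tells you TLS was used; whether the client validated the server certificate (rather than trusting any certificate) is a client-side setting that this query cannot see.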

The basics also apply here. Limit remote access, patch your software, and above all, don't allow any default or extremely easy passwords. There are plenty of tricks for creating and remembering strong passwords. Give some of those to your clients, and give them some good examples of places where weak passwords failed, like this Subway example or the construction company that lost $240,000.

And encourage them to learn to type better. The easier it is to enter a 24-character passphrase, the more likely they are to adopt one.

Steve Jones

Happy Holiday!
