
You Need Encryption

There are lots of rules and regulations for security that companies enact. There are even more that are pushed on us from various groups, such as the PCI and HIPAA certifications. There are plenty of data professionals who find these rules to be burdens to just getting work done, and circumvent them. That is also the advice I've heard given to non-technical people who ask their friends for help.

It's hard to tell, but it appears that a lack of adherence to security rules was the reason that many Subway franchises were hacked and credit card data stolen. The franchises installed remote desktop software, likely to make it easy for them to access records from home, and hackers managed to scan these systems, guess passwords, and install their own trojan programs.

Subway dictated the use of point-to-point encryption, but the franchises refused to implement it. I'm not sure why this was allowed, or how this isn't required for PCI certification. Apparently there are still loopholes in the PCI regulations. While requiring more compliance isn't ideal, it wouldn't be necessary if so many people didn't value convenience above security.

You don't need to encrypt every communication with your SQL Server on your internal networks, but it is something you ought to consider for any external communication. Adding certificates to your servers, configuring encryption on the network, and talking IPSec with the network staff can be intimidating, but it's not that hard. It doesn't provide perfect security, but it definitely adds a layer of protection to your systems.
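Before turning on encryption, it helps to know which connections are currently arriving in the clear. The query below is an added example, not part of the editorial; it reads the SQL Server connection DMVs (which require VIEW SERVER STATE) and lists remote sessions whose transport is not TLS-encrypted, so you can see which external paths still need a certificate and Force Encryption.

```sql
-- Added example: find live connections that are not encrypted on the wire.
-- Assumes the caller has VIEW SERVER STATE; shared-memory and loopback
-- connections are excluded because they never leave the host.

-- 1. Quick summary: how many connections are encrypted vs. not, per transport.
SELECT
    c.net_transport,
    c.encrypt_option,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
GROUP BY c.net_transport, c.encrypt_option
ORDER BY c.net_transport, c.encrypt_option;

-- 2. Detail: unencrypted sessions coming from somewhere other than this machine,
--    with the login, client host and program so the owner can be contacted.
SELECT
    c.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.net_transport,
    c.client_net_address,
    c.auth_scheme,          -- SQL vs. NTLM/KERBEROS: SQL logins send credentials
                            -- in the TDS stream, so these matter most unencrypted
    c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions   AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'
  AND c.client_net_address NOT IN ('<local machine>', '127.0.0.1', '::1')
ORDER BY c.client_net_address, c.session_id;
```

Run it a few times across a business day, since the DMVs only show sessions that are connected at that moment; any row here from outside your network is a candidate for the certificate and encryption work described above.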

The basics also apply here. Limit remote access, patch your software, and above all, don't allow any default, or extremely easy passwords. There are plenty of tricks for creating and remembering strong passwords. Give some of those to your clients, and give them some good examples of places where weak passwords failed, like this Subway example, or the construction company that lost $240,000.

And encourage them to learn to type better. The easier it is to enter a 24 character password phrase, the more likely they are to adopt one.

Steve Jones

Happy Holiday!
