SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Encrypt Everything


Encrypt Everything

Author
Message
Steve Jones
Steve Jones
SSC Guru
SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)

Group: Administrators
Points: 62214 Visits: 19102
Comments posted to this topic are about the item Encrypt Everything

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Jeff Moden
Jeff Moden
SSC Guru
SSC Guru (85K reputation)SSC Guru (85K reputation)SSC Guru (85K reputation)SSC Guru (85K reputation)SSC Guru (85K reputation)SSC Guru (85K reputation)SSC Guru (85K reputation)SSC Guru (85K reputation)

Group: General Forum Members
Points: 85605 Visits: 41082
I absolutely agree with the concept of encrypting everything in transit but...

Why does it seem that it always comes back to this recent bloody NSA thing? Where the hell have people been? It's not likely that organizations like the NSA are going to do anything with your data that would actually cause harm to the company (well, unless the company is doing something illegal). What people SHOULD be concerned about is ANYONE getting their data and if they're just now coming around to that fact, then they're several decades behind what should have been on their agenda all along.

As a bit of a sidebar, this is yet another reason why I prefer local physical hardware as opposed to using cloud services.

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think its expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
Yet Another DBA
Yet Another DBA
SSC-Addicted
SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)

Group: General Forum Members
Points: 485 Visits: 1234
To many applications still have SA rights with an easily guessed password. So encryption doesnt really help much other than the backup files now needing a certificate for the restore. These same companies still dont believe in encrypting data like bank account information, personal/customer personal data. Just waiting for the UK media to have afield day.

I have worked in too many places where the IT staff let alone the Business believe that an NDA will be adequate in protecting all of their data.
Yet Another DBA
Yet Another DBA
SSC-Addicted
SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)SSC-Addicted (485 reputation)

Group: General Forum Members
Points: 485 Visits: 1234
Jeff Moden (12/14/2013) ......
As a bit of a sidebar, this is yet another reason why I prefer local physical hardware as opposed to using cloud services.


A bit tongue in cheek: Why would any one at a cloud provider want to look at your data.

More seriously though, at least you can do a proper audit with local storage.
chrisn-585491
chrisn-585491
SSCommitted
SSCommitted (1.9K reputation)SSCommitted (1.9K reputation)SSCommitted (1.9K reputation)SSCommitted (1.9K reputation)SSCommitted (1.9K reputation)SSCommitted (1.9K reputation)SSCommitted (1.9K reputation)SSCommitted (1.9K reputation)

Group: General Forum Members
Points: 1928 Visits: 2436
If business managers invested in security and training, we would have security and training. Until then, they are enjoy their bonuses and wondering what us nerds and geeks are worried about.
djackson 22568
djackson 22568
Ten Centuries
Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)

Group: General Forum Members
Points: 1276 Visits: 1216
I think it is fair to point out that Microsoft just stated they will start encrypting, Google just stated they would a couple weeks ago. All of the major players knew this was an issue years ago, and ignored the risk.

Our organization is starting to require SSL on all web traffic, whether internal or external. It will take a couple years to get there, but in the end it will be an improvement. Thick client apps are not in scope for this change.

The media and the government continuously talk about how the biggest threat is internal, but I disagree. Our own government is arguably the worst as they are violating our own constitution! This is followed by intrusion attempts from china and other countries, and I believe individual attacks from external resources are next. Employee threats exist, but if you count the group of employees who are foreign nationals in the "country" group, I think that threat is relatively small.

My point - encrypt everything external first, and worry about internal risks once that is somewhat taken care of. Those companies that can do both at the same time should consider it.

Dave
djackson 22568
djackson 22568
Ten Centuries
Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)

Group: General Forum Members
Points: 1276 Visits: 1216
Jeff Moden (12/14/2013)
I absolutely agree with the concept of encrypting everything in transit but...

Why does it seem that it always comes back to this recent bloody NSA thing? Where the hell have people been? It's not likely that organizations like the NSA are going to do anything with your data that would actually cause harm to the company (well, unless the company is doing something illegal).


The NSA is a government agency. Government agencies answer to the president and congress. The current administration has used the IRS to attack the Tea Party, previous administrations on both sides have used the IRS and other agencies to attack their enemies.

Companies get attacked frequently because of the political opinions of the owners or management. I do not believe that it is at all a stretch to say that various administrations in the past, and certainly the future, have and will use anything they can to silence opposition. The NSA has ADMITTED it is using personal preferences such as sexual orientation, sexual habits and other data to attack the leaders of various organizations. How long before they use that information to attack CEOs? I would bet it is already happening.

I respect your opinion on this, and I would hope you are correct that the likelihood is low, but recent evidence indicates you may not be.

Dave
Steve Jones
Steve Jones
SSC Guru
SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)

Group: Administrators
Points: 62214 Visits: 19102
Yet Another DBA (12/16/2013)

A bit tongue in cheek: Why would any one at a cloud provider want to look at your data.


It's not anyone, but a particular person. If I suspect you are storing credit cards, or I want to know your sales data, and it's valuable enough, trying to get an employee to siphon off or look at data (for $$) is a valid way of criminally attacking your data.

Or perhaps I see if the cloud company really separates out VLANs or do they have shared LANs I can sniff?

Encryption certainly slows things down.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Steve Jones
Steve Jones
SSC Guru
SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)SSC Guru (62K reputation)

Group: Administrators
Points: 62214 Visits: 19102
djackson 22568 (12/16/2013)


Companies get attacked frequently because of the political opinions of the owners or management. I do not believe that it is at all a stretch to say that various administrations in the past, and certainly the future, have and will use anything they can to silence opposition. The NSA has ADMITTED it is using personal preferences such as sexual orientation, sexual habits and other data to attack the leaders of various organizations. How long before they use that information to attack CEOs? I would bet it is already happening.

I respect your opinion on this, and I would hope you are correct that the likelihood is low, but recent evidence indicates you may not be.


I'm not sure I am quite as concerned here as Mr. Jackson, but I also do think that information gets leaked. CEOs are friends, or potential employers, of people working at the NSA. They (NSA or government employees) might be willing to share confidential information that gets them a job, bonus, etc. I don't think it's some global conspiracy or consistent set of actions that occurs constantly, but I do think it can happen. It's human nature.

However, I agree with Jeff that it's not something that just started. This type of espionage has been happening with corporations, foreign governments, and likely our own, for a long time.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Ralph Hightower
Ralph Hightower
Mr or Mrs. 500
Mr or Mrs. 500 (535 reputation)Mr or Mrs. 500 (535 reputation)Mr or Mrs. 500 (535 reputation)Mr or Mrs. 500 (535 reputation)Mr or Mrs. 500 (535 reputation)Mr or Mrs. 500 (535 reputation)Mr or Mrs. 500 (535 reputation)Mr or Mrs. 500 (535 reputation)

Group: General Forum Members
Points: 535 Visits: 1111
Pick on South Carolina. The South Carolina Department of Revenue didn't encrypt the Social Security Numbers of taxpayers who filed electronic tax returns. Whoops! Now hackers have 6 million Social Security Numbers when they hacked into the computer systems.
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search