It's Time for Encryption


Andy Warren
Comments posted to this topic are about the item It's Time for Encryption

Andy
Jody.WP
I agree, these days with the rise in white collar crime all data should be treated as sensitive.
blandry
Imagine a database of valued recipes. The company that keeps this database does not want you to know what ingredients go into their product. They also do not want you to know the cooking steps to make the given recipes. I can understand that in a case such as this hypothetical, those columns must be encrypted.

Now imagine a customer calling up and asking if the company makes a certain product, but some knucklehead encrypted the product column and the customer service person has to respond that they need 15 minutes to locate the DBA, decrypt that column, and then look up whether or not they make the product.

On the one hand, you have an intelligent use of encryption of sensitive database columns. On the other hand, you have a DBA who has made a simple customer request a major project, cost the company time, money, and likely the customer is not going to hang around waiting.

This is the scenario I have faced many times in my career - DBAs who think everything under the Sun should be encrypted without thinking about the consequences and costs in time and effort to the company.

The answer? I would not agree that everything should be encrypted. I think the use of encryption, like many database features, has to be thought out beyond the mind of just the DBA. Indeed, the DBA is the last person to make this decision because usually, they are the people who do the least consuming of the database information. Leave this matter to Customer Service, Management, and the Customers - serve them!!! Not the DBA's often myopic idea of what amounts to sensitive data.

There's no such thing as dumb questions, only poorly thought-out answers...
bwillsie-842793
Everything definitely should NOT be encrypted. The US military learned long ago that "overprotecting" classified material was as bad as no protection.

The reason? Human nature.

When all material had to be handled as "Top Secret", including information that is unimportant or irrelevant, people tend to assume that none of the material is really that important.

Encrypt everything and you will begin to see encryption keys written down on post-it notes hanging off monitors.

Also, there is the issue of cost in both time and money.

It may be easiest for a DBA if everything is encrypted, but that doesn't mean it is best for the organization.
GabyYYZ
For those worried about the loss of keys, do what we do in our company.

Any new or changed encryption key is always in two parts. The security team typically enters one half and the DBAs enter the second half. Neither of us knows the other's password. Plus, we have our half of the key written down and locked in the CIO's safe and so do the security folks.

Back up your keys and you should be good to go.

Gaby
________________________________________________________________
"In theory, theory and practice are the same. In practice, they are not."
- Albert Einstein
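
An added example, not part of Gaby's post: a sketch of the two-custodian key handling described above, together with the recovery check that makes the backed-up copies useful. As a variation on literal halves, it splits the key into two XOR shares, so neither the security team's share nor the DBAs' share narrows down the key on its own. The function names, the 256-bit key size and the check-value label are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit key; the size is an assumption, not from the post


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split key into two XOR shares; either share alone is uniformly random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def check_value(key: bytes) -> str:
    """Short fingerprint kept with the backups to confirm a rebuilt key."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:12]


def combine(share_a: bytes, share_b: bytes, expected_kcv: str) -> bytes:
    """Rebuild the key from both shares; reject a result that does not match."""
    if len(share_a) != len(share_b):
        raise ValueError("shares differ in length")
    key = bytes(a ^ b for a, b in zip(share_a, share_b))
    if not hmac.compare_digest(check_value(key), expected_kcv):
        raise ValueError("check value mismatch: wrong or damaged share")
    return key


def ceremony() -> dict:
    """Constructed walk-through: generate, split, recover from the safe copies."""
    key = secrets.token_bytes(KEY_LEN)
    kcv = check_value(key)
    security_share, dba_share = split_key(key)
    recovered = combine(security_share, dba_share, kcv)
    # Simulate a share copied wrongly from the written backup: flip one bit.
    damaged = bytes([dba_share[0] ^ 0x01]) + dba_share[1:]
    try:
        combine(security_share, damaged, kcv)
        damaged_detected = False
    except ValueError:
        damaged_detected = True
    return {"recovered_ok": recovered == key, "damaged_detected": damaged_detected}


if __name__ == "__main__":
    print(ceremony())
```

Recording the check value alongside each written share lets a restore test confirm that the copies in the safe still rebuild the right key before they are needed in an outage.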

Jody.WP
It depends on how encryption is set up and managed.
randy.c
I would certainly try TDE -- if only it were available on SQL 2008 Standard. Any experts with recommendations on alternatives to TDE for the rest of us who don't have SQL 2008 Enterprise?
Mad Hacker
While reading this article I was reminded of an old episode of 60 Minutes on CBS where they were interviewing a professional car thief. When the thief was asked by the interviewer how he could avoid getting his fancy car stolen, he replied "don't buy it" and further stated that all he had to do to steal the vehicle was use a fork lift to set it on the back of a flatbed truck and drive off.

Even with all of the data protection tools available in today's world, if someone wants the data bad enough and they are persistent, in many cases they will find a creative way to obtain it.



Jody.WP
Agreed, but as DBAs we also have to think like them (thieves) and make do with the tools we have.
GabyYYZ
Mad Hacker (11/3/2009)
While reading this article I was reminded of an old episode of 60 Minutes on CBS where they were interviewing a professional car thief. When the thief was asked by the interviewer how he could avoid getting his fancy car stolen, he replied "don't buy it" and further stated that all he had to do to steal the vehicle was use a fork lift to set it on the back of a flatbed truck and drive off.

Even with all of the data protection tools available in today's world, if someone wants the data bad enough and they are persistent, in many cases they will find a creative way to obtain it.

But to carry the analogy further, imagine an encrypted database is a car where the doors, hood, and trunk are all welded shut and the undercarriage is covered by a large metal plate also welded on. Decryption is the "magic" that can cleanly remove the weld, but it makes the luxury car pretty useless for the thief if he has to destroy it to open it.

Gaby
________________________________________________________________
"In theory, theory and practice are the same. In practice, they are not."
- Albert Einstein
