A Fundamental Security Mistake

  • TDE is transparent to the user. No configuration, nothing to worry about, doesn't affect apps, so it would have no impact on the user having to figure things out. This is unlike encryption in SQL Server, which is complex.

    Matt brings up a good point in terms of the user logging on. But if you lose your laptop, it's not necessarily the person logging on, but someone accessing your NTFS drive without being logged on. That's the issue.

    You could enable TDE and limit Windows access, which, while a possible pain, would better protect data.

  • Sorry if I am being hard-headed in this case - but it would be a disservice not to mention this.

    With Microsoft publishing tools like DaRT (Diagnostics and Recovery Toolset), please don't ever rely on a standalone PC's NTFS or security to secure your system. For what it's worth, DaRT used to be called ERD Commander in its previous iterations.

    It takes two reboots and about 4 minutes to reset any password in the local hive. In other words - anything tied to Windows security is wide open at that point. There are freeware packages that can do the same thing for much, much less than DaRT.

    Physical access to the PC and the local security hive is currently too much of a leg up to rely on the OS to help you secure anything. In this case - not being able to prevent someone who is a local admin from also becoming the SA in your database is the fundamental issue.

    The only way your data is essentially secure in that scenario is if the database service itself and the SA cannot read or understand the data. Meaning, encrypted data being stored in the DB (which will be at a terrible price since no indexes will work, etc.).

    Perhaps when you add in certain encryption solutions like the PGP ones (allowing you to encrypt an entire drive, and requiring biometric access) you can make something secure enough. But the OS alone is not enough.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • Matt, you are correct, but security is a series of hurdles. If you lose the laptop, there's an x% chance that someone will get the data if you have TDE and a strong password. However there's a 100% chance someone will get the data if you don't have any security.

    Every hurdle, from decent Windows passwords, to TDE, would lower the percentage of people that could access the data, or even try. Not that you should rely on it, but having a few more tools to enhance security would be good.

  • Steve Jones - Editor (12/24/2009)


    Matt, you are correct, but security is a series of hurdles. If you lose the laptop, there's an x% chance that someone will get the data if you have TDE and a strong password. However there's a 100% chance someone will get the data if you don't have any security.

    Every hurdle, from decent Windows passwords, to TDE, would lower the percentage of people that could access the data, or even try. Not that you should rely on it, but having a few more tools to enhance security would be good.

    Understood, and I agree with you. I just wanted that little tidbit known so we don't set up a "false sense of security": those are usually when the big breaches happen.

    This will discourage those casual thieves who are interested in the laptop more than its contents, so in that sense, it might help prevent an escalation of the theft. It might be just enough to encourage them to simply wipe the drive and move on (which in the greater scheme of things is possibly the best outcome for the original owner).

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • I agree with Steve - this is a fundamental security error. It is crazy to push products without this capability.

    It isn't a panacea, but that's no reason not to offer it - particularly if you have MS's reputation (whether deserved or not - if not, you shouldn't start trying to earn it) for failing to offer reasonable security.

    Tom

  • Four years on and this idea has no traction? Did anyone ever set up a request on MS Connect?

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Did anyone ever set up a request on MS Connect?

    Like that does any good. :angry:

  • One area where Express is used a lot is in medical billing. While licensing forces such companies to use it internally, in the event of a breach, you suddenly have a hole in your security. The reason Express is used is because these companies tend to be small and running on tight budgets. Express is a means to squeeze every last ounce out of a Standard or Enterprise installation without having to pay full price for new instances. So, yes, there is a compelling reason to put it on Express. Until there's a major HIPAA violation, however, I don't think Microsoft will do anything about it. Why should they? It's free, and they want you to buy a more robust edition.

    --- Remember, if you don't document your work, Apollo 13 doesn't come home.

  • I agree with thottle, a HIPAA violation will help change things.

  • chrisn-585491 (11/3/2014)


    Did anyone ever set up a request on MS Connect?

    Like that does any good. :angry:

    Fair point. :crying:

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Iwas Bornready (11/3/2014)


    I agree with thottle, a HIPAA violation will help change things.

    Born - If there were a HIPAA violation, it would not be a Microsoft problem. Microsoft offers tools that can and will do the job at a price. The issue would be in this case that the company who was hosting the database did not do the due diligence and decide on a HIPAA-compliant database.

    The deciding and hosting company would be culpable, not Microsoft.

    That said, Microsoft has had 5-6 years to profit from the sales of versions that have TDE included and it has paid for itself. TDE should be included as part of the free package going forward. All IMHO.

    M.

    Not all gray hairs are Dinosaurs!

  • Is it just Express Edition? I thought it was only Enterprise Edition that supports TDE, and all other editions (Standard, BI, Express, etc.) do not support it. You can still implement data at rest encryption using Windows Encrypted File System and NTFS permissions. Also, symmetric key based column encryption is still available, which is what provides end user level data security.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Born - If there were a HIPAA violation, it would not be a Microsoft problem. Microsoft offers tools that can and will do the job at a price. The issue would be in this case that the company who was hosting the database did not do the due diligence and decide on a HIPAA-compliant database.

    True, there would not be a legal requirement for Microsoft to do it. The same might go for a SOX violation. However, a company looking to cover its mistakes can make enough noise to embarrass Microsoft, which is something consumers had a hard time doing, at least in the Ballmer era. Nadella seems more responsive to public perception. (Not perfect, mind you, but better than Ballmer.)

    --- Remember, if you don't document your work, Apollo 13 doesn't come home.

  • IMO, it would be a waste of disk space in the installation to have TDE available on Express. I would be surprised if more than a handful of people outside of experienced SQL developers/DBAs using Express would understand what TDE is or want it turned on if they did. The proliferation of data in Excel is a much larger issue than data stored in SQL anyway when it comes to desktops/laptops/tablets...

  • Craig.Carpenter (11/10/2014)


    IMO, it would be a waste of disk space in the installation to have TDE available on Express. I would be surprised if more than a handful of people outside of experienced SQL developers/DBAs using Express would understand what TDE is or want it turned on if they did. The proliferation of data in Excel is a much larger issue than data stored in SQL anyway when it comes to desktops/laptops/tablets...

    It would be another differentiator between Excel and SQL Server. Also, I think that many Express installs are part of a product which possibly significantly alters the percentage of installs likely to have professional developers and DBAs involved.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!
