A Fundamental Security Mistake

  • If someone maintains something like financial or protected health information on their PC, then it's best to use a whole disk encryption solution like Microsoft BitLocker, PGP, or DiskCryptor (free and open source). Aside from the database, there are also things like emails and Excel sheets that contain traces of confidential information.

    If a thief steals your laptop and sees you have a database file called financials.mdf or billing.mdf, or if they can tell from your email correspondence that you work in the financial department of an organization, then they may put some effort into cracking the database files. However, if the PC can't even be booted, then they'll just wipe it down or sell it on the street for scrap.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (11/10/2014)


    If someone maintains something like financial or protected health information on their PC, then it's best to use a whole disk encryption solution like Microsoft BitLocker, PGP, or DiskCryptor (free and open source). Aside from the database, there are also things like emails and Excel sheets that contain traces of confidential information.

    If a thief steals your laptop and sees you have a database file called financials.mdf or billing.mdf, or if they can tell from your email correspondence that you work in the financial department of an organization, then they may put some effort into cracking the database files. However, if the PC can't even be booted, then they'll just wipe it down or sell it on the street for scrap.

    A good point, however, a company selling a product based (in part) on SQL Server Express should not want to rely on their client encrypting their disk.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga (11/10/2014)


    Eric M Russell (11/10/2014)


    If someone maintains something like financial or protected health information on their PC, then it's best to use a whole disk encryption solution like Microsoft BitLocker, PGP, or DiskCryptor (free and open source). Aside from the database, there are also things like emails and Excel sheets that contain traces of confidential information.

    If a thief steals your laptop and sees you have a database file called financials.mdf or billing.mdf, or if they can tell from your email correspondence that you work in the financial department of an organization, then they may put some effort into cracking the database files. However, if the PC can't even be booted, then they'll just wipe it down or sell it on the street for scrap.

    A good point, however, a company selling a product based (in part) on SQL Server Express should not want to rely on their client encrypting their disk.

    In the case of an ISV / client relationship, the client can choose whether to encrypt their disk or use Windows EFS to encrypt only the database file. It should be the client's prerogative. With TDE, keys have to be configured, which complicates setup and may end up causing the client to lose access to their own database. I wouldn't want to bear even partial responsibility for my client losing their encryption key.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Gary Varga (11/10/2014)


    A good point, however, a company selling a product based (in part) on SQL Server Express should not want to rely on their client encrypting their disk.

    But if the issue is legal liability, the vendor, Microsoft in this case, would supply the tools and some advice and be on their way. To do more would be for them to potentially assume some liability for the actions of the client. In general this is something they avoid.

    I agree with you that it would be nice if they were able to make the client encrypt, but Microsoft Legal would not let them do that.

    M.

    Not all gray hairs are Dinosaurs!

  • Miles Neale (11/12/2014)


    Gary Varga (11/10/2014)


    A good point, however, a company selling a product based (in part) on SQL Server Express should not want to rely on their client encrypting their disk.

    But if the issue is legal liability, the vendor, Microsoft in this case, would supply the tools and some advice and be on their way. To do more would be for them to potentially assume some liability for the actions of the client. In general this is something they avoid.

    I agree with you that it would be nice if they were able to make the client encrypt, but Microsoft Legal would not let them do that.

    M.

    I agree that Microsoft is in the clear. They are whether they supply TDE or not. The vendor of the product that has an unencrypted SQL Server Express may attempt to push the responsibility onto the client e.g. by suggesting that the client could/should have used disk encryption tools. The client might be able to argue that the product that utilises SQL Server Express is inherently insecure and, given a scenario where the product's data would be known to be sensitive, the vendor is responsible and the product unfit for purpose.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!
