Enabling TDE

  • Victor Kirkpatrick (5/31/2011)


    Had to bone up on TDE to get this one... which btw, is exactly what Steve is looking for in the QOD anyway, right? Good question. Learned a few things from this one, which is the point, right or wrong on the answer.

    That's exactly correct. Glad it helped.

  • I think the question was great.

    However, on the topic of TDE I rarely recommend it. It really only helps data-at-rest and doesn't provide any protection when the database is "live" and queryable. In addition to that, in most databases there are usually not that many fields that readily SHOULD be encrypted so why should I incur the expense of encryption/decryption of all the remaining data? Now I realize that is a generalization and doesn't cover ALL use cases, but my experience with heavily protected/regulated data in both public and private sectors gives me that point of view. My usual recommendation is encrypt the specific fields that need it and leave the other fields in the clear. Both cases have the data encrypted on disk and in the backups. Where they are different is that if you encrypt just the fields the data is also protected when the database is "live".

    CEWII
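The two approaches being contrasted, as an added T-SQL example that is not part of the original thread: enabling TDE on a database (the whole file and its backups are encrypted on disk, but every query sees plaintext), versus encrypting one sensitive column with a symmetric key (the value stays ciphertext until a session explicitly opens the key). The database name `SampleDb`, the key and certificate names, the passwords and the card number are constructed placeholders.

```sql
-- Part 1: TDE. Keys live in master; the DEK lives in the user database.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SampleDb';
-- Back up the certificate immediately: without it the database and its backups cannot be restored.
BACKUP CERTIFICATE TdeCert TO FILE = 'C:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<placeholder-strong-password>');
USE SampleDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE SampleDb SET ENCRYPTION ON;
-- encryption_state 3 means the database is fully encrypted on disk.
SELECT DB_NAME(database_id) AS db, encryption_state
FROM sys.dm_database_encryption_keys;
-- Any user with SELECT still sees plaintext: TDE only protects data at rest.
SELECT TOP (1) * FROM dbo.Customer;

-- Part 2: column-level encryption for the one field that actually needs it.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects Customer.CardNumber';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
CREATE TABLE dbo.Customer (
    CustomerId    int          NOT NULL PRIMARY KEY,
    Name          nvarchar(50) NOT NULL,          -- left in the clear
    CardNumberEnc varbinary(128) NOT NULL         -- ciphertext only
);
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT dbo.Customer (CustomerId, Name, CardNumberEnc)
VALUES (1, N'Example Customer',
        EncryptByKey(Key_GUID('CardKey'), '4111111111111111'));  -- constructed test number
CLOSE SYMMETRIC KEY CardKey;
-- Live database, key closed: the column returns only ciphertext.
SELECT CustomerId, Name, CardNumberEnc FROM dbo.Customer;
-- Only a session that can open the key (i.e. has CONTROL on CardCert) recovers the value.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT CustomerId, Name,
       CONVERT(varchar(20), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CardKey;
```

Both halves leave the data encrypted in the .mdf and in BACKUP DATABASE output; only the second restricts what a connected, authorised-to-SELECT user can read.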

  • Fair points, Elliott, and it's one of the reasons I'm annoyed that TDE isn't in other editions. This is great for protecting the data at rest for situations where it moves, like laptops. It provides some level of physical protection.

    It also causes the backups to be encrypted, which is a good point if you are not using a third party tool. Many companies send their backups offsite with a service, and TDE does help ensure those backups are not tampered with.

  • Nice question, thanks!

  • That's an interesting question on encryption. Easy one to miss the correct answers.

    Reference (Read towards end of page): http://msdn.microsoft.com/en-us/library/bb934049.aspx

    Thanks.

  • Steve Jones - SSC Editor (5/31/2011)


    Fair points, Elliott, and it's one of the reasons I'm annoyed that TDE isn't in other editions. This is great for protecting the data at rest for situations where it moves, like laptops. It provides some level of physical protection.

    It also causes the backups to be encrypted, which is a good point if you are not using a third party tool. Many companies send their backups offsite with a service, and TDE does help ensure those backups are not tampered with.

    I think I missed this response the first time around.

    I'm basically saying don't use it, regardless of edition. For laptops, I would generally take the position that you should be using whole disk encryption for all company laptops. I worked for a GINORMOUS bank that did this for EVERY laptop and desktop; the only thing that didn't get it was servers.

    In the cases of backups going off-site, the data was encrypted at the point it was moved to tape. YMMV.

    As for the post today, I'm not sure what exactly the guy was pointing at.

    CEWII

  • I'd agree on whole disk encryption. Doesn't make a lot of sense to not use that, but the backup argument seems pretty good to me, especially because backups aren't just moving to tape for storage. Lots of them are floating around for restores to QA/Dev.

  • At that bank I was talking about, the developers didn't have access to the production backups.

    I think we'll just have to agree to disagree.

    CEWII

  • Elliott Whitlow (3/17/2012)


    I think we'll just have to agree to disagree.

    CEWII

    I think so. I wasn't trying to specifically say this is 100% of the way to do things. Individual DBAs have to make a judgment call about TDE, but if it offers protection outside of whole disk encryption for backups, it's worth looking at.
