How to encrypt Credit Card numbers?
- BOR15K - Friday, September 8, 2017 10:17 AM
Is not a credit card industry standard for this?? And NEVER be so as to STUPID say "Before I will start Google.."; This just ended your care\er because anyone hires you, they will see this posting and know. Hackers now know to find the trace back to your posting address of your unprotected databases. It is always a bad, criminally bad, idea discuss security problems in a public forum.
Please post DDL and follow ANSI/ISO standards when asking for help.
-
NEVER be so as to STUPID say "Before I will start Google.."; This just ended your care\er because anyone hires you, they will see this posting and know.
Everyone uses Google. I USE GOOGLE, I USE GOOGLE, I USE GOOGLE. I'm sure the OP's career will be fine and so will mine Joe.
Hackers now know to find the trace back to your posting address of your unprotected databases.
<mission impossible music here>It is always a bad, criminally bad, idea discuss security problems in a public forum.
God help us all.
"I cant stress enough the importance of switching from a sequential files mindset to set-based thinking. After you make the switch, you can spend your time tuning and optimizing your queries instead of maintaining lengthy, poor-performing code."-- Itzik Ben-Gan 2001
-
I'll disagree on discussing potential solutions and issues. Security does not really depend on obscurity, but well know, practiced principles and then protecting specific implementations, like passwords, IPs, networking config, etc.
Google is a good way to learn, but for something like this, multiple people, including someone that has done the work, should sign off.
- Jack Corbett - Friday, September 8, 2017 12:38 PM
If TDE is in use then yes, people with direct access to the database can access the "encrypted" data. If always-encrpyted is in use then that is no longer the case and it remains secure. If the application handles the data encryption on the application tier the data remains vulnerable in the database and I can't believe that can be acceptable.
Or have I misunderstood something here?
- kevaburg - Monday, September 25, 2017 9:57 AM
I think you misunderstood. For always-encrypted you need SQL Server 2016, an always-encrypted enabled driver, and to configure the application to use the driver, so the data is encrypted and decrypted by the driver and not SQL Server. With column-level encryption the encryption and decryption takes place within the database or can, so anyone with correct permissions and knowledge can run a query to see encrypted data because all the keys and functions live in SQL Server. If I don't have access to SQL Server 2016 and this post is in a 2014 forum, I prefer to have the application encrypt the data before sending it to SQL Server and then have the application decrypt the data when it receives it back from SQL Server. Then you have to use the application and/or have access to the application code and keys in order to decrypt it, not just proper access to SQL Server. So the data is only vulnerable while displayed on the user's screen in the application or when they write it down or put it in Excel. It is stored encrypted.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question - Steve Jones - SSC Editor - Wednesday, September 20, 2017 10:58 AM
this is a very key point, you need to consider encryption of data at rest (inside your database) and data in transit (over the network) whether that be in transit over your LAN between the DB and application server, or between the application server and your end users, in this case external businesses.
Viewing 6 posts - 16 through 20 (of 20 total)
You must be logged in to reply to this topic. Login to reply