Locking Your Disk

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 717951

    Comments posted to this topic are about the item Locking Your Disk

  • IceDread

    SSCertifiable

    Points: 5000

    Disk encryption might protect the data from someone who does not know a lot about computres but if they search a bit they will find that disk encryption is not a stopper at all.

  • Jason Miller-476791

    SSCommitted

    Points: 1510

    People seem to forget the primary objective in data sercurity. If you cant secure the device (disk) physically, you cant secure anything.

    If the data is sensitive it shouldn't be on a laptop in the first place.

    Honor Super Omnia-
    Jason Miller

  • Andy sql

    SSCrazy Eights

    Points: 9378

    Encryption within a database is probably something I should do, but I don't for the simple reason that any client application that queries the data must (by definition) be able to decrypt the data. For most of my work, any attack vector would come from the client, so encryption is pointless.

    So, the only reason to encrypt a database is to protect it from other forms of access. For example, someone stealing the hard drive, or a backup of the database. Encryption maybe makes sense if the database is on a laptop. But, and this is a big but, the laptop will no doubt have a client installed on it which can read the data. So is anything really achieved???

    Other measures, such as not storing plain-text passwords, is far more worthwhile in my book.

    I'm willing to admit that I am no expert in this area - so if anyone can put forward an argument for using encryption, I'm listening....

    Andy

  • Samuel Clough

    Old Hand

    Points: 319

    The reality is we all know there is somebody out there who can break into just about anything. For example, the recent story of how even encrypted disks have the decryption key in RAM so a user could potentially grab that key out of memory on a stolen laptop that's running to read the data. While that's obviously a risk (especially if you carry government secrets or something) most thieves will probably dump the machine and move to an easier target. That's really what you're normally after anyway. The trick is to put up barriers and put up enough barriers to deter the quick hit which is what most thieves are after.

    I would think that if you have sensitive data on remote machines in a database it should be encrypted. Yes, the client app can decrypt the data, but the client application should have some authentication method before it just displays data. Yes, a brilliant computer scientist could reverse compile the client app and figure out how it's decrypting the data, but you're betting that most thieves will be frustrated and go on to the next easy hit. It just increases your odds against a true break in.

  • Jack Corbett

    SSC Guru

    Points: 184381

    I do not use any encrytpion on my personal laptop. Several people I know do. I have never used encryption in SQL Server because I have worked on in-house systems that, in theory, were physically secure. The danger was people having data in excel, etc... on their laptop, pda, or in their email.

    Where I work now we are discussing putting in a place a policy requiring encryption on any laptops used for business purposes. As there are folks with sensitive data with them. Even with this you still have the issue of jump drives, excel, and email. How do I keep a person from using a report I wrote to create an excel document that they then email to someone else in the company.

    I still think data security is about education and training. If the employee does not understand the data is sensitive then they are likely to share it.

    Jack Corbett
    Consultant - Straight Path Solutions
    Check out these links on how to get faster and more accurate answers:
    Forum Etiquette: How to post data/code on a forum to get the best help
    Need an Answer? Actually, No ... You Need a Question

  • IceDread

    SSCertifiable

    Points: 5000

    The fast hit thieves, sure, but if they know it is a government computre they might just sell it to someone they know that might be interrest and for that thief it's a quick hit.

  • gdelgado

    Old Hand

    Points: 366

    Here is what you do for databases. Deny decryption to the client login! Then force the client to use a stored procedure which itself is encrypted that executes as a user with decryption privileges only if certain proper parameters are passed in. Because the stored procedure is encrypted itself, even the dbo could not view the source, so make sure not to save the source file for this stored procedure on your laptop, where it can be found. Any secure development should probably never be saved on a laptop, just created WITH ENCRYPTION.

    Ultimately this could probably be hacked as well, but like some dude said if you cant guarantee the safety of the computer, you cant guarantee the safety of the data. Even if you have really really safe data, who is to say that the quantum computers of tomorrow wont be able to bruteforce right through it. So always remember to bolt down your computers to the floor and use auto triggered grenades if they become detached. The other important security concept is to keep up with the times, make sure you guys are using the latest unhacked algorithms.

  • jay-h

    SSCoach

    Points: 18816

    I have disk encryption (for some files) on my personal computer, we are planning to do encryption for company laptop, but are waiting for top management to make their determinations.

    Good disk encryption can vastly increase the difficulty of getting at information to the extent that the resources needed to extract the information are far beyond your attacker (there have even been criminal cases that were stymied by encryption).

    The RAM attack mentioned earlier is interesting, but requires a running, logged in computer to make use of it. If the computer is running with data mounted, trying to read the RAM is the least of your troubles.

    One thing of interest is an approach to 'rubber hose' decryption: multiple passwords where the initial password opens up a directory with files, but a 2nd passoword opens up the real stuff. An encrypted virtual disk with a 2nd level is mathematically indistinguishable from a virtual disk with empty space.

    ...

    -- FORTRAN manual for Xerox Computers --

  • SQLPhil

    SSCarpal Tunnel

    Points: 4204

    Encryption's a hot topic in our business at the moment. As we're a government agency and there have been a number of high profile news releases regarding loss of data and stolen laptops, encryption is being seen as the saviour to all our problems.

    Personally I don't know enough about data enryption to get involved in the process and add anything meaningful to this discussion, but I do believe that it is important to have all the information if you're going to embark on a particular solution. I just fear I may be bursting some bubbles in the process!

  • BJ Hermsen

    Hall of Fame

    Points: 3123

    Security. Hmmmm... I had a great discussion with a customer. They are all concerned with security as they had an intrusion last fall. Understand their concern. My issue is this...

    Lock down all the applications you want. Give access to only those that need it. But remember logical security is only as strong as a sawzall or concrete saw for getting into your data center. HOw many people have false cielings in their offices. Yeah... jump on the desk. remove a tile and chances are you can go over the wall into the server room in many places. On top of that... what do you allow your employees to bring in with them... NO USB pen drives... good... oh wait... they have a bluetooth keyboard and a cell phone that does BT... oh look my 2GB microsd in my cell is larger than most thumb drives. and with bt you can have the same functioality. Or better yet... cell phone cameras. Why take all the data. Take screen shots. It is all you need.

    Socially we are very open too. Any one you write a check to has your ABA, Account and bank information. They can then order checks for you and use them. Nice eh?

    i encrypt my drive for the sole purpose of my laptop getting stolen. It will deter most people from trying. Locks keep honest people honest. If they truly want somethign they will get it.

  • Miles Neale

    SSChampion

    Points: 13147

    To date I have not encrypted my hard drives but may soon. One consideration though is that I work for a state government and at some point will have all the data/documents on the machine indexed/scanned to determine what unstructured data I have on board. At that time I will need to have all documents that would be of interest to public disclosure available to be scanned/indexed. That puts limits on what I can do.

    I have encrypted data in databases and have either written or assisted n the engineering of a number of encryption tools. Some were basic self developed encryption algorithms and others were making the language specific encryption easier with public or private key stuff. That is always needed. One the database level encryption, that is coming.

    We need to be aware of what we need and what level of protection the data we secure should be. And then we should make it at least two ticks better then what we think.

    Not all gray hairs are Dinosaurs!

  • Vivien Xing

    SSChampion

    Points: 12297

    I would like have my laptop get protected/disk encrypted. It is another layer of protection. When DBA loses a laptop, it is more than a laptop. Although there is no database/sensitive data stored in the laptop as I have no such habit. But there are softwares/tools to manage databases.

    One of my workplace, all laptops are disk encrypted. I felt a relief when I had to carry the laptop with me after work.

    It is true no matter how encryption works, there is always a way to decrypt it. But at least, the security experts are working hard on it to make it difficult. We should have secure method to protect the disk in most cases.

  • Bob Abernethy

    SSCommitted

    Points: 1946

    No I don't lock my desk. I don't keep anything valuable in there anyway.

    Oh... er... nevermind.

    :laugh:

Viewing 14 posts - 1 through 14 (of 14 total)

You must be logged in to reply to this topic. Login to reply