Thanks for your responses. Thanks for the things to think about in terms of security and encryption.

Our infrastructure is that our company provides online software and we will host the application and database. The only way the clients can access the database is through the software, where we have lots of security. We will not have to access any of their data, unless it is for bug fixing etc.

We also provide it in a top security hosting environment, so the protection I had in mind was in case someone hacked into it over the network (I am sure I should be thinking more in terms of firewalls when it comes to this). Is there anything else in terms of this threat that we need to think about?

I don't think we will ever need to allow our clients to store offsite backup media, but we will still encrypt all backup media, so this shouldn't be an issue.

Does it appear there are any threats I am missing, or should be programming for?

Good point that the encryption key will be in the software. We also separate the ColdFusion app from the database and they are stored on separate servers, so we could manage who has access to what servers and encrypt the database fields; then it could provide additional security against internal threats.

Have I got it right that encrypting certain fields in the database for external security is only worth it if we feel that someone could steal the server?

I really appreciate your help with this.

Richard

> > However, what do you do with the live database?
>
> You can't effectively encrypt the database itself. You could encrypt
> and decrypt field values from within CF, but that doesn't guarantee
> the security of your data, as the encryption key would be stored
> within your CF app.
>
> > I don't know much about this area and would appreciate any guidance
> > on what I need to be looking at, searching for, and thinking about.
>
> The most important question is, what threats are you trying to protect
> against?
>
> Are you concerned with internal threats? Rogue database
> administrators? Someone getting access to offsite backup media? Those
> are the typical threat profiles that would provide justification for
> database encryption.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314177

