John Mattson wrote:
Encrypting everything which goes out of the data center is expensive and/or uses lots of resources (same thing really), takes time, and complicates your disaster recovery. In addition, none of these "encrypt all tape" solutions deals with threats inside the company, either employees, or hackers. So what's a better solution? Just how much data really NEEDS encryption? I submit for most businesses (e.g. not financial institutions), very little.
As you mentioned credit cards, this is a good example of when field encryption is used. It is a MUST. You are obliged to encrypt PIN numbers, so even people like database administrators cannot read them. Otherwise you won't get authorization from VISA/Mastercard/others. In many cases external "encryption boxes" are used for this purpose. In z/OS it is possible to use ICSF with encryption cards. Other fields, like customer passwords, can be encrypted "one-way"; however - again - encryption is a must.
Credit card numbers, and perhaps, names. If names are encrypted everything else, address, phone, and even credit cards become pretty much useless. Remember how often you are asked for "your name, as it appears on the credit card".
It was discussed in the past. Names, phone numbers and street addresses are available in the telephone book in Poland; in other countries it is at least name and phone no. Your name and card number are available to everyone who receives the payment. Even the U.S. SSN is available to many people - you provide the number when asked. It is no secret in fact. However, even non-sensitive data, when collected in huge amounts, are considered secret. It is quite irrelevant why. Business, the people, consider such data loss as the loss of some secret. They DEMAND protection of bulk amounts of data. A similar problem was mentioned many times on the list: "user has read access to DATASET.A, how can I prevent from downloading the dataset using ftp or ind$file". So, the user can read the file, can note some data on a sheet of paper (or use his brain as memory), but he is not allowed to download the whole file.
<joke> Customer database of Telco was lost! That could mean I lost my phonebook... </joke>
--
Radoslaw Skorupka
Lodz, Poland
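The "one-way" protection of a single field mentioned in the reply above, shown as an added example that is not part of the original posts. The record layout, the field names and the PBKDF2 work factor are assumptions; PIN encryption in hardware (ICSF, external boxes) is not covered here.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
ITERATIONS = 600_000

def protect_record(record: dict) -> dict:
    """Return the row as it would be stored: every field is kept in the
    clear except the password, which is replaced by a salted one-way
    verifier that a database administrator cannot turn back into the
    password."""
    stored = {k: v for k, v in record.items() if k != "password"}
    salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", record["password"].encode("utf-8"), salt, ITERATIONS)
    stored["pw_salt"] = salt.hex()
    stored["pw_hash"] = digest.hex()
    stored["pw_iter"] = ITERATIONS  # kept so the factor can be raised later
    return stored

def verify_password(stored: dict, candidate: str) -> bool:
    """Recompute the verifier for a login attempt and compare in constant time."""
    salt = bytes.fromhex(stored["pw_salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, stored["pw_iter"])
    return hmac.compare_digest(digest, bytes.fromhex(stored["pw_hash"]))

# Constructed sample record (not real customer data).
SAMPLE = {
    "customer_id": 1001,
    "name": "Jan Kowalski",
    "phone": "+48 42 555 0100",
    "password": "correct horse battery staple",
}

if __name__ == "__main__":
    row = protect_record(SAMPLE)
    print(row)  # what someone with read access to the table sees
    print(verify_password(row, SAMPLE["password"]))
    print(verify_password(row, "guess"))
```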

