On Sep 14, 2017, at 10:43 AM, John McKown <[email protected]> wrote:
> 
> IMO, encrypting data is a very good defense. Another good defense is
> hiring competent people rather than inexpensive people and giving them the
> time to design, code, and test their solutions. I don't have statistics,
> but many attacks are based on coding errors such as the infamous "SQL
> Injection" attacks. On the almost hilarious attacks which succeed because
> "whomever" didn't bother to configure the security on some piece of
> equipment, and left the administrator credentials as "admin/admin". Of
> course, the people & time requirements that I mentioned "cost too much" and
> "delay time to market". Today's world is based on think up something in the
> morning, design over lunch, create before dinner, ship the next morning.
> 

When I gave a presentation about encryption to our programmers a few years 
back, one thing I said was “Encryption never solves your problem. Instead, it 
transforms your problem into a different problem, which may be easier to 
solve.” (I was thinking specifically about key management, but even that’s not 
the whole story.) The important point here is that just throwing encryption at 
a security issue doesn’t resolve it. Encryption is a valuable tool that 
properly used can be a significant part of a security solution, but by itself 
doesn’t magically solve anything.

-- 
Pew, Curtis G
[email protected]
ITS Systems/Core/Administrative Services


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
