Understood, but encryption at rest only offers one level of protection. Without encryption in motion, there are more places for the data to be exposed.
Plus, it will be a relatively expensive activity from a performance standpoint.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jul 9, 2010 at 2:07 PM, Ziots, Edward <[email protected]> wrote:
> ASB,
>
> They are only specifying encryption of the database; we would assume it's at rest, but it has to be unencrypted when it's being utilized for the application etc. etc. to read the data from the database itself. Encryption at rest on the disk would be either SQL or the 3rd party disks; if they needed encryption for the data returned from the DB server to the application and back to the end-user, then a combination of IPSEC and SSL and strong authentication should be used, along with proper database security and auditing of user actions accordingly.
>
> I would look at it something like this:
>
> Task: Data at rest
>
> DB Server - Encryption of Backups
>
> Task: Data in motion: IPSEC between the requesting application/service and the database server (Use ESP) (assuming Web Server is the only system that is allowed to talk to DB server to request information, adjust accordingly)
>
> DB Server----IPSEC (ESP)------WEBSERVER-------SSL V3/TLSV1-----Client (2 Factor Authentication)
>
> (Strong Auditing of sensitive fields)
>
> Verification of Encrypted channel between DB and Web
>
> Protection of Web front end or middle tier from WEB application Attacks, especially XSS/CSRF and SQLI (Either Source code review and fixing, or WAF as a compensating control, until the code is fixed)
>
> No AD HOC reporting directly to the database.
>
> IPS/HIDS on the webserver/DB for defense in depth.
>
> Thoughts? Additional things you would look at in this type of architecture?
>
> Z
>
> Network Engineer
> Lifespan Organization
> Email: [email protected]
> Cell: 401-639-3505
>
> *From:* Andrew S. Baker [mailto:[email protected]]
> *Sent:* Friday, July 09, 2010 1:45 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Database Encryption
>
> The point is that you're only addressing the "data at rest" part of the requirements, not the "data in motion" part.
>
> -ASB: http://XeeSM.com/AndrewBaker
>
> On Fri, Jul 9, 2010 at 1:39 PM, Cameron Cooper <[email protected]> wrote:
>
> Looking to protect the information on the MD3000, since that's where all the data is stored and accessed from.
>
> _____________________________
> *Cameron Cooper*
> *Network Administrator | CompTIA A+ Certified*
> Aurico Reports, Inc
> Phone: 847-890-4021 | Fax: 847-255-1896
> [email protected] | www.aurico.com
>
> *From:* Ken Schaefer [mailto:[email protected]]
> *Sent:* Friday, July 09, 2010 12:26 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Database Encryption
>
> What threat are you actually trying to protect against? The application will need to access the data in cleartext (since you are not using in-field encryption of data). So, the only threat that I can see you mitigating is theft of the server, or theft of the disks in the server. You could just use Bitlocker to handle that.
>
> Cheers
> Ken
>
> *From:* Cameron Cooper [mailto:[email protected]]
> *Sent:* Saturday, 10 July 2010 1:21 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Database Encryption
>
> We have two databases that we would be moving to SQL 2008. We would need to purchase the per processor license due to clients nationwide accessing our system (i.e. checking reports).
>
> We are a pre-employment background screening company that is trying to get accredited through the NAPBS, and from what I understand, in order to become accredited we need to have the entire database encrypted.
>
> _____________________________
> *Cameron Cooper*
> *Network Administrator | CompTIA A+ Certified*
> Aurico Reports, Inc
> Phone: 847-890-4021 | Fax: 847-255-1896
> [email protected] | www.aurico.com
>
> *From:* Ziots, Edward [mailto:[email protected]]
> *Sent:* Friday, July 09, 2010 12:14 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Database Encryption
>
> Two questions,
>
> One, how many databases are you moving to SQL 2008? Maybe there is the ability to go with Enterprise Edition R2 for the transparent data encryption you are seeking, and just have 1 database cluster accordingly (Active/Passive). You don't have to go per-processor for licensing, but CAL management can be a pain otherwise. Especially if you have proxy boxes (webservers, other applications etc. etc.) connecting to the database backend, then Per Processor solves a lot of your problems.
>
> Other than that, I know that Red Gate SQL Backup and Quest's LiteSpeed can produce encrypted backups.
>
> The second question is, why do you need to encrypt the whole database? Why not just encrypt the rows with the sensitive data itself? Is this a PCI DSS requirement they want you to do? Could not the backups themselves be encrypted to meet the requirements?
>
> Just some thoughts on this thread...
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email: [email protected]
> Cell: 401-639-3505
>
> *From:* Cameron Cooper [mailto:[email protected]]
> *Sent:* Friday, July 09, 2010 12:32 PM
> *To:* NT System Admin Issues
> *Subject:* Database Encryption
>
> All,
>
> We are looking to replace our database servers with new hardware and software and will be running Windows Server 2008 R2 Enterprise Edition (64bit), with SQL Server 2008 R2 Standard on each machine. Also, each machine connects into a MD3000.
>
> What would be the best way to encrypt the entire database? I know this can be done with the enterprise version of SQL Server 2008 R2, but due to the cost per processor (for unlimited CALs), we will be going with the Standard edition.
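As an added illustration (not code from anyone on the thread) of the column-level alternative Edward raises, here is the cell-level encryption that SQL Server 2008 supports on Standard edition, where TDE is not available: only the sensitive field is stored as ciphertext under a symmetric key, so a copied data file or unencrypted backup exposes the rest of the row but not that column. The database, table, column, key and role names are assumed, and the SSN value is a constructed sample.

```sql
-- Cell-level encryption in SQL Server 2008 R2 (works in Standard edition).
-- Names below (ScreeningDB, Applicant, SsnKey, AppRole) are hypothetical.
USE ScreeningDB;
GO

-- 1. Key hierarchy: database master key -> certificate -> AES-256 symmetric key.
--    The master key is itself protected by the instance's service master key,
--    so the data file alone (without this instance) cannot unlock the column.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
CREATE CERTIFICATE SsnCert WITH SUBJECT = 'Protects the applicant SSN column key';
GO
CREATE SYMMETRIC KEY SsnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SsnCert;
GO

-- 2. Escrow the certificate and private key off-box; without it an encrypted
--    backup restored elsewhere can never decrypt the column.
BACKUP CERTIFICATE SsnCert TO FILE = 'D:\keyescrow\SsnCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keyescrow\SsnCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong escrow password>');
GO

-- 3. Only the application role may open the key; ad hoc readers see ciphertext.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::SsnKey TO AppRole;
GRANT CONTROL ON CERTIFICATE::SsnCert TO AppRole;
GO

-- 4. Ciphertext column: plaintext SSN is never persisted.
CREATE TABLE dbo.Applicant (
    ApplicantId  INT IDENTITY PRIMARY KEY,
    LastName     NVARCHAR(100) NOT NULL,
    SsnEncrypted VARBINARY(256) NOT NULL
);
GO

-- 5. Write path: key is opened per session, used, then closed.
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
INSERT dbo.Applicant (LastName, SsnEncrypted)
VALUES (N'Sample', EncryptByKey(Key_GUID('SsnKey'), N'123-45-6789'));  -- constructed value
CLOSE SYMMETRIC KEY SsnKey;
GO

-- 6. Read path for the application; a session that has not opened the key
--    gets NULL from DecryptByKey and raw bytes from the column itself.
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
SELECT ApplicantId, LastName,
       CONVERT(NVARCHAR(11), DecryptByKey(SsnEncrypted)) AS Ssn
FROM dbo.Applicant;
CLOSE SYMMETRIC KEY SsnKey;
GO
```

This covers only the at-rest half that ASB points out: the decrypted value still crosses the wire to the web tier, so the IPsec/TLS links in Edward's diagram are what protect it in motion.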
