Understood, but encryption at rest only offers one level of protection.

Without encryption in motion, there are more places for the data to be
exposed.

Plus, it will be a relatively expensive activity from a performance
standpoint.

-ASB: http://XeeSM.com/AndrewBaker


On Fri, Jul 9, 2010 at 2:07 PM, Ziots, Edward <[email protected]> wrote:

> ASB,
>
> They are only specifying encryption of the database, we would assume it's at
> rest, but it has to be unencrypted when it's being utilized for the
> application etc. etc. to read the data from the database itself.  Encryption
> at rest on the disk would be either SQL or the 3rd party disks; if they
> needed encryption for the data returned from the DB server to the
> application and back to the end-user, then a combination of IPSEC and SSL
> and strong authentication should be used, along with proper database
> security and auditing of user actions accordingly.
>
> I would look at it something like this:
>
> Task: Data at rest
>
> DB Server – Encryption of Backups
>
> Task: Data in motion: IPSEC between the requesting application/service and
> the database server (Use ESP) (assuming Web Server is the only system that is
> allowed to talk to DB server to request information, adjust accordingly)
>
> DB Server----IPSEC (ESP)------WEBSERVER-------SSL V3/TLSV1-----Client (2 Factor Authentication)
>
> (Strong Auditing of sensitive fields)
>
> Verification of Encrypted channel between DB and Web
>
> Protection of Web front end or middle tier from WEB application Attacks,
> especially XSS/CSRF and SQLI (Either Source code review and fixing, or WAF
> as a compensating control, until the code is fixed)
>
> No AD HOC reporting directly to the database.
>
> IPS/HIDS on the webserver/DB for defense in depth.
>
> Thoughts? Additional things you would look at in this type of architecture?
>
> Z
>
> Network Engineer
>
> Lifespan Organization
>
> Email: [email protected]
>
> Cell: 401-639-3505
>
> *From:* Andrew S. Baker [mailto:[email protected]]
> *Sent:* Friday, July 09, 2010 1:45 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Database Encryption
>
> The point is that you're only addressing the "data at rest" part of the
> requirements, not the "data in motion" part.
>
>
> -ASB: http://XeeSM.com/AndrewBaker
>
> On Fri, Jul 9, 2010 at 1:39 PM, Cameron Cooper <[email protected]> wrote:
>
> Looking to protect the information on the MD3000, since that’s where all
> the data is stored and accessed from.
>
> _____________________________
>
> *Cameron Cooper*
>
> *Network Administrator | CompTIA A+ Certified*
>
> Aurico Reports, Inc
>
> Phone: 847-890-4021 | Fax: 847-255-1896
>
> [email protected] | www.aurico.com
>
> *From:* Ken Schaefer [mailto:[email protected]]
> *Sent:* Friday, July 09, 2010 12:26 PM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Database Encryption
>
> What threat are you actually trying to protect against? The application
> will need to access the data in cleartext (since you are not using in-field
> encryption of data). So, the only threat that I can see you mitigating is
> theft of the server, or theft of the disks in the server. You could just use
> BitLocker to handle that.
>
> Cheers
>
> Ken
>
> *From:* Cameron Cooper [mailto:[email protected]]
> *Sent:* Saturday, 10 July 2010 1:21 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Database Encryption
>
> We have two databases that we would be moving to SQL 2008.  We would need
> to purchase the per processor license due to clients nationwide accessing
> our system (i.e. checking reports).
>
> We are a pre-employment background screening company that is trying to get
> accredited through the NAPBS, and from what I understand in order to become
> accredited we need to have the entire database encrypted.
>
> _____________________________
>
> *Cameron Cooper*
>
> *Network Administrator | CompTIA A+ Certified*
>
> Aurico Reports, Inc
>
> Phone: 847-890-4021 | Fax: 847-255-1896
>
> [email protected] | www.aurico.com
>
> *From:* Ziots, Edward [mailto:[email protected]]
> *Sent:* Friday, July 09, 2010 12:14 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Database Encryption
>
> Two questions,
>
> One, how many databases are you moving to SQL 2008? Maybe there is the
> ability to go with Enterprise Edition R2 for the transparent data
> encryption you are seeking, and just have 1 database cluster accordingly
> (Active/Passive).  You don’t have to go per-processor for licensing, but CAL
> management can be a pain otherwise, especially if you have proxy boxes
> (webservers, other applications etc. etc.) connecting to the database backend;
> then Per Processor solves a lot of your problems.
>
> Other than that, I know that Red Gate SQL Backup and Quest's LiteSpeed can
> produce encrypted backups.
>
> The second question is why do you need to encrypt the whole database? Why
> not just encrypt the rows with the sensitive data itself? Is this a PCI DSS
> requirement they want you to do? Could not the backups themselves be
> encrypted to meet the requirements?
>
> Just some thoughts on this thread…
>
> Z
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email: [email protected]
>
> Cell: 401-639-3505
>
> *From:* Cameron Cooper [mailto:[email protected]]
> *Sent:* Friday, July 09, 2010 12:32 PM
> *To:* NT System Admin Issues
> *Subject:* Database Encryption
>
> All,
>
> We are looking to replace our database servers with new hardware and
> software and will be running Windows Server 2008 R2 Enterprise Edition
> (64-bit), with SQL Server 2008 R2 Standard on each machine.  Also, each
> machine connects into an MD3000.
>
> What would be the best way to encrypt the entire database?  I know this can
> be done with the enterprise version of SQL Server 2008 R2, but due to the
> cost per processor (for unlimited CALs), we will be going with the Standard
> edition.

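Ed's suggestion of encrypting only the rows that hold sensitive data, together with his "Verification of Encrypted channel between DB and Web" item, as an added T-SQL example that is not from any poster in the thread. SQL Server's cell-level encryption (EncryptByKey/DecryptByKey) is available in Standard edition, unlike TDE; ScreeningDB, dbo.Applicant and AppUser are constructed names, and the password is a placeholder.

```sql
-- Added example, not from any message in the thread. Constructed names:
-- database ScreeningDB, table dbo.Applicant, database user AppUser.
USE ScreeningDB;
GO
-- 1. Key hierarchy: database master key -> certificate -> AES symmetric key.
--    Back up the master key and certificate offline; without them the
--    ciphertext is unrecoverable, including from restored backups.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
CREATE CERTIFICATE ApplicantCert WITH SUBJECT = 'Applicant column encryption';
CREATE SYMMETRIC KEY ApplicantKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE ApplicantCert;
GO
-- 2. Only the sensitive column is stored as ciphertext.
CREATE TABLE dbo.Applicant (
    ApplicantId int IDENTITY(1,1) PRIMARY KEY,
    FullName    nvarchar(100)  NOT NULL,
    SSN_Enc     varbinary(128) NOT NULL   -- output of EncryptByKey
);
-- 3. Least privilege: only the application user may open the key.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::ApplicantKey TO AppUser;
GRANT CONTROL ON CERTIFICATE::ApplicantCert TO AppUser;
GO
-- 4. Write path: open the key, encrypt, close it again.
OPEN SYMMETRIC KEY ApplicantKey DECRYPTION BY CERTIFICATE ApplicantCert;
INSERT INTO dbo.Applicant (FullName, SSN_Enc)
VALUES (N'Sample Person',                                -- constructed row
        EncryptByKey(Key_GUID('ApplicantKey'), N'000-00-0000'));
CLOSE SYMMETRIC KEY ApplicantKey;
-- 5. Read path: DecryptByKey returns NULL, not plaintext, unless the caller
--    could open the key.
OPEN SYMMETRIC KEY ApplicantKey DECRYPTION BY CERTIFICATE ApplicantCert;
SELECT ApplicantId, FullName,
       CONVERT(nvarchar(11), DecryptByKey(SSN_Enc)) AS SSN
FROM dbo.Applicant;
CLOSE SYMMETRIC KEY ApplicantKey;
GO
-- 6. Verify the channel: encrypt_option reports SQL Server's own SSL on the
--    TDS connection only; IPsec ESP is transparent to SQL Server and must be
--    verified on the host.
SELECT session_id, client_net_address, net_transport, encrypt_option
FROM sys.dm_exec_connections
WHERE encrypt_option = 'FALSE';   -- any row here is an unencrypted client
```

Ken's point still applies: the application reads plaintext, so the control that matters is who can open the key, not the ciphertext on the MD3000.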