Firewall Wizards mailing list archives
Re: DMZ databases
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 30 Mar 2000 07:30:11 -0800 (PST)
On Wed, 29 Mar 2000, Scott, Richard wrote:
Greetings all, I was wondering what forms of database security anyone out there is currently recommending for Customer held information in public databases. One example could be Social Security numbers, another would be Credit Card information and so on. I have seen some solutions use the SQL encrypt/decrypting (e/d) of a stored procedure to access this information. However, in the event that the SQL box is compromised internally, this isn't effective. Using symmetric encryption is the problem. Where do we store the keys, and if we write a procedure to e/d the data, surely this could be executed by the person compromising the Database.
Depends on what you need to do with the data. If you need the data in the clear, then the app needs to be able to decrypt it, no way around it. For example, if you're trying to allow customers to make purchases via credit card, and not have to re-enter the card each time, then someone has to store the card number somewhere. Some places would like that to be on a credit card clearing service's server, on the assumption that they are more careful with that stuff. If you only need to verify or look up based on the customer giving you a SSN or CC# each time they come in, à la a password, then you can store a hash of it.

Ryan
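The "store a hash of it" case from the reply above, worked through as an added example (not code from the original thread or from either poster). It assumes a hypothetical application-side secret `LOOKUP_KEY` and an in-memory `CustomerDirectory` standing in for the DMZ table. One deliberate change from a bare hash: because a 9-digit SSN or 16-digit card number has a small input space, the token is a keyed hash (HMAC-SHA256) under a key the database never holds, so a dump of the SQL box alone cannot be turned back into identifiers. The directory can answer "who presented this?" and "does this match?" but, as the reply points out, it can never return the original value, which is exactly why this approach does not fit the "reuse the card next time" case.

```python
import hashlib
import hmac

# Constructed application-side secret for this example only. In practice it is
# generated once (e.g. secrets.token_bytes(32)) and kept outside the database
# (application key store), so the SQL server alone cannot recompute tokens.
LOOKUP_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def normalize(identifier: str) -> bytes:
    """Keep digits only, so '123-45-6789' and '123456789' yield one token."""
    return "".join(ch for ch in identifier if ch.isdigit()).encode("ascii")


def lookup_token(identifier: str, key: bytes = LOOKUP_KEY) -> str:
    """HMAC-SHA256 of the normalized identifier under the application key.

    An unkeyed hash is a poor stand-in for a short numeric identifier because
    the input space is small enough to enumerate; the secret key makes the
    stored token useless to anyone who holds only the database contents.
    """
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()


class CustomerDirectory:
    """Hypothetical stand-in for the DMZ table: it stores tokens, never the
    clear SSN or card number. It can look up and verify, not decrypt."""

    def __init__(self):
        self._customer_by_token = {}
        self._token_by_customer = {}

    def enroll(self, customer_id: str, identifier: str) -> None:
        token = lookup_token(identifier)
        self._customer_by_token[token] = customer_id
        self._token_by_customer[customer_id] = token

    def find(self, identifier: str):
        """Look up the customer who presents this identifier; None if unknown."""
        return self._customer_by_token.get(lookup_token(identifier))

    def verify(self, customer_id: str, identifier: str) -> bool:
        """Password-style check: does the presented value match this customer?
        compare_digest keeps the comparison constant-time."""
        stored = self._token_by_customer.get(customer_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, lookup_token(identifier))


def demo() -> bool:
    """Enroll constructed sample records and exercise lookup and verification."""
    directory = CustomerDirectory()
    directory.enroll("cust-1001", "123-45-6789")          # constructed SSN
    directory.enroll("cust-1002", "4111 1111 1111 1111")  # constructed card number
    ok = directory.find("123456789") == "cust-1001"
    ok &= directory.verify("cust-1002", "4111111111111111")
    ok &= not directory.verify("cust-1002", "4111111111111112")
    ok &= directory.find("000-00-0000") is None
    return ok


if __name__ == "__main__":
    print("demo ok" if demo() else "demo FAILED")
```

Normalization happens before hashing so that formatting differences in what the customer types do not produce a lookup miss; `verify` uses `hmac.compare_digest` rather than `==` so that a mismatch does not leak how many leading characters of the token agreed.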
Current thread:
- Re: DMZ databases Ryan Russell (Apr 10)
- <Possible follow-ups>
- RE: DMZ databases Scott, Richard (Apr 10)
- RE: DMZ databases Ryan Russell (Apr 10)