Re: Securing encrypted data in RAM vs MSSQL

[Lucas Holt <luke () foolishgames com>]

> > Hello All,
> >
> > Is anyone aware of a way to store encrypted sensitive data in RAM for
> > access via a web application using ASP?  It would be posted in the
> > same manner. Is storing in RAM preferable to using an encrypted
> > database, in this case SQL 2000?
> > Is there anyway to securely delete or timeout the data after a
> > certain period of time?
> > If you discard the data are there potential problems with California
> > SB 1386 and being able to track intrusions and possible data
> > compromise?
> >
> > I'm not a developer, but want a better solution than what the
> > developers and client have proposed.

Storing data in ram presents some issues.  First, if you need to save 
the data for reuse long term then it must be backed up on some type of 
media like a DVD or hard disk.  When the power goes out, you lose the 
data if its in ram.  Second, if you are trying to prevent it from being 
accessible to attack then memory storage is no guarantee.  you must 
have a data structure to store the data and therefore it can be 
obtained by attacking your app just as someone could attack a sql 
server.  Anything in memory is still accessible to someone who gets 
access to the box via webserver vulnerabilities, os vulnerabilites, 
etc.  It doesn't really save you much.  Third, you are limited to x 
number of connections based on the amount of ram and size of the 
session you wish to store.  Granted other factors limit the number of 
concurrent users like bandwidth, etc.




Lucas Holt
Luke () FoolishGames com
________________________________________________________
FoolishGames.com  (Jewel Fan Site)
JustJournal.com (Free blogging)