WebApp Sec mailing list archives
RE: Encrypted storage
From: Matis <matis () vsustech com>
Date: Fri, 10 Sep 2004 17:18:15 +0300
There is another solution offered by https://safe-mail.net which does encrypt all the data at the server level and the transmission.

All the best,
Matis Cohen

-------- Original Message --------
From: "Browne, Derek" <Derek.Browne () emergis com>
Apparently from: webappsec-return-4694-matis=vsustech.com () securityfocus com
To: "Jeffrey Koniszewski" <jkoniszewski () kronos com>, <webappsec () securityfocus com>
Subject: RE: Encrypted storage
Date: Thu, 9 Sep 2004 09:40:16 -0400

Jeffrey,

It would be suicide to attempt to encrypt all the data in the database... not only would there be a huge performance hit but how would you ever perform a search?

There are a few good commercial options:
1) Oracle Obfuscation kit
2) DBEncrypt
3) NAE network attached crypto resource
4) MS SQL 2004?2005?2006? Whatever will likely have column encryption as well

Data classification is paramount and must be done on a case-by-case basis. It is very hard (impossible?) to state that data of type X must always be protected with this control. You just have to choose what is appropriate for the task - sorry to waffle.

The big problem - as with all crypto - is the key management issue. Also, most solutions protect the data at rest - when you start using it a cleartext view is created for performance reasons - it makes sense but you must be aware that your 'protected data' is clear in memory and in the swap file.

Thanks
Derek
____________________________
Derek Browne, CISSP
derek.browne () emergis com
Senior Security Consultant, CISO
BCE Emergis
905-707-4001 x4787

NOTICE : This e-mail is confidential, privileged and intended for the exclusive use of the addressee. Any other person is strictly prohibited from disclosing, distributing or reproducing it. If you have received this e-mail by mistake, please notify us immediately by telephone and delete all copies

-----Original Message-----
From: Jeffrey Koniszewski [mailto:jkoniszewski () kronos com]
Sent: Wednesday, September 08, 2004 4:39 PM
To: webappsec () securityfocus com
Subject: Encrypted storage

I was wondering (because customers have asked me) whether anyone is configuring their database to store all information encrypted. Databases have this capability but the overhead can be so heavy that vendors don't recommend using it generically. Also, if most of the data is not sensitive it is a lot of work to protect small amounts of data.

Is anyone aware of someone using this capability? Under what circumstances? What's the performance hit? What other gotchas? How about encrypted communication to the DB from the app server?

Current thread:
- Encrypted storage Jeffrey Koniszewski (Sep 08)
- Re: Encrypted storage Ido Rosen (Sep 09)
- Re: Encrypted storage Erik Kangas (Sep 09)
- Re: Encrypted storage Martin Sarsale (Sep 09)
- Re: Encrypted storage Shirokov Roman (Sep 09)
- <Possible follow-ups>
- RE: Encrypted storage Glenn_Everhart (Sep 09)
- RE: Encrypted storage Browne, Derek (Sep 10)
- RE: Encrypted storage Singh, Yashpal (Sep 10)
- RE: Encrypted storage Matis (Sep 11)