Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: searching for encrypted fields in data columns

Re: searching for encrypted fields in data columns

From: Brian Peasland <dba_at_remove_spam.peasland.com>
Date: Mon, 1 Mar 2004 18:54:34 GMT
Message-ID: <404386EA.4D5AB0C4@remove_spam.peasland.com> 





> Why is encryption a requirement for your application? Encryption is for

> authentication and for secure communication in an insecure environment.




Not entirely so. There are many cases where encrypting the data in the
database has advantages. 



> Assuming the database server is located in a physically secure location and

> assuming you can use an encrypted network protocol what extra security

> benefit do you expect to gain from encryption in the database? 




Two reasons...



Firstly, to keep the data contents safe should your system ever be
hacked. There have been cases where data fell into the wrong hands. If
that data is in the wrong hands, should it be easily used? Those of us
who work in some federal govt sites now have a requirement to encrypt
personal information. Should a hacker gain access to credit cards,
social security numbers, etc., there are no problems if the data is
encrypted, unless you left the decryption keys out in the open too. No
matter how secure your database is, there will always be holes and
exploits that can be used to gain unwanted access. Encryption is the
next line of defense after good security policies. 



Secondly, you may want to encrypt data to secure that data even from
those who you have granted access to that data. For instance, a DBA has
basically free reign over the database and can see the data in that
database. As a DBA, do I really need to see someone's credit card number
or social security number? Of course not. The actual value of that data
is unimportant to my DBA tasks. So while I have access to the data, it
is a good idea that I can't see the real values. Therefore, encryption
is used. 



> Encrypted or

> not the data will still (only) be secured by an access control mechanism of

> some sort (a user name and password?). Why would access control be more

> secure if the data is encrypted than if it isn't?




Nothing is saying that one should bypass good access control mechanisms.
Security has many layers. If username/password were sufficient in
keeping unwanted individuals away from a machine or a database, then why
do you need a firewall? You need a firewall because userid/passwords are
not enough. You also need other methods of access control. Encrypting
the data is another method of access control. If you need access to the
data, just getting past the firewall and providing a valid
userid/password is not enough. You also need the decryption keys.




Cheers,


Brian





-- 
===================================================================

Brian Peasland
dba_at_remove_spam.peasland.com

Remove the "remove_spam." from the email address to email me.


"I can give it to you cheap, quick, and good. Now pick two out of
 the three"


Received on Mon Mar 01 2004 - 12:54:34 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US