[dba-SQLServer] Re: Security & encryption

Charlotte Foust cfoust at infostatsystems.com
Tue May 10 13:11:09 CDT 2005


LOL
I had a user at the US Bureau of Reclamation who did that with his PC
login ... In spite of the rules against it.  Only he kept it on a sticky
note under his mouse pad!

Charlotte Foust


-----Original Message-----
From: Francisco Tapia [mailto:fhtapia at gmail.com] 
Sent: Tuesday, May 10, 2005 9:47 AM
To: SQL Server 2k List
Cc: dba-sqlserver at databaseadvisors.com
Subject: [dba-SQLServer] Re: Security & encryption


So data would only be as safe as the user's memory for their Pwd. So 
Technically the entire columns or rows could be encrypted within the
sproc 
and the user's choice of pwd but also w/o storing the pwd used. 

Thinking more technically on this, the entire HR dept would need access
to 
these screens right? or a certain number of people in HR would need
access, 
thus 2 or more people would possibly know the pwd, possibly writting it
down 
in a memo pad and end up storing it under their keyboard... :|




---------- Forwarded message ----------
From: Gavin <gavin at cobraball.co.uk>
Date: May 10, 2005 9:33 AM
Subject: Re: Security & encryption
To: SQL Server 2k List <sql2k at ls.sswug.org>

You could make it so part of the encryption key was a value that only
the 
user knew and had to type in every time they used the application so
even if 
you had the decryption code and the data in the database you'd never be
able 
to make clear text again.
 However if they forgot their key and you had no admin user or key then 
you'd never get your data back, in a truly secure system there's
purposely 
no way around this.
  This system would allow you to write the front end application but
still 
not read the data it handled.
      
----- Original Message ----- 
*From:* Francisco Tapia <fhtapia at gmail.com> 
*To:* SQL Server 2k List <sql2k at ls.sswug.org> 
*Cc:* roz.clarke at donnslaw.co.uk ; dba-sqlserver at databaseadvisors.com 
*Sent:* Tuesday, May 10, 2005 5:25 PM
*Subject:* Re: Security & encryption

Oh, I hadn't thought of that. If it is encrypted at the Front end, as a
DBA 
you'd still be able to get to the data tho...


On 5/10/05, Gavin <gavin at cobraball.co.uk> wrote: 
> 
> It could very easily be done if the encryption is handled purely in 
> the
> front end application.
>  While possible to encrypt a whole table you'd need to ask yourself
how 
> you'd join on its columns or write your where clauses and still
benefit from 
> the client/server model.
>  You could even encrypt everything in your SQL Server database but the

> overhead in network traffic and client processing would be huge.
>      
>  ----- Original Message -----
> *From:* Francisco Tapia <fhtapia at gmail.com> 
> *To:* SQL Server 2k List <sql2k at ls.sswug.org> 
> *Cc:* roz.clarke at donnslaw.co.uk 
> *Sent:* Tuesday, May 10, 2005 5:14 PM 
> *Subject:* Fwd: Security & encryption
> 
> I'm forwarding this message on to this list because I think the author

> of
> the original post would receive a better response from this group... I
am 
> also curious how a dba could encrypt a whole table (or set of tables)
and 
> lock themselves out of it.. :|
> 
> 
> ---------- Forwarded message ----------
> From: Roz Clarke <roz.clarke at donnslaw.co.uk>
> Date: May 10, 2005 2:04 AM
> Subject: Security & encryption 
> To: 
> Hi all
> 
> This may or may not be slightly OT... We have been asked by our HR 
> department whether it's possible for us to build a storage facility 
> for confidential data (such as salary information), that is encrypted 
> and that
> 
> neither we nor the network administrators could get into once it's 
> gone live. Ideally it would be integrated with their current 
> application which is Access 2002 FE / SQL Server 7.0 BE.
> 
> How do I build an encrypted database that I can then lock myself out 
> of
> completely?! Without locking everyone else out too (that I've done 
> before).
> 
> Management are willing to spend some money if necessary.
> 
> TIA
> 
> Roz
> 
> 

-- 
-Francisco
http://pcthis.blogspot.com |PC news with out the jargon!
http://sqlthis.blogspot.com | Tsql and More...
_______________________________________________
dba-SQLServer mailing list
dba-SQLServer at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
http://www.databaseadvisors.com




More information about the dba-SQLServer mailing list