Re: Database Encryption (now required by law in Italy) - Mailing list pgsql-admin
| From | Silvana Di Martino |
|---|---|
| Subject | Re: Database Encryption (now required by law in Italy) |
| Date | |
| Msg-id | 200403052012.37564.silvanadimartino@tin.it |
| In response to | Re: Database Encryption (now required by law in Italy) (Mitch Pirtle <mitchy@spacemonkeylabs.com>) |
| Responses | Re: Database Encryption (now required by law in Italy); Re: Database Encryption (now required by law in Italy) |
| List | pgsql-admin |
At 15:00, Friday 5 March 2004, Mitch Pirtle wrote:
> My question is much more basic than that: Why encrypt anything beyond
> passwords? If you secure the accounts on the machine, and encrypt all
> network traffic to the machine (ssh, scp, ssl) then what additional
> security can you add?

The following:

- protect your data from the "prying eyes" of your SysAdmins (our law imposes this kind of protection)
- protect your data in case of hardware theft

> I have servers in remote facilities all over the world. It is just not
> possible for me to fly to each datacenter to be there at boot time when
> I upgrade the kernel. I'd love the travel, but it is not feasible.

Technically speaking, this is not required:

- we could have a boot system that requires the password on the net from a "password server" or a human. A few network-based booting systems for diskless workstations do something like that already. We just need a network-based password system similar to Kerberos or DHCP. It does not exist yet, and it will be hard to implement, but it can be created.

> Second, hard-disk encryption will only come into play if someone stole
> the hardware, right? And even then, as long as the thing boots, then
> they would have access! That is, unless we went back to the
> human-required-at-boot scenario.

See above. The laptop must ask for a password on the net. You just lock the password of any stolen/missing PC on your password server.

> As a former CSO for an 18000-person company, I'm a horribly paranoid
> person when it comes to security; but security that is easily bypassed
> (or difficult-to-impossible to enforce) is just added effort, isn't it?

That's why I did not vote for Berlusconi: he is prone to enforce this kind of "security"... ;-)

> Here is an idea to beat up on: how about having the end user of the
> application supply the key that is used to decrypt their data, and only
> their data? Take your basic, garden variety PHP website, for example.
>
> When the user is given an account, they are also given a password. This
> password is also used as the key for the (blowfish, via mcrypt maybe?)
> encryption of the data that gets stored for that person. If you do not
> have that key, then you cannot decrypt their data. To boot, their key
> is useless for everyone else's data as they used their own...

This is not a solution: "delegated operators" must be able to access the data without bothering the data "owner" (that is: the person described by the data). They cannot (and must not) ask the owner to grant them access to the data every time they need to use them.

> Excellent discussion, maybe we could all come up with a sort of best
> practices for PostgreSQL and security :)

I do hope so: this problem is going to affect a lot of SysAdmins EU-wide and deserves a standard solution.

See you

BTW: if you have a USA-based company and collect info regarding Italian people, you have to comply with this absurd Italian law. Funny, isn't it?

-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni@interfree.it
silvanadimartino@tin.it
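The per-user scheme Mitch proposes, and the limitation Silvana raises against it, can both be seen in a few PostgreSQL statements. The following is an added example, not code from anyone in this thread; it assumes the pgcrypto contrib module (its `crypt`, `gen_salt`, `pgp_sym_encrypt` and `pgp_sym_decrypt` functions), and the table, user name, passphrase and profile text are constructed sample values.

```sql
-- Added example: a user's own passphrase is the only key to their record.
-- Assumes the pgcrypto contrib module is installed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE person (
    id          serial PRIMARY KEY,
    username    text  NOT NULL UNIQUE,
    -- For login checks only: a salted Blowfish-based hash, never the passphrase.
    pw_hash     text  NOT NULL,
    -- The sensitive fields, symmetrically encrypted under the user's passphrase.
    profile_enc bytea NOT NULL
);

-- Enrolment: the application sees the passphrase once, at signup, and stores
-- nothing from which it can be recovered. (Constructed sample values.)
INSERT INTO person (username, pw_hash, profile_enc)
VALUES ('mario',
        crypt('correct horse battery', gen_salt('bf')),
        pgp_sym_encrypt('fiscal code: XXXXXX00X00X000X', 'correct horse battery'));

-- Normal use: the owner logs in and the same passphrase unlocks the row.
SELECT pgp_sym_decrypt(profile_enc, 'correct horse battery') AS profile
  FROM person
 WHERE username = 'mario'
   AND pw_hash = crypt('correct horse battery', pw_hash);

-- What a SysAdmin with full table access (or a thief with the disk) sees:
-- only ciphertext, which is the "prying eyes" and hardware-theft protection.
SELECT username, encode(profile_enc, 'hex') AS profile_ciphertext
  FROM person;

-- The limitation from the reply: a "delegated operator" who does not hold the
-- owner's passphrase cannot read the record at all. This call fails with an
-- error rather than returning plaintext.
SELECT pgp_sym_decrypt(profile_enc, 'operator-has-no-passphrase')
  FROM person
 WHERE username = 'mario';
```

Note that the two uses of the passphrase are deliberately separate: `crypt` with a `bf` salt yields a one-way hash for authentication, while `pgp_sym_encrypt` derives a cipher key from the passphrase inside the message itself, so a copy of `pw_hash` gives an attacker no way to decrypt `profile_enc`. The last statement is what makes the scheme unworkable for the case the reply describes: any operator who must process the data on the owner's behalf would need the owner's passphrase, which is exactly what the scheme set out to withhold.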