Re: Database Encryption (now required by law in Italy)

From: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
To: Radu-Adrian Popescu <radu(dot)popescu(at)aldratech(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Database Encryption (now required by law in Italy)
Date: 2004-03-05 12:52:05
Message-ID: 200403051245.10681.silvanadimartino@tin.it
Lists: pgsql-admin

At 09:10, Friday 5 March 2004, Radu-Adrian Popescu wrote:
> Are you sure you need to encrypt the _database_ ? It seems strange to
> require encryption of all the data, as you would get using LoopAES. I
> think you only need to decide (and probably the privacy protection law
> stipulates this) what data you need to encrypt and store that data
> encrypted in the database; such as customers' names, addresses, social
> data, payment data and so on. On the other hand, I think you should be
> doing this anyway. I know we are :-)

Deciding which data are relevant is not easy. The law stipulates that all of
the "personal data" have to be encrypted and that "personal data" are the
data that allow a "spy" to infer any of the following information about a
person:
- identity
- age
- health status
- political orientation
- religious faith
- address
- phone number
- email address
- and a few more...
As you can see, almost everything is "personal data". At least, almost
everything worth storing in a database is.

We just think it is easier and safer to encrypt the whole database, or even
the whole disk, than try to understand what the law actually means.

At the moment, our data are on a server protected by a firewall and accessible
just by authorized people. This was clearly declared as being "sufficient" by
the Italian law until December 2003. The new law, instead, clearly states
that personal data have to be encrypted even when stored in a safe place like
that.

See you
-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni(at)interfree(dot)it
silvanadimartino(at)tin(dot)it
