Re: Database Encryption (now required by law in Italy)

From: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
To: Mitch Pirtle <mitchy(at)spacemonkeylabs(dot)com>, Matt Davies <matt(at)mattdavies(dot)net>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Database Encryption (now required by law in Italy)
Date: 2004-03-05 20:12:37
Message-ID: 200403052012.37564.silvanadimartino@tin.it
Lists: pgsql-admin

At 15:00, Friday 5 March 2004, Mitch Pirtle wrote:
> My question is much more basic than that: Why encrypt anything beyond
> passwords? If you secure the accounts on the machine, and encrypt all
> network traffic to the machine (ssh, scp, ssl) then what additional
> security can you add?

The following:
- protect your data from the "prying eyes" of your SysAdmins (our law imposes
this kind of protection)
- protect your data in case of hardware theft

> I have servers in remote facilities all over the world. It is just not
> possible for me to fly to each datacenter to be there at boot time when
> I upgrade the kernel. I'd love the travel, but it is not feasible.

Technically speaking, this is not required:
- we could have a boot system that requires the password on the net to a
"password server" or a human. A few network-based booting systems for
diskless workstations do something like that already. We just need a
network-based password system similar to Kerberos or DHCP. It does not exist
yet, and it will be hard to implement, but it can be created.

> Second, hard-disk encryption will only come into play if someone stole
> the hardware, right? And even then, as long as the thing boots, then
> they would have access! That is, unless we went back to the
> human-required-at-boot scenario.

See above. The laptop must ask for a password on the net. You just lock the
password of any stolen/missing PC on your password server.

> As a former CSO for an 18000-person company, I'm a horribly paranoid
> person when it comes to security; but security that is easily bypassed
> (or difficult-to-impossible to enforce) is just added effort, isn't it?

That's why I did not vote Berlusconi: he is prone to enforce this kind of
"security"... ;-)

> Here is an idea to beat up on: how about having the end user of the
> application supply the key that is used to decrypt their data, and only
> their data? Take your basic, garden variety PHP website, for example.
>
> When the user is given an account, they are also given a password. This
> password is also used as the key for the (blowfish, via mcrypt maybe?)
> encryption of the data that gets stored for that person. If you do not
> have that key, then you cannot decrypt their data. To boot, their key
> is useless for everyone else's data as they used their own...

This is not a solution: "delegated operators" must be able to access the data
without bothering the data "owner" (that is: the person described by the
data). They cannot (and must not) ask the owner to grant them access to the
data every time they need to use them.

> Excellent discussion, maybe we could all come up with a sort of best
> practices for PostgreSQL and security :)

I do hope so: this problem is going to affect a lot of SysAdmins EU-wide and
deserves a standard solution.

See you

BTW: if you have a USA-based company and collect info regarding Italian
people, you have to comply with this absurd Italian law. Funny, isn't it?

-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni(at)interfree(dot)it
silvanadimartino(at)tin(dot)it
