> I have just received a new project that requires very sensitive information about assault victims to be stored in a SQL 2K database. I have already gotten the SSL up and running, but can anyone give me some ideas as to how you might securely store/encrypt that information in the database, such as full names, SSNs, addresses, etc.
This is a very complicated question, and any answers you get here are bound to be less than complete. Basically, though, the answers will depend on your threat profile. Specifically, what are the specific security problems that you're worried about?

If you're worried about people from the outside getting access to this data, you will be concerned about encryption from within your application server, and key management within your application server. You can encrypt values from within CF and store them within the database, but your application server would presumably require the ability to decrypt those values later, so you'd need to store the key(s) used to encrypt and decrypt values within your application server code. Someone who compromises your server may be able to acquire those keys and decrypt values.

One potential solution to this would be to have separate environments for encrypting and decrypting values - for example, you might accept values from a public server, which could have an encryption key, but you might limit viewing those encrypted records to a completely separate server, which would possess the decryption key. That would obviously require separate keys for both (http://en.wikipedia.org/wiki/Public_key).

If you're worried about people within your organization getting access to this data, you will be concerned about limiting and segmenting administrative access to application server code and databases. You may also be concerned about encrypting network traffic between your application and database servers. Of course, everybody's concerned with the former at the expense of the latter, even though most security incidents involve your own employees rather than some big bad hacker.

> I am using CF 6.1

You won't want to rely on CF 6.1's built-in encryption functionality, then. CF7 or higher include industry-standard encryption functionality.
Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/
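The split-environment design Dave describes, as an added example that is not part of the original thread or of any ColdFusion product: a public intake server is provisioned with only an RSA public key and seals each record with a fresh AES-256-GCM data key that it then wraps with RSA-OAEP, and a separate viewing server holding the private key is the only host that can unwrap and decrypt. It is written in Go so it runs stand-alone with only the standard library; the type and function names (VictimRecord, SealedRecord, NewViewingKey, Seal, Open) and the sample record are hypothetical and constructed for the example, not taken from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// VictimRecord holds the fields the question lists; the sample values in main are constructed.
type VictimRecord struct {
	FullName string `json:"full_name"`
	SSN      string `json:"ssn"`
	Address  string `json:"address"`
}

// SealedRecord is all the intake server writes to the database: no plaintext, no decrypting key.
type SealedRecord struct {
	WrappedKey []byte // per-record AES-256 key, RSA-OAEP encrypted to the viewing server's public key
	Nonce      []byte // AES-GCM nonce, fresh per record
	Ciphertext []byte // AES-GCM ciphertext plus tag over the JSON-encoded record
}

// NewViewingKey is run once on the viewing server; only its PublicKey is copied to intake.
func NewViewingKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs on the public-facing intake server, which holds only the RSA public
// key: a compromise there yields sealed rows and a public key, nothing that decrypts.
func Seal(pub *rsa.PublicKey, rec VictimRecord) (SealedRecord, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return SealedRecord{}, err
	}
	dataKey := make([]byte, 32) // AES-256 key for this one record
	if _, err := rand.Read(dataKey); err != nil {
		return SealedRecord{}, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return SealedRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil) // only the private key can unwrap
	if err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs only on the separate viewing server that holds the RSA private key.
func Open(priv *rsa.PrivateKey, s SealedRecord) (VictimRecord, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return VictimRecord{}, fmt.Errorf("unwrap data key (wrong private key or corrupt row): %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return VictimRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return VictimRecord{}, err
	}
	plaintext, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil) // rejects any modification of the row
	if err != nil {
		return VictimRecord{}, fmt.Errorf("record failed authentication: %w", err)
	}
	var rec VictimRecord
	err = json.Unmarshal(plaintext, &rec)
	return rec, err
}

func main() {
	priv, err := NewViewingKey()
	if err != nil {
		panic(err)
	}
	rec := VictimRecord{FullName: "Jane Doe", SSN: "000-00-0000", Address: "1 Example St"} // constructed sample
	sealed, err := Seal(&priv.PublicKey, rec)
	if err != nil {
		panic(err)
	}
	got, err := Open(priv, sealed)
	fmt.Printf("intake stored %d ciphertext bytes; viewing server recovered %+v (err=%v)\n", len(sealed.Ciphertext), got, err)
}
```

The three byte fields of SealedRecord are what go into the database columns. Two caveats a practitioner would want: this design deliberately makes the intake server unable to read what it stored, so any search or lookup on SSN or name has to happen on the viewing side, and the private key must never be deployed to the public host (put it in the viewing server's key store, not in application code). In ColdFusion the same split can be built by calling the Java crypto classes from CF, since CF's own encrypt() only does symmetric encryption.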