At 15:00, Friday 5 March 2004, Mitch Pirtle wrote:
> My question is much more basic than that: Why encrypt anything beyond
> passwords? If you secure the accounts on the machine, and encrypt all
> network traffic to the machine (ssh, scp, ssl) then what additional
> security can you add?
The following:
- protect your data from the "prying eyes" of your SysAdmins (our law imposes
this kind of protection)
- protect your data in case of hardware theft
> I have servers in remote facilities all over the world. It is just not
> possible for me to fly to each datacenter to be there at boot time when
> I upgrade the kernel. I'd love the travel, but it is not feasible.
Technically speaking, this is not required:
- we could have a boot system that requires the password on the net to a
"password server" or a human. A few network-based booting systems for
diskless workstations do something like that already. We just need a
network-based password system similar to Kerberos or DHCP. It does not exist
yet, and it will be hard to implement, but it can be created.
> Second, hard-disk encryption will only come into play if someone stole
> the hardware, right? And even then, as long as the thing boots, then
> they would have access! That is, unless we went back to the
> human-required-at-boot scenario.
See above. The laptop must ask for a password on the net. You just lock the
password of any stolen/missing PC on your password server.
> As a former CSO for an 18000-person company, I'm a horribly paranoid
> person when it comes to security; but security that is easily bypassed
> (or difficult-to-impossible to enforce) is just added effort, isn't it?
That's why I did not vote Berlusconi: he is prone to enforce this kind of
"security"... ;-)
> Here is an idea to beat up on: how about having the end user of the
> application supply the key that is used to decrypt their data, and only
> their data? Take your basic, garden variety PHP website, for example.
>
> When the user is given an account, they are also given a password. This
> password is also used as the key for the (blowfish, via mcrypt maybe?)
> encryption of the data that gets stored for that person. If you do not
> have that key, then you cannot decrypt their data. To boot, their key
> is useless for everyone else's data as they used their own...
This is not a solution: "delegated operators" must be able to access the data
without bothering the data "owner" (that is: the person described by the
data). They cannot (and must not) ask the owner to grant them access to the
data every time they need to use them.
> Excellent discussion, maybe we could all come up with a sort of best
> practices for PostgreSQL and security :)
I do hope so: this problem is going to affect a lot of SysAdmins EU-wide and
deserves a standard solution.
See you
BTW: if you have a USA-based company and collect info regarding Italian
people, you have to comply with this absurd Italian law. Funny, isn't it?
-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
[EMAIL PROTECTED]
[EMAIL PROTECTED]
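The "user's password is the key" scheme quoted above, and the delegated-operator problem the reply raises against it, as an added example that is not code from the thread or from any project discussed in it. To run on the Python standard library alone, the cipher is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag, standing in for the Blowfish-via-mcrypt the proposal mentions; the salted PBKDF2 step, the function names (store_user_record, read_record), the iteration count and the sample record are all constructed for illustration and carry no claim about how the original poster's PHP site would be written.

```python
"""Added example (not from the thread): the "user's password is the key"
scheme from the quoted proposal, and the failure mode the reply raises.
Everything here is constructed for illustration.  The cipher is an
HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag,
chosen so the example runs on the standard library alone; it stands in
for the Blowfish-via-mcrypt the proposal mentions.
"""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 100_000  # assumption: PBKDF2 work factor, not from the thread
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the login password into a 32-byte key (PBKDF2-HMAC-SHA256).

    The proposal feeds the password straight into Blowfish; a salted KDF is
    the minimum hardening a practitioner would insist on, and it does not
    change the property under discussion: whoever lacks the password lacks
    the key.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the record key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def store_user_record(password: str, data: bytes) -> dict:
    """What the site would write to the database for one user: a per-user
    salt and the encrypted record.  The password itself is never stored."""
    salt = os.urandom(16)
    return {"salt": salt, "blob": encrypt_record(derive_key(password, salt), data)}


def read_record(record: dict, password: str) -> Optional[bytes]:
    """Try to read a stored record with whatever password the caller holds.
    The owner succeeds; a delegated operator holding a different password
    gets None, which is the objection raised in the reply."""
    return decrypt_record(derive_key(password, record["salt"]), record["blob"])


if __name__ == "__main__":
    # Constructed sample: one user's personal data, as the site might store it.
    record = store_user_record("owner-secret", b"name=Mario Rossi;dob=1970-01-01")
    print("owner reads:   ", read_record(record, "owner-secret"))
    print("operator reads:", read_record(record, "operator-secret"))  # None
```

The second call returns None for the operator not because of a bug but by construction: the only key material in the system is derived from the owner's password, so anyone who must read the record without the owner present (the "delegated operators" of the reply) has nothing to decrypt with. Satisfying that requirement means the record key has to be reachable by the operator as well, which is precisely what the per-user-password design leaves out.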