Re: Data Encryption
Basically our security entails a VPN between the database server and software server, firewalls, application firewalls, an SSL between the client machine and software server, and all of the usual CF security... However, there are rules in some countries that medical data must be encrypted in the database. I agree that I cannot see the threat this directly targets!

And don't forget the network traffic between the server and the DB. Which can be encrypted using MS encryption libraries for a ... ahem ... small fee.

It doesn't cost anything (except your time) to set up an IPsec tunnel between two Windows machines. And SQL Server natively supports SSL/TLS as well.

But more to the point, yes, that's another threat profile to consider.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:343517
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Data Encryption
On Mon, Apr 4, 2011 at 5:16 AM, Richard White rich...@j7is.co.uk wrote:

> Basically our security entails a VPN between the database server and software server, firewalls, application firewalls, an SSL between the client machine and software server, and all of the usual CF security... However, there are rules in some countries that medical data must be encrypted in the database. I agree that I cannot see the threat this directly targets!

I'd look a little deeper into the specific requirement before going to a blanket goal to encrypt everything. I suspect only certain medical data needs to be protected, and/or only personally identifiable medical information. Primary keys (for example) are not medical information.

-Cameron

--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: camer...@gmail.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:343528
Re: Data Encryption
Hi, is there a way to encrypt all data stored in a MySQL database. We tried to encode all data but realised it cannot be done on integer fields etc... would appreciate any help

What exactly is the threat profile you're trying to address by encryption?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:343458
Re: Data Encryption
Good question! Purely regulations of medical authorities!

Hi, is there a way to encrypt all data stored in a MySQL database. We tried to encode all data but realised it cannot be done on integer fields etc... would appreciate any help

What exactly is the threat profile you're trying to address by encryption?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:343459
Re: Data Encryption
Purely regulations of medical authorities!

If your goal is simply to be able to say that data is encrypted, you could simply store the database files on an encrypting filesystem of some sort. But that wouldn't really prevent people from reading them assuming those people didn't just steal the hard drive from the computer.

If your goal is to prevent people from accessing the database directly, that's less a matter of encryption and more of limiting access to ports, using logins, etc.

If your goal is to prevent people from accessing the database maliciously from your web application, then you typically have to (a) use PKI and (b) limit what you can do with the key that your application will presumably possess.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:343461
RE: Data Encryption
And don't forget the network traffic between the server and the DB. Which can be encrypted using MS encryption libraries for a ... ahem ... small fee.

-Mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Friday, April 01, 2011 10:10 AM
To: cf-talk
Subject: Re: Data Encryption

Purely regulations of medical authorities!

If your goal is simply to be able to say that data is encrypted, you could simply store the database files on an encrypting filesystem of some sort. But that wouldn't really prevent people from reading them assuming those people didn't just steal the hard drive from the computer.

If your goal is to prevent people from accessing the database directly, that's less a matter of encryption and more of limiting access to ports, using logins, etc.

If your goal is to prevent people from accessing the database maliciously from your web application, then you typically have to (a) use PKI and (b) limit what you can do with the key that your application will presumably possess.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:343463
Re: Data Encryption
And don't forget the network traffic between the server and the DB. Which can be encrypted using MS encryption libraries for a ... ahem ... small fee.

It doesn't cost anything (except your time) to set up an IPsec tunnel between two Windows machines. And SQL Server natively supports SSL/TLS as well.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:343466
Re: Data Encryption
And don't forget the network traffic between the server and the DB. Which can be encrypted using MS encryption libraries for a ... ahem ... small fee.

It doesn't cost anything (except your time) to set up an IPsec tunnel between two Windows machines. And SQL Server natively supports SSL/TLS as well.

But more to the point, yes, that's another threat profile to consider.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:343467
Re: Data encryption in MS SQL Server
Apologies if anyone gets this twice... I posted this morning using the Fuseware NNTP mirror, but now 12 hours later my message is still not showing up in the archives, so I presume it got a little lost :)

Bosky, Dave wrote:

> What are some encryption methods that can be used on sensitive data before storing it in a MS SQL Server 2000 database? How is everyone else storing information such as credit card data and personal billing information?

The company I work for sells a couple of tags - cfx_pwtextcrypt and cfx_pwcardcrypt - that do asymmetric RSA encryption. The only down side is that to remain totally secure, the private key must be stored offline and human intervention is required for decrypting - so it's good for things like periodic credit card batching (we developed it initially for a subscription system).

http://developer.perthweb.com.au

HTH,
Kay.

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq

This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
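
Two points in this thread describe the same design: Dave Watts's advice to use PKI and limit what the application's key can do, and Kay's RSA scheme with the private key kept offline. The Node.js code below is an added example, not code from the thread or from the cfx_pw* tags; it seals individual columns with a public key so the web tier can write but not read them. The function names, the `patients` table, the `table.column:id` context string and the sample row are assumptions.

```javascript
// Added example (constructed data, hypothetical names): write-only column encryption.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Offline step: generate the pair away from the web server, deploy only publicKey.
function generateKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Web tier: seal one sensitive value. A fresh AES-256-GCM key encrypts the value
// and RSA-OAEP wraps that key, so the server never holds anything that decrypts.
function sealField(publicKey, value, context) {
  const dataKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  cipher.setAAD(Buffer.from(context)); // ties the ciphertext to its table, column and row
  const body = Buffer.concat([cipher.update(String(value), 'utf8'), cipher.final()]);
  const wrapped = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  // The result is text, so the column must be VARCHAR/TEXT even for integer data.
  return [wrapped, iv, cipher.getAuthTag(), body].map((b) => b.toString('base64')).join('.');
}

// Offline batch step: only the private-key holder can recover the value.
function openField(privateKey, sealed, context) {
  const [wrapped, iv, tag, body] = sealed.split('.').map((s) => Buffer.from(s, 'base64'));
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, iv);
  decipher.setAAD(Buffer.from(context));
  decipher.setAuthTag(tag); // final() throws if the value or its context was altered
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Constructed row: the primary key stays in the clear, only medical fields are sealed.
function demo() {
  const { publicKey, privateKey } = generateKeyPair();
  const row = { id: 42, diagnosis: 'constructed sample text', heart_rate: 72 };
  const stored = {
    id: row.id,
    diagnosis: sealField(publicKey, row.diagnosis, `patients.diagnosis:${row.id}`),
    heart_rate: sealField(publicKey, row.heart_rate, `patients.heart_rate:${row.id}`),
  };
  const heartRate = Number(openField(privateKey, stored.heart_rate, `patients.heart_rate:${row.id}`));
  return { stored, privateKey, heartRate };
}
```

Sealed columns cannot be indexed, compared or searched in SQL, which is one more reason to limit encryption to the fields the regulation actually covers.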