On Thu, 25 Aug 2011, [email protected] wrote:
In the message dated: Wed, 24 Aug 2011 20:44:37 PDT,
The pithy ruminations from [email protected] on
<Re: [lopsa-tech] MySQL and Encryption> were:
This scheme probably has more holes than a piece of Swiss cheese...but it may
be better than the alternatives of putting keys into text files to be read at
boot time, or manually entering many keys on different machines at 3AM.
What do you think?
this is definitely better than anything that I've seen shipped for data
encryption.
you still have the issue of where the keys to the cert that the dbserver
uses to talk to the keyserver are stored, but it means that stealing the DB
server (or its disk) is no longer enough, you also need to steal (or
otherwise get access to) the keyserver, and the keyserver can be locked down
with FIPS 140 type protections
thinking about this a bit more, if the central keyserver just passes the
key out whenever it's asked based on the PKI authenticated request, it's
of limited protection against someone in your network.
but this can be significantly improved with additional checking on the
keyserver.
things like:
check the IP of the requester as well as the key (preventing the key from
being stolen and used from a different machine)
take advantage of the fact that key requests should be very rare
require that the key request be manually approved (which can include a
"we're starting everything, do a blanket approval for the next 20 minutes"
option)
rate limit the approvals
audit the approvals (a weekly report to management listing what keys
were accessed and asking for a justification for each one, most weeks such
a report will be blank so it's usually very little work. This will find
the problem after the fact, but since the data needs to be stolen as well
as the key, you may catch someone who got the key before they get the
data)
David Lang
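The keyserver checks listed above (IP binding, manual approval with a 20-minute blanket window, rate limiting, and an audit trail for the weekly report), as an added policy-gate example that is not code from this thread. It assumes the PKI/mutual-TLS authentication has already happened and `key_id` is the identity the client cert proved; the class name, the `bindings` map and the two-releases-per-hour limit are constructed for the example.

```python
from collections import deque
class KeyServerPolicy:
    """Policy gate in front of key release (constructed example). Mutual-TLS auth is
    assumed done already; key_id is the identity the client cert proved; times are seconds."""

    def __init__(self, bindings, max_releases_per_hour=2):
        self.bindings = bindings        # key_id -> set of IPs allowed to ask for it
        self.max_per_hour = max_releases_per_hour
        self.blanket_until = None       # end of a "we're starting everything" window
        self.pending = {}               # request_id -> (key_id, ip)
        self.releases = {}              # key_id -> deque of release times
        self.audit = []                 # (time, event, key_id, ip) for the weekly report
        self._next_id = 1

    def open_blanket_approval(self, now, minutes=20):
        self.blanket_until = now + minutes * 60
        self.audit.append((now, "blanket-approval", None, None))

    def request_key(self, key_id, ip, now):
        # 1. IP binding: a stolen client cert is useless from a different machine
        if ip not in self.bindings.get(key_id, set()):
            self.audit.append((now, "denied-ip", key_id, ip))
            return "denied"
        # 2. Rate limit: legitimate key requests are rare (a reboot, not a loop)
        recent = self.releases.setdefault(key_id, deque())
        while recent and now - recent[0] > 3600:
            recent.popleft()
        if len(recent) >= self.max_per_hour:
            self.audit.append((now, "rate-limited", key_id, ip))
            return "denied"
        # 3. Inside a blanket window release at once, otherwise wait for a human
        if self.blanket_until is not None and now <= self.blanket_until:
            return self._release(key_id, ip, now, "blanket")
        req_id, self._next_id = self._next_id, self._next_id + 1
        self.pending[req_id] = (key_id, ip)
        self.audit.append((now, "pending", key_id, ip))
        return f"pending:{req_id}"

    def approve(self, request_id, now):
        key_id, ip = self.pending.pop(request_id)
        return self._release(key_id, ip, now, "manual")

    def _release(self, key_id, ip, now, how):
        self.releases.setdefault(key_id, deque()).append(now)
        self.audit.append((now, f"released-{how}", key_id, ip))
        return "released"

    def weekly_report(self, since):
        # Only releases need a justification; most weeks this list is empty
        return [e for e in self.audit if e[0] >= since and e[1].startswith("released")]
```

Denied and rate-limited requests still land in `audit`, so a burst of refusals from an unexpected address shows up in the same report as the releases.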
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/