Re: Use of Informix with Protegrity/Omnisecure Encryption






From: Fernando Nunes <spam@xxxxxxxxxxxxxxx>

My news server is sooooo bad... I've lost that message...
>
> The downside to using this encryption package is that it will kill
> performance. Now that could be mitigated by either using a hardware

A quick note... Currently there are a lot of things that kill performance...
If you have to be SOX compliant, many times performance won't be your first priority...

Well so will writing piss poor queries. The point is that you kill performance yet you do not increase security.


So... you never had the chance to try mixing chunks from two instances? Or see somebody create a fs on top of your raw devices?
Lucky guy :)

Well, that's because when I do my work, I document everything and I try to work in tandem with the sysadmins so that they know which raw partitions are mine. ;-)

Also leave a set of laminated system documents so that there is no excuse for writing on a chunk and also get the client's DBAs and SysAdmins to agree upon proper policy and procedure so that "accidents" like you mention don't happen and if they did, someone would be shot. ;-)

In fact it's very difficult if not impossible to solve the "root" problem.

Sigh.

Typical IBMer. You've missed the point.

Look, once someone has gained root access to any UNIX/LINUX machine there isn't a lot that anyone can do to stop him/her from screwing things up.

The Original Poster said that they are implementing a solution that encrypts/decrypts the I/O as it is written to the disk. If you think about this, if someone were to steal the data in the database, encrypting the physical disk does nothing for security. If you have a compromised machine and that person knows the root password, they can then su - to anyone and gain access to the Informix database, bypassing the encryption entirely.

Thus you degrade performance for zero gain!

If you want to encrypt something within the database, you have to use the features of the database.


> Almost 10 years ago, I made a suggestion to Diane Fraiman and a couple
> of then execs. I told them that they should focus on adding more
> security to the database like encryption in the database. The then
> person in charge of the I.Sell stuff (I forget the maroon's name) laughed
> it off. Saying that the majority of store thefts came from insiders so
> this wouldn't be of any value.

Times changed... With all the "compliance wave" that is currently dictating some major concerns and priorities they would probably react differently.
It's a completely different issue, but if you check about LBAC (possibly in Cheetah or future versions) you'll know what I mean.


LOL... You can lead a horse to water but you can't make them drink.

Part of running a business is being able to spot trends and to have products in place before your competition and to be proactive with your customers.

The funny thing was that I told them that there would be problems with security and websites.
They said let the application handle it. And that there wasn't a need to put encryption within the engine.
Now there was a certain PhD working for Informix who was involved in the NAG datablade. Terry told a story about one of his projects which again reflected the need for encryption within the database. This was around 2001.

Why IBM didn't do it remains a "mystery". Ok not a mystery. Just something we can't talk about in polite company. ;-)

The bottom line is that whoever made the decision to shackle the DBAs to this Protegrity product didn't think things through. It does nothing to secure your database data.
