Thursday, 27 December 2007

Other encryption headaches

I was supposed to be telling you about issues I've faced recently with customers. I can't say too much, because of course everything I do gets turned into Product Management requests and is either turned into new functionality or addressed through partnerships, etc. Either way, it is all very hush-hush.

One other generic example which I have to give, however, is using encryption in conjunction with third-party apps and databases. Many third-party apps which use back-end databases connect to the database using just one user login. Of course, this means that anyone able to access the application potentially has access to any encrypted data: the database only ever sees the application's single login, so it cannot tell one end user from another, and whatever that login can decrypt, every application user can reach. This can cause real headaches for me, and will continue to do so as compliance becomes more strict.
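To make the shared-login problem above concrete, here is a small constructed model (added here, not code from the post or any product it refers to): an encrypted card-number column read through one application login, first with no end-user check, then with decryption gated on the requesting user by a stand-in key service. The tenant names, entitlement table, key service and the toy HMAC-based cipher are all assumptions for illustration.

```python
"""Toy model of the shared-login problem: encrypted columns behind one app login.
Constructed example; the toy cipher stands in for a vetted AEAD such as AES-GCM."""
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

# Constructed data: one key per tenant, held by an (assumed) key service that is
# separate from the database credential the application connects with.
TENANT_KEYS = {"acme": os.urandom(32), "globex": os.urandom(32)}
ENTITLEMENTS = {"alice": {"acme"}, "bob": {"globex"}}  # assumed end-user entitlements
ROWS = {}  # row_id -> (tenant, nonce, ciphertext); stands in for the table

def store(row_id: int, tenant: str, pan: str) -> None:
    nonce = os.urandom(12)
    ROWS[row_id] = (tenant, nonce, keystream_xor(TENANT_KEYS[tenant], nonce, pan.encode()))

store(1, "acme", "4111111111111111")    # constructed test card numbers
store(2, "globex", "5500000000000004")

def read_pan_shared_login(row_id: int, requesting_user: str) -> str:
    """The pattern described in the post: the app's single login can reach every key and
    the end-user identity is never consulted, so any application user gets any PAN."""
    tenant, nonce, ct = ROWS[row_id]
    return keystream_xor(TENANT_KEYS[tenant], nonce, ct).decode()

def release_key(tenant: str, requesting_user: str) -> bytes:
    """Stand-in for a key service: releases a tenant key only to an entitled end user."""
    if tenant not in ENTITLEMENTS.get(requesting_user, set()):
        raise PermissionError(f"{requesting_user} is not entitled to {tenant} data")
    return TENANT_KEYS[tenant]

def read_pan_authorized(row_id: int, requesting_user: str) -> str:
    """Hardened: decryption is gated on the end user, not on the shared DB connection."""
    tenant, nonce, ct = ROWS[row_id]
    return keystream_xor(release_key(tenant, requesting_user), nonce, ct).decode()

def can_read(reader, row_id: int, requesting_user: str) -> bool:
    try:
        reader(row_id, requesting_user)
        return True
    except PermissionError:
        return False
```

The point is that the column being encrypted changes nothing in the first reader; only when the key release depends on who the end user is does the encryption start to enforce anything.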

At present, PCI only dictates that sensitive data be encrypted; it doesn't talk about the mechanisms of the applications, which is probably where it has the most potential to fall down. A short aside here: I was speaking to a customer last week and they asked whether encrypting a database at the file level was in line with PCI. I replied that PCI was quite vague on this, and before I could go any further he replied, "Oh, I find it quite the opposite." I had to bite my tongue quite hard. How irritating it is to be a bitter, twisted security commentator AND have customers. I could have spent hours softening him up just to cut him down, but I just listened and realised how simple it would be to tell them I could do everything they need. The truth is, no one can yet.
