Encryption is addressed broadly in 4 areas now, email, the file system, the application, and the database:
- Email encryption has been possible for years, but there are new mechanisms being designed all the time for some reason. I often wonder how much mileage there really is in this.
- File system encryption is so simple that storage companies are building it in.
- People write their own applications, databases of course are just reasonably complex applications.
- written that way (it occasionally happens),
- protected by WAFs, or
- propietary code which no-one cares about enough to attack - security by obscurity.
Encrypting a database can only do so much. I thought it would be interesting to go over a few of the issues I've seen recently, so I'll do that over the Christmas turkey, and hope someone reads it.