Thursday, 20 December 2007

Talking turkey

Back when firewalls were all the rage, people talked about encryption like it was a panacea. It seemed so far off, so complex and so difficult to achieve that it was revered far too much. Of course, encryption turned out not to be the be-all and end-all of security. To BE secure, encryption helps, as one part of a whole system of defense in depth, defense in layers - but there are many more points to security after you've hidden the data.

Encryption is addressed broadly in four areas now: email, the file system, the application, and the database:
  • Email encryption has been possible for years, but there are new mechanisms being designed all the time for some reason. I often wonder how much mileage there really is in this.
  • File system encryption is so simple that storage companies are building it in.
  • People write their own applications; databases, of course, are just reasonably complex applications.
What needs addressing is the management of the keys used by these applications, and the security of the applications themselves. Most applications are too small to be an issue, and are secure because they are:
  • written that way (it occasionally happens),
  • protected by WAFs, or
  • proprietary code which no one cares about enough to attack - security by obscurity.
But what I'm seeing now, as I am called to a number of sites around Europe to handle keys for encrypting inside databases, is that the databases themselves are badly designed, inherently insecure, and need a whole lot of extra help.

Encrypting a database can only do so much. I thought it would be interesting to go over a few of the issues I've seen recently, so I'll do that over the Christmas turkey, and hope someone reads it.
