Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: secure file handling

From: dave_boone007 () yahoo com
Date: 27 Jul 2005 12:35:32 -0000
Hi Alejandro,

As every technical response goes, the answer is "It depends".

If you're looking for entry-level protection, built-in file system level encryption can work.  Easily identifiable 
problems are 1) OS-level encryption typically is only as secure as the user account that has access to decrypt it, and 
2) OS-level encryption can cause loss of access to your data if you have a system crash and can't regenerate the key 
that originally encrypted them, and 3) OS-level encryption is typically not portable or scalable, i.e. hard to have 
encrypted grid computing or shared access.

If you're looking for secure file handling for a larger environment, you might want to consider some 3rd party products 
like those from NeoScale and Decru, that use AES 256-bit encryption.

If you're looking for decent security at a reasonable price, maybe look at GPG or PGP.

Probably the most solid solution I've seen has been the Decru DataFort accompanied with their DCS client software. (no, 
I don't work for them or own any shares.)  Their devices are tamper-resistant, where physical access causes the systems 
not to load the keys any more.  Some of their devices are equipped with a "panic button" where pressing this physical 
button deletes the encryption keys, making the data practically irretrievable.  Plus, with their DCS client software 
you can enforce policies to the client, ensuring only known software is running on them, and even control which 
processes can access certain files, not just which users.

That's the "Mack Daddy" solution, but most any encryption software will provide you with the two features you've asked 
for - confidentiality (no one without the encryption key can 'recover' your files), and data integrity (no one without 
the private encryption key can change the content of a file without there being evidence/corruption).  Data integrity 
can be achieved without encryption by 'signing' the files.  For example, something as simple as an MD5 checksum can be 
used to guarantee the files have not been modified.

Hope this helps,
Dave Boone, CISSP
Previous By Date Next
Previous By Thread Next

Current thread: