Re: Encryption and Data Retention

["jacco" <computerguy () citlink net>]

Hi S0h0us,

Let me start with: your description on how it happens and what exactly is
the level of confidentiality of the data will very much influence the
outcome of this story.


> From reading your letter I see both your points; if the information is of
confidential level,security should be taking presence over speed,it is like
saying "lets leave the front door of the house unlocked and open wide 24 / 7
so if there is a once in a lifetime fire, we can escape faster that way"

Any moving of the data should be preceded by an encryption, it can be done
very simple and very fast (Choose from fast protocols like AES, TwoFish or
any other fast encryption)

When a real disaster happens (which luckily
does not happen often) the decryption of the data will happen
simultaneously to rebuilding the server / fixing the disaster : it should
nearly to not impact the re-implementation speed ( in most cases) of the
data, like the claim of your Business Continuity Officer was.

Conclusion:  in this case (without further facts about the data, rescue
timeline, planning of disaster recovery) the lack of security on transported
(physically by courier) confidential data on a day-to-day  basis should be 
outweighing
the single instance of a disaster with ease.

Jacco"Dash"Rorman
"Ad Astra per Administratio Aspera"

original Message ----- 
From: <s0h0us () yahoo com>
To: <security-basics () securityfocus com>
Sent: Monday, August 03, 2009 1:00 PM
Subject: Encryption and Data Retention


> Hi List,
> I'd like your hear your comments regarding the subject of data encryption
> and data retention.
> We are required to keep confidential information for a certain period of
> time, in some cases, for many years. This information is transported
> (physically by courier) offsite to a "disaster recovery" office. This data
> isn't encrypted. The Business Continuity Officer calims that in the event
> of a disaster or business disruption, this information needs to be access
> very quickly so that transactions can resume and minimize business
> downtime. My position is that any information that leaves the building
> needs to be encrypted, and that the likelihood of a disaster is low
> compared to that of unauthorized information disclosure in the event
> something happens in transit..
> I appreciate in advance your experiences and thoughts in this matter.
>
> Thank you!
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL
> certificate.  We look at how SSL works, how it benefits your company and
> how your customers can tell if a site is secure. You will find out how to
> test, purchase, install and use a thawte Digital Certificate on your
> Apache web server. Throughout, best practices for set-up are highlighted
> to help you ensure efficient ongoing management of your encryption keys
> and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------