Security Basics mailing list archives
RE: Encrypting data on fileserver
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Wed, 17 May 2006 15:47:47 -0500
I understand where you are coming from and believe me I have argued the exact same point. Bottom line is that management sees a paper saying we need to encrypt cardholder information. I can scream and yell until I am blue in the face. What will I have accomplished? Only that now I am not a team player and frustrated.

With different requirements corporations have to fulfill, there is little room left for common sense and expertise. These values cost too much and too often we apply band-aids. Is encrypting our fileserver a band-aid? Definitely, we should instead take steps to strip spreadsheets of account information, but this takes resources. The cost benefit of encrypting the fileserver seems like the better choice to people I do not argue with.

Thank you for wishing me good luck, I don't think I need it. I will however continue to do the job I was hired to do. If that is encrypting a fileserver then that is what I will do. If we happen to lose the data due to it being encrypted in the future, then my job will be to minimize our losses. I don't see how luck factors in.

To make sure you do not see this as a red flag waved in front of you, know that I agree with you. But that matters little since you are not employing me. However should you feel like changing this so we can agree on management practices? You have my email address ;-)

Nick Vaernhoej
-----Original Message-----
From: Eric Furman [mailto:ericfurman@.net]
Sent: Wednesday, May 17, 2006 3:05 PM
To: Nick Vaernhoej
Cc: security-basics () securityfocus com
Subject: RE:Encrypting data on fileserver

As I stated earlier, encrypted filesystems carry the potential risk of data loss. You are *much* more likely to lose all of your data from an encryption key being hosed, or one of many other potentially disastrous accidents happening, than in someone walking out of your data center with a server. If someone did that, even if all of your data 'was' encrypted, there is no guarantee that it will stop them. Do you actually imagine that if a group of people were resourceful enough to actually steal a server from a physically secure data center that they are not going to have someone who can overcome your encryption scheme? The risks *far* outweigh the benefits. The above scenario is an absolute fantasy, anyway.

Unfortunately, I used to work for a large bank so I understand a large corporation's management in strictly adhering to some draconian security policy, even if it doesn't make any sense. Good luck, you're going to need it.

--
Eric Furman
ericfurman@.net