
List:       security-basics
Subject:    RE: Encrypting data on fileserver
From:       "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices ! com>
Date:       2006-05-17 20:47:47
Message-ID: 3D94E33E401C5245AD069E39A80EAEF10128476A () sf2k3026 ! capital ! net

I understand where you are coming from and believe me I have argued the
exact same point. Bottom line is that management sees a paper saying we
need to encrypt cardholder information. I can scream and yell until I am
blue in the face. What will I have accomplished? Only that now I am not
a team player and frustrated.

With different requirements corporations have to fulfill, there is
little room left for common sense and expertise. These values cost too
much and too often we apply band aids. Is encrypting our fileserver a
band aid? Definitely, we should instead take steps to strip spreadsheets
of account information, but this takes resources. The cost benefit of
encrypting the fileserver seems like the better choice to people I do
not argue with.

Thank you for wishing me good luck, I don't think I need it. I will
however continue to do the job I was hired to do. If that is encrypting
a fileserver then that is what I will do. If we happen to lose the data
due to it being encrypted in the future, then my job will be to minimize
our losses. I don't see how luck factors in.

To make sure you do not see this as a red flag waved in front of you,
know that I agree with you. But that matters little since you are not
employing me. However, should you feel like changing this so we can agree
on management practices, you have my email address ;-)

Nick Vaernhoej

>-----Original Message-----
>From: Eric Furman [mailto:ericfurman@.net] 
>Sent: Wednesday, May 17, 2006 3:05 PM
>To: Nick Vaernhoej
>Cc: security-basics@securityfocus.com
>Subject: RE: Encrypting data on fileserver
>
>As I stated earlier, encrypted filesystems carry the potential risk
>of data loss. You are *much* more likely to lose all of your data
>from an encryption key being hosed, or one of many other potentially
>disastrous accidents happening, than in someone walking out of your
>data center with a server. If someone did that, even if all of your
>data 'was' encrypted, there is no guarantee that it will stop them.
>Do you actually imagine that if a group of people were resourceful
>enough to actually steal a server from a physically secure data
>center that they are not going to have someone who can overcome
>your encryption scheme? The risks *far* outweigh the benefits.
>The above scenario is an absolute fantasy, anyway.
>Unfortunately, I used to work for a large bank so I understand a large
>corporation's management strictly adhering to some draconian
>security policy, even if it doesn't make any sense.
>Good luck, you're going to need it.
>-- 
>  Eric Furman
>  ericfurman@.net

