[ale] [OT] TDE - effective, theatre or in between?

David Tomaschik david at systemoverlord.com
Fri Aug 9 16:24:13 EDT 2013


On Fri, Aug 9, 2013 at 12:36 PM, Sid Lane <jakes.dad at gmail.com> wrote:
> can anyone cite a known PII/PHI breach which all else equal TDE would have
> prevented?  if not can you describe such a hypothetical breach (again, all
> else equal)?  no points for lost unencrypted backups - that's operator error
> & trivially avoided..
>
> I've been tasked with developing & deploying a database encryption strategy
> for HIPAA-governed PHI & have lots of people touting M$ and/or Oracle TDE.
> I've put a fair bit of effort into studying each and I'm having a hard time
> envisioning actual vectors and/or real world attacks against which they
> would protect (again, all else equal).  as near as I can tell they DO
> guarantee that your backups are encrypted which does have merit but there
> are dozens of non-TDE (virtually all far cheaper) ways to encrypt a database
> backup.  additionally, as near as I can tell they decrypt into shared memory
> & may (but don't require) re-encrypt for transport (SSL to client).  am I
> wrong on these points?
>
> I was on a call today w/a vendor where it was asked:  "well, what if they
> physically steal your server?"  to which I replied:  "well, they'd have a
> nice doorstop since database is on SAN" which naturally begged:  "well, what
> if they steal your SAN?" - um, if someone's able to steal a multi-cabinet
> VSP in under four hours without at least six people & a pallet jack & get
> it off your dock then database encryption (or lack thereof) may not be your
> highest priority...

What if they compromise another server on the SAN & compromise the
access control on the SAN?  They can then read whatever they want from
the SAN and exfiltrate it...  Unlikely?  maybe.  Also means that
failed hard drives pulled from the SAN only contain encrypted garbage,
and don't contain PII/PHI that's trivially extracted.  (Though your
SAN may support FDE that covers that case.)

I'm personally not convinced that TDE offers benefits over FDE on the
underlying device, if you have that capability, but I also don't deal
with Oracle or MSSQL.

> I realize we're probably still going to have to do it anyway to appease
> auditors, govt, etc - I just want to know if there's something I'm missing
> that will convince me this is substantive & not theatre...
>
> thanks!



-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com

