Alternative encryption solutions to builtin SQL 2008 enterprise?

  • I was wondering if anyone has any suggestions on some good third-party tools for encrypting SQL databases besides the built-in functionality of SQL 2008 Enterprise. The reason is due to PCI compliance. Encrypting within SQL itself is not completely secure as any members of the sysadmin role can decrypt data. For most sensitive stuff, that's fine, but at this level with PCI, we need something thorough.

    Currently, we are using Safenet (formerly Ingrian) and it has been behaving well. However, the current hardware will soon be out of support and I am looking at alternatives to Safenet that are a) cheaper (directive from boss), b) just as easy to configure, and c) just as secure by using external hardware to do the encryption.

    Anyone here use other external encryption devices or know where I can find some reviews on them?

    Thanks.

    Gaby
    ________________________________________________________________
    "In theory, theory and practice are the same. In practice, they are not."
    - Albert Einstein

  • We wrote our own encryption classes in .NET using the cryptographic objects/methods. This gave us the ability to use our own key management, and be able to encrypt/decrypt data from (T-SQL) SQL Server as well as from external .NET procedures and web pages.

    The thing I don't like about SQL Server encryption is that there is no way to reproduce the encryption results external to SQL Server. By implementing our own encryption methods as CLR functions we can do it both ways and control access to data and methods by granting permissions.

    The probability of survival is inversely proportional to the angle of arrival.

  • sturner (11/8/2010)


    We wrote our own encryption classes in .NET using the cryptographic objects/methods. This gave us the ability to use our own key management, and be able to encrypt/decrypt data from (T-SQL) SQL Server as well as from external .NET procedures and web pages.

    The thing I don't like about SQL Server encryption is that there is no way to reproduce the encryption results external to SQL Server. By implementing our own encryption methods as CLR functions we can do it both ways and control access to data and methods by granting permissions.

    I'd love to do it this way, but one caveat is this has to be PCI compliant and certified as such for our auditors.

    Gaby
    ________________________________________________________________
    "In theory, theory and practice are the same. In practice, they are not."
    - Albert Einstein

  • It uses the same .NET encryption API that SQL Server does (part of the operating system). It's just that SQL Server has its own undocumented preamble for randomization that makes it so you cannot decrypt something outside of the T-SQL encryption functions. Personally I see that as a limitation.

    The probability of survival is inversely proportional to the angle of arrival.
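
A documented ciphertext layout of the kind discussed above, which any .NET caller holding the keys can reproduce, as an added example that is not the poster's code. The class name `PortableCrypto`, the blob layout and the separate encryption and MAC keys are assumptions made for illustration; key storage is left to the caller.

```csharp
using System;
using System.Security.Cryptography;
// Added example, not the poster's code. Blob layout (an assumption chosen here):
// IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes).
public static class PortableCrypto
{
    const int IvLen = 16, TagLen = 32;
    static Aes NewAes(byte[] key)
    {
        var aes = Aes.Create();
        aes.Key = key; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        return aes;
    }
    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = NewAes(encKey))      // a 32-byte key selects AES-256
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.GenerateIV();                 // fresh random IV for every value
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            var blob = new byte[IvLen + ct.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
            Buffer.BlockCopy(ct, 0, blob, IvLen, ct.Length);
            byte[] tag = hmac.ComputeHash(blob, 0, IvLen + ct.Length); // MAC covers IV + ciphertext
            Buffer.BlockCopy(tag, 0, blob, IvLen + ct.Length, TagLen);
            return blob;
        }
    }

    public static byte[] Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        // Smallest valid blob: IV + one padded block + tag.
        if (blob == null || blob.Length < IvLen + 16 + TagLen) throw new CryptographicException("Blob too short.");
        int bodyLen = blob.Length - TagLen;
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, bodyLen);
            int diff = 0;                     // compare every byte, no early exit
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[bodyLen + i];
            if (diff != 0) throw new CryptographicException("Authentication failed.");
        }
        var iv = new byte[IvLen];
        Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
        using (var aes = NewAes(encKey))
        using (var dec = aes.CreateDecryptor(aes.Key, iv))
            return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
    }
}
```

Because the tag is verified before any decryption, a blob altered in storage is rejected rather than decrypted to garbage, and the same two methods can be called from a web tier or wrapped in a SQL CLR function without either side depending on a format it cannot reproduce.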

  • GabyYYZ (11/11/2010)


    sturner (11/8/2010)


    We wrote our own encryption classes in .NET using the cryptographic objects/methods. This gave us the ability to use our own key management, and be able to encrypt/decrypt data from (T-SQL) SQL Server as well as from external .NET procedures and web pages.

    The thing I don't like about SQL Server encryption is that there is no way to reproduce the encryption results external to SQL Server. By implementing our own encryption methods as CLR functions we can do it both ways and control access to data and methods by granting permissions.

    I'd love to do it this way, but one caveat is this has to be PCI compliant and certified as such for our auditors.

    My last company did something similar to this and it was accepted as PCI compliant.
