Topic awaiting preservation: Storing sensitive data in a database
Author | Thread |
Bipolar (III) Inmate From: Australia |
posted 06-09-2006 03:59
Hi All, |
Maniac (V) Mad Scientist with Finglongers From: Germany |
posted 06-09-2006 10:21
Keep The Server Safe. |
Bipolar (III) Inmate From: Australia |
posted 06-09-2006 11:05
Fair enough, I guess it's a bit more concerning, it's shared hosting, but it's pretty hard to control everything. |
Maniac (V) Mad Scientist From: :morF |
posted 06-09-2006 15:35
In IT there's a term for this: healthy paranoia. You know that something bad will happen. You don't know who, specifically, will do it, why, how, or what they might be after. So you try and analyse what you have to try and figure out what might be targeted and what might not be, how they might get in (within reason) and from there you figure out what precautions you can take. Remember that there's no such thing as 100% secure. The only computer which is 100% secure is the one that is never turned on, never plugged in, and, frankly, never even built. So then you weigh up your security measures against the detriment they make to your service. Every security measure you put in place adds another step to the process, and adds more latency to the result. You can encrypt every bit of data used in the site, but then every time it has to be used (i.e. every time someone accesses the site) it has to be decrypted again. And where do you store the keys? You could have 1024 bit encryption if you wish, but if someone can get the key, you may as well be sending clear text. It's making the distinction between data that is really sensitive, and what you can replace if it's vandalised, and what doesn't really matter. |
Bipolar (III) Inmate From: Australia |
posted 06-09-2006 16:55
Yeh thanks skaarj, your example sounds exactly like what I might do, most of it I already do except for some very basic encryption on some personal information, that and making sure we only store personal information that we need. |
Maniac (V) Mad Scientist From: 100101010011 <-- right about here |
posted 06-09-2006 18:29
Well most DBs have some form of encryption available like so |
Maniac (V) Mad Scientist with Finglongers From: Germany |
posted 06-10-2006 13:03
On a side note - don't store anything you don't have to. |
Bipolar (III) Inmate From: Australia |
posted 06-10-2006 14:19
Yeh I mentioned that... it's a catch-22 though - if you store those details it makes things easier for the user as they don't have to enter their shipping details every time - which most people would find annoying. |
Bipolar (III) Inmate From: Australia |
posted 06-10-2006 14:28
Having said that, addresses aren't exactly sensitive information these days, and stores always need to connect their orders to shipping addresses etc for a paper trail. |