Wake Up and Smell Reality
Posted by Tyler Muth on August 5, 2008
In case you missed the news, yet another laptop with unencrypted Personally Identifiable Information (PII) was lost (though this one was found again, news story here). This type of story is in the news all too often. If you think I’m overreacting, take a look at this Chronology of Data Breaches. You might even look for your organization or organizations that have your data. The intended audience of this blog, DBAs and developers, are often the ones who know the most about how their own organization’s data is stored, so I hope at least a few of you read it and think about security a little bit more. So, here it goes…
- If you are storing unencrypted PII in your database, WAKE UP!
- If you are backing up PII without encrypting it, WAKE UP!
- If you are exporting PII in clear text and sharing it with groups (mainframe extracts come to mind here) WAKE UP!
- If you have any of your customers unencrypted PII on your laptop, WAKE UP!
- If you transport unencrypted PII on a flash drive, seriously, WAKE UP!
- Backups are a prime target, and an easy one to solve. I blogged about RMAN Encrypted Backups, there’s also Oracle Secure Backup (free for a single machine), as well as a plethora of free or for cost file encryption utilities.
- If you don’t need the info, DON’T STORE IT in the first place.
- If you need to say lookup a record using a Social Security Number, but don’t need to display or edit it, store the hash of an SSN using dbms_crypto.mac. You can then hash the search term, then do a simple equality search on hash = hash.
- Use dbms_crypto to programmatically encrypt data if you can.
- Use Transparent Data Encryption if you can’t or don’t have time to change the application code.
- Don’t even think of using SSNs as primary keys. They’ll end up getting propagated to all child tables, and what are you going to do when someone changes their SSN?
- Use TrueCrypt to encrypt a volume on your laptop, or even your whole drive. I’ve been using it on my laptops for 2 years now and it’s always worked flawlessly. It also works on flashdrives.
- Help define policies for protecting sensitive information.
- Talk to your colleagues and managers about concerns you have. Just starting a dialog about security is a huge step in the right direction.
- Pick up a copy of “Effective Oracle Database 10g Security by Design” by David Knox. Yes, David is a friend of mine. No, I don’t get ANY money from this book. Note that of the 10 reviews on Amazon, 9 of them give this book 5 stars! I’ve read it cover to cover and reference it often, it’s such a great resource.