December 4, 2011 at 6:10 pm
Comments posted to this topic are about the item Not having TDE in all editions is stupid
December 4, 2011 at 11:58 pm
:w00t:??? Totally agree!!! The importance of encryption of data at rest (any data, not just SQL-DB) is linearly dependent on the mobility of the medium of said data. Period.
I've followed your occasional "rantings" about Microsoft's edition/feature-matrix and generally agree with your viewpoints but also sort-of understand Microsoft's difficult position when trying to grab money from those that can afford it. But after the spate of data-loss instances published in the past years (not to speak of those the public never heard about) there just isn't any excuse for Microsoft to NOT provide the hardest security-features on the lightest editions. :angry:
December 5, 2011 at 4:01 am
Amen, brother!
Here is a posting on the same subject on my blog back in June 2010:
http://www.simple-talk.com/community/blogs/johnm/archive/2010/06/21/93146.aspx
December 5, 2011 at 6:22 am
I agree fully. TDE should be in all editions of SQL Server. When the media gets wind of stolen data from a SQL Server environment, it is bad PR for Microsoft's product. If this PR could have been avoided by providing this functionality at a lower-tiered edition, I would think that would be desirable for all parties.
It's hard to know what in the heck Microsoft is thinking at times, however.
Thanks for the editorial,
Matt
December 5, 2011 at 8:16 am
I think the stupid decision is to put sensitive information on mobile devices and media. That data needs to be siloed and protected.
December 5, 2011 at 8:32 am
I find myself convoluted regarding this problem.
Encryption is better performed outside the database in the first place. If you have sensitive data (e.g. credit card information), it is best encrypted prior to placing the data into a database.
However, there is data that, in the correct environment, requires no encryption simply for performance purposes, that if made available to the wrong people could be used maliciously. I'm thinking about such data as client lists, Email addresses, data that falls under some sort of privacy regulation, etc.
In that case, any database capable of containing such data should have the capability of encryption. Especially when it comes to making backups.
Regarding the laptop scenario, I think there is a bigger issue at large. Not only is your database contents important to keep from intruders, but other data on the laptop as well. In that case, the entire contents of the hard disk should be encrypted. There are tools to do this with little overhead. Using a disk encryption utility resolves the stolen laptop scenario for all data, and I would contend, is a more complete solution.
IMHO
Ben
December 5, 2011 at 9:07 am
I kind of disagree here. In the case of laptops, if there is any sensitive data on there at all--doesn't matter if this is in the form of SQL databases, Office documents, or compromising photos of the CEO from the office Xmas party--then full-disk encryption is the way to go. In addition, one assumes that the laptop does not contain the *only* copy of this data, so there shouldn't be a need to keep local backups of it in any case! TDE is not the right tool for the job in this particular instance.
That isn't to say that it wouldn't be incredibly useful if TDE were available in more editions of SQL server, of course, just that the quoted example doesn't work IMHO.
December 5, 2011 at 9:16 am
Steve, I passed your suggestion to the SQLS QA team, with your name as the originator of the idea.
I am told it will go through monthly triage on Thursday.
December 5, 2011 at 9:30 am
Couldn't agree with you more.
I work in an academic clinical research unit; there's a fair amount of extremely sensitive data about; the price difference between standard edition (with generous educational discount, thank you Microsoft) and Enterprise edition (smaller / no discount) is greater in these circumstances.
December 5, 2011 at 9:41 am
I'm going to have to disagree here. One of the direct concerns for TDE is the separation of data and hosting instance. In a scenario for laptops and the like, TDE is <nearly> pointless. Full disk encryption is necessary, as mentioned above.
The idea of TDE on a drive on a machine that's just been lifted being a protection point is minimal, unless your thieves just can't brute force a password for the local sa, which is kinda silly to believe once the machine's in their hands. Sure, it's an additional layer of time, but not really protection until we start low-jacking the portable physical units.
Now, TDE on standard I would agree should exist, since even small businesses should be worried about their data. A wizard for dummies and basic protection should exist too for those shops.
For Express because of laptops? That seems a stretch to me.
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. | Tally Tables
Twitter: @AnyWayDBA
December 5, 2011 at 9:56 am
OCTom (12/5/2011)
I think the stupid decision is to put sensitive information on mobile devices and media. That data needs to be siloed and protected.
You're missing the point. It's not all data on mobile, you might need to access some data, or carry some. Think salespeople; they don't need all customer data, but they might need their data.
It's not always a connected world, and you can't limit access to data to certain workstations in certain places.
December 5, 2011 at 9:57 am
paul.knibbs (12/5/2011)
I kind of disagree here. In the case of laptops, if there is any sensitive data on there at all--doesn't matter if this is in the form of SQL databases, Office documents, or compromising photos of the CEO from the office Xmas party--then full-disk encryption is the way to go. In addition, one assumes that the laptop does not contain the *only* copy of this data, so there shouldn't be a need to keep local backups of it in any case! TDE is not the right tool for the job in this particular instance.
That isn't to say that it wouldn't be incredibly useful if TDE were available in more editions of SQL server, of course, just that the quoted example doesn't work IMHO.
Backups are the big issue here with me. I too prefer FDE
December 5, 2011 at 9:58 am
Revenant (12/5/2011)
Steve, I passed your suggestion to the SQLS QA team, with your name as the originator of the idea.
I am told it will go through monthly triage on Thursday.
Thanks. Not sure if that means I'll get an email from QA or never get an email again from the QA team.
December 5, 2011 at 9:59 am
Evil Kraig F (12/5/2011)
For Express because of laptops? That seems a stretch to me.
Does the inclusion/use of TDE on Express preclude or interfere with FDE? Not sure this is an either/or decision.
December 5, 2011 at 10:09 am
Steve Jones - SSC Editor (12/5/2011)
Evil Kraig F (12/5/2011)
For Express because of laptops? That seems a stretch to me.
Does the inclusion/use of TDE on Express preclude or interfere with FDE? Not sure this is an either/or decision.
As far as I know, no. The TDE is software encryption after going through the data-access drivers which get the FDE, which is also a software encryption but is closer to the drive access drivers.
It's not an either/or. I just don't see the value. I might see value for shops running a lot of shards off Express so there's local SoR downloads from the primary site for data-transfer speeds, with writes back to the main SoR, but not when they can take the physical instance (and the unencryption keys already installed and implemented) along with the files, and just hook said drive into a more robust machine, ready to go with a second drive of all their password crack software. The FDE can block that, TDE can't. Once they break the FDE the TDE is nothing more than a single password away, which is the easiest piece of the hacker concern for anything without foreign lockouts. They can ignore their own firewall whining about failed logins.
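The two posts above (the "separation of data and hosting instance" point and the "keys already installed" point) turn on where TDE's keys actually live. The following T-SQL is an added example, not code from the thread or from any poster: it enables TDE on a database, shows which certificate in master protects the database encryption key, and shows the certificate backup that a restore on a different instance needs. The database name ExampleDB, the certificate name TDE_ExampleCert, the file paths and the passwords are placeholders.

```sql
-- Added example, not from the thread. ExampleDB, TDE_ExampleCert, the
-- C:\keys paths and the passwords are placeholders to be replaced.
USE master;
GO
-- 1. Database master key in master. It is protected by this password and
--    also by the service master key, so it opens automatically on THIS
--    instance: someone who carries off the whole instance carries the key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Placeholder-DMK-Password!1';
GO
-- 2. Server certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TDE_ExampleCert
    WITH SUBJECT = 'TDE certificate (placeholder example)';
GO
-- 3. Back up the certificate and its private key before encrypting anything.
--    A TDE database, or a backup of it, cannot be restored on another
--    instance without this certificate; a copied .mdf/.bak alone is unreadable.
BACKUP CERTIFICATE TDE_ExampleCert
    TO FILE = 'C:\keys\TDE_ExampleCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\keys\TDE_ExampleCert.pvk',
        ENCRYPTION BY PASSWORD = 'Placeholder-PVK-Password!1');
GO
USE ExampleDB;
GO
-- 4. Per-database encryption key, protected by the server certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_ExampleCert;
GO
ALTER DATABASE ExampleDB SET ENCRYPTION ON;
GO
-- 5. Check: encryption_state 2 = encryption in progress, 3 = encrypted.
--    Note that tempdb also shows up once any database on the instance uses TDE.
SELECT DB_NAME(database_id) AS db,
       encryption_state,
       key_algorithm,
       key_length,
       percent_complete
FROM sys.dm_database_encryption_keys;
-- 6. Check: which certificate in master protects which DEK. This is the
--    material that leaves with a stolen whole instance but is absent from a
--    lone copied data file or backup.
SELECT DB_NAME(k.database_id) AS db,
       c.name AS certificate_name,
       c.pvt_key_encryption_type_desc,
       c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS k
JOIN master.sys.certificates AS c
    ON k.encryptor_thumbprint = c.thumbprint;
GO
-- 7. On a DIFFERENT instance, a restore of ExampleDB's backup only works
--    after the certificate is recreated from the files saved in step 3.
--    (That instance needs its own master key first; same placeholders.)
-- USE master;
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Placeholder-DMK-Password!1';
-- CREATE CERTIFICATE TDE_ExampleCert
--     FROM FILE = 'C:\keys\TDE_ExampleCert.cer'
--     WITH PRIVATE KEY (
--         FILE = 'C:\keys\TDE_ExampleCert.pvk',
--         DECRYPTION BY PASSWORD = 'Placeholder-PVK-Password!1');
-- RESTORE DATABASE ExampleDB FROM DISK = 'C:\backups\ExampleDB.bak';
```

The practical check is step 6: if pvt_key_last_backup_date is NULL, no copy of the certificate exists outside the instance, so a hardware failure loses the database as surely as a thief would. Step 7 is the flip side of the thread's argument: a backup or detached file alone is protected, but anyone who has the whole instance (and can log in to it) does not need to break anything, because the certificate opens automatically there.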