Not having TDE in all editions is stupid

  • Totally agree!!! The importance of encryption of data at rest (any data, not just SQL-DB) is linearly dependent on the mobility of the medium of said data. Period.

    I've followed your occasional "rantings" about Microsoft's edition/feature matrix and generally agree with your viewpoints, but also sort of understand Microsoft's difficult position when trying to grab money from those that can afford it. But after the spate of data-loss instances published in the past years (not to speak of those the public never heard about) there just isn't any excuse for Microsoft to NOT provide the hardest security features on the lightest editions.

  • Amen, brother!

    Here is a posting on the same subject on my blog back in June 2010:

    http://www.simple-talk.com/community/blogs/johnm/archive/2010/06/21/93146.aspx

  • I agree fully. TDE should be in all editions of SQL Server. When the media gets wind of stolen data from a SQL Server environment, it is bad PR for Microsoft's product. If this PR could have been avoided by providing this functionality at a lower-tiered edition, I would think that would be desirable for all parties.

    It's hard to know what in the heck Microsoft is thinking at times, however.

    Thanks for the editorial,

    Matt

  • I think the stupid decision is to put sensitive information on mobile devices and media. That data needs to be siloed and protected.

  • I find myself convoluted regarding this problem.

    Encryption is better performed outside the database in the first place. If you have sensitive data (i.e. credit card information, etc.) that is best encrypted prior to placing the data into a database.

    However, there is data that, in the correct environment, requires no encryption simply for performance purposes, that if made available to the wrong people could be used maliciously. I'm thinking about such data as client lists, Email addresses, data that falls under some sort of privacy regulation, etc.

    In that case, any database capable of containing such data should have the capability of encryption. Especially when it comes to making backups.

    Regarding the laptop scenario, I think there is a bigger issue at large. Not only is your database contents important to keep from intruders, but other data on the laptop as well. In that case, the entire contents of the hard disk should be encrypted. There are tools to do this with little overhead. Using a disk encryption utility resolves the stolen laptop scenario for all data, and I would contend, is a more complete solution.

    IMHO

    Ben

  • I kind of disagree here. In the case of laptops, if there is any sensitive data on there at all--doesn't matter if this is in the form of SQL databases, Office documents, or compromising photos of the CEO from the office Xmas party--then full-disk encryption is the way to go. In addition, one assumes that the laptop does not contain the *only* copy of this data, so there shouldn't be a need to keep local backups of it in any case! TDE is not the right tool for the job in this particular instance.

    That isn't to say that it wouldn't be incredibly useful if TDE were available in more editions of SQL server, of course, just that the quoted example doesn't work IMHO.

  • Steve, I passed your suggestion to the SQLS QA team, with your name as the originator of the idea.

    I am told it will go through monthly triage on Thursday.

  • Couldn't agree with you more.

    I work in an academic clinical research unit; there's a fair amount of extremely sensitive data about; the price difference between standard edition (with generous educational discount, thank you Microsoft) and Enterprise edition (smaller / no discount) is greater in these circumstances.

  • I'm going to have to disagree here. One of the direct concerns for TDE is the separation of data and hosting instance. In a scenario for laptops and the like, TDE is <nearly> pointless. Full disk encryption is necessary, as mentioned above.

    The idea of TDE on a drive on a machine that's just been lifted being a protection point is minimal, unless your thieves just can't brute force a password for the local sa, which is kinda silly to believe once the machine's in their hands. Sure, it's an additional layer of time, but not really protection until we start low-jacking the portable physical units.

    Now, TDE on standard I would agree should exist, since even small businesses should be worried about their data. A wizard for dummies and basic protection should exist too for those shops.

    For Express because of laptops? That seems a stretch to me.


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

    For better assistance in answering your questions | Forum Netiquette
    For index/tuning help, follow these directions. | Tally Tables

    Twitter: @AnyWayDBA

  • OCTom (12/5/2011):
    I think the stupid decision is to put sensitive information on mobile devices and media. That data needs to be siloed and protected.

    You're missing the point. It's not all data on mobile, you might need to access some data, or carry some. Think salespeople; they don't need all customer data, but they might need their data.

    It's not always a connected world, and you can't limit access to data to certain workstations in certain places.

  • paul.knibbs (12/5/2011):
    I kind of disagree here. In the case of laptops, if there is any sensitive data on there at all--doesn't matter if this is in the form of SQL databases, Office documents, or compromising photos of the CEO from the office Xmas party--then full-disk encryption is the way to go. In addition, one assumes that the laptop does not contain the *only* copy of this data, so there shouldn't be a need to keep local backups of it in any case! TDE is not the right tool for the job in this particular instance.

    That isn't to say that it wouldn't be incredibly useful if TDE were available in more editions of SQL server, of course, just that the quoted example doesn't work IMHO.

    Backups are the big issue here with me. I too prefer FDE

  • Revenant (12/5/2011):
    Steve, I passed your suggestion to the SQLS QA team, with your name as the originator of the idea.

    I am told it will go through monthly triage on Thursday.

    Thanks. Not sure if that means I'll get an email from QA or never get an email again from the QA team.

  • Evil Kraig F (12/5/2011):
    For Express because of laptops? That seems a stretch to me.

    Does the inclusion/use of TDE on Express preclude or interfere with FDE? Not sure this is an either/or decision.

  • Steve Jones - SSC Editor (12/5/2011):
    Evil Kraig F (12/5/2011):
      For Express because of laptops? That seems a stretch to me.

    Does the inclusion/use of TDE on Express preclude or interfere with FDE? Not sure this is an either/or decision.

    As far as I know, no. The TDE is software encryption after going through the data-access drivers which get the FDE, which is also a software encryption but is closer to the drive access drivers.

    It's not an either/or. I just don't see the value. I might see value for shops running a lot of shards off Express so there's local SoR downloads from the primary site for data-transfer speeds, with writes back to the main SoR, but not when they can take the physical instance (and the unencryption keys already installed and implemented) along with the files, and just hook said drive into a more robust machine, ready to go with a second drive of all their password crack software. The FDE can block that, TDE can't. Once they break the FDE the TDE is nothing more than a single password away, which is the easiest piece of the hacker concern for anything without foreign lockouts. They can ignore their own firewall whining about failed logins.


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

    For better assistance in answering your questions | Forum Netiquette
    For index/tuning help, follow these directions. | Tally Tables

    Twitter: @AnyWayDBA
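The key-hierarchy point Craig and Steve are arguing about is easiest to see in the T-SQL that turns TDE on. The script below is an added example for a hypothetical database named SalesDb (not from any poster in this thread); the paths and passwords are placeholders, and it assumes an edition that supports TDE.

```sql
-- Key hierarchy: Service Master Key (SMK, machine-bound) -> Database Master
-- Key (DMK) -> server certificate -> Database Encryption Key (DEK) -> pages.
USE master;
GO
-- The DMK is, by default, also protected by the SMK, so the instance opens
-- it on its own at startup. That is why stealing the whole machine with the
-- instance intact gives an attacker the open keys: nothing here stops
-- someone who already has sysadmin on this instance from reading the data.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder DMK password>';
GO
CREATE CERTIFICATE SalesDbTdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- Back up the certificate and private key right away and store them away
-- from the server. A TDE database (or its .bak) restored on any other
-- instance is unreadable until this certificate is imported there, which is
-- exactly the protection TDE offers for files and backups that walk away.
BACKUP CERTIFICATE SalesDbTdeCert
    TO FILE = '<placeholder path>\SalesDbTdeCert.cer'
    WITH PRIVATE KEY (
        FILE = '<placeholder path>\SalesDbTdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder private key password>');
GO
USE SalesDb;
GO
-- The DEK lives inside the database and is itself encrypted by the
-- server certificate above; it never leaves the database in clear form.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE SalesDbTdeCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Verify. encryption_state: 2 = encryption in progress, 3 = encrypted.
-- tempdb shows up here too: it is encrypted automatically once any user
-- database on the instance is.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       percent_complete
FROM sys.dm_database_encryption_keys;
```

Note that the data is decrypted as pages are read into the buffer pool, so TDE covers the .mdf/.ldf files and backups at rest but not anything a logged-in user can query, which is the gap full-disk encryption and instance hardening have to fill.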
