Why encryption isn’t always the solution
Recently I had a conversation with someone who shipped a copy of an important financial database offsite to a consultant who was doing some work on it. Immediately my question was why, not only why he shipped it offsite but why it was necessary. This consultant works from home and pretty much refuses to come onsite for anything. There is the option of allowing her access to a machine internally to access the database but for some reason she insisted that she needed a local copy.
Shipping databases with live data offsite is and always has been a big No No for me. I expressed this to the individual, to which they said, “I know but it was encrypted.” Let’s think about that for a minute. The database being encrypted protects it in transfer, but that is about the extent of it. At that point you are relying on someone else to take the necessary precautions to ensure nothing happens to the data.
- You have no control over her machine which could be infected every which way from Sunday.
- You have no control over who she shares her computer with.
- You have no control over whether she keeps the data encrypted.
- You have no control over whether she carries that data with her on the unencrypted laptop.
- You have no control over whether she makes backup copies on USB drives or other media.
You get my point….
I think this raised an eyebrow because it prompted a phone call to the consultant to ask some of these questions. Turns out she never really thought of this and was actually very surprised to learn that if she lost her laptop, anyone with access to the machine could access the data. That level of misunderstanding on how this stuff works makes me a little nervous about entrusting her with data of this nature to begin with.
How about you?