Optimizing Protected Indexes

•Download as PPTX, PDF•

0 likes•448 views

This document discusses different methods for encrypting and protecting data at rest and in transit. It compares hashing and encryption techniques, and evaluates them based on requirements like encrypting data at the object level while allowing decryption, avoiding changes to application code, and minimizing performance impacts. The document demonstrates encryption using a hash grouping technique on sample data and discusses options like salting hashes to improve security. It also highlights that new technologies may eventually crack encryption algorithms and that encryption standards will need to evolve over time.

Technology

Optimizing
Protected
Indexes
aka: “Indexing” encrypted data

Agenda
• Scenarios of data exposure
• Data in transit vs. Data at rest
• Discuss personal experience
• Hash or Encryption – How to choose?
• Demo #1
• Discuss how to improve
• Demo #2
• Final summary and questions
http://reedbookmanreunion.com/images/agenda.jpg

50 million users
may have been compromised
Name, email, address, “encrypted” passwords

4.7 million SSN
3.3 million bank account #s

“While encryption of data at rest is an effective defense-in-depth
technique, encryption is not currently required for FTI
(Federal Tax Information) while it resides on a system (e.g., in files
or in a database) that is dedicated to receiving, processing, storing
or transmitting FTI, is configured in accordance with the IRS
Safeguards Computer Security Evaluation Matrix (SCSEM)
recommendations and is physically secure restricted area behind
two locked barriers. This type of encryption is being evaluated by
the IRS as a potential policy update in the next revision of the
Publication 1075.”

Data at rest is not required to be encrypted
http://www.irs.gov/uac/Encryption-Requirements-of-IRS-Publication-1075

http://www.petapixel.com/assets/uploads/2009/12/Storybook-Wolf-by-Jose-Lu-0011.jpg

 Data at object level had to be protected

 Had to be able to decrypt the value
 No change to existing application code, SQL code ok
 Minimal Impact on performance

http://shawnram.files.wordpress.com/2010/10/criteria1.jpg

http://www.thephatstartup.com/wp-content/uploads/2012/08/dont-worry-i-got-this.jpg

Does:
• Encrypt the MDF and LDF files via symmetric key
• Encrypt files and trans log for log shipped / mirrored
• Affect performance since tempdb is encrypted too

Does not:
•
•
•
•
•
•

encrypt data at the object level.
support instant file initialization for database files.
interact well with backup compression.
encrypt read only filegroups.
encrypt databases used in replication topologies.
encrypt filestream data.

HASH!!
http://www.thesouthinmymouth.com/wp-content/uploads/2012/01/corned-beef-hash.jpg

Salt your Hashes

http://www.f1online.pro/en/image-details/4832529.html

http://kingdombard.files.wordpress.com/2010/06/one_way_by_cellogirl19.jpg

http://www.swiss-banking-antiques.com/images/bbposte60mmperspective-750.png

http://cdn.zmescience.com/wp-content/uploads/2012/12/fresh-sliced-bread.jpg

Options?

http://www.miamism.com/wp-content/uploads/m/blogs/miamism/options.jpg

Hash Grouping
Generate a value
From a hash algorithm
and store only the end
result value.

http://kennybriscoe.com/wp-content/uploads/2011/02/lightbulb-idea.jpg

New GPU systems
crack 14 character passwords
in about 6 minutes

Potential breaking times of various Hash Algorithms:
• SHA1: 63G / sec
• LM: 20G / sec
• Bcrypt: 71k /sec
*Not been able to find stats for AES_256 (SQL Encryption)
because no one is really bothering to try
http://www.club-3d.com/tl_files/club3d/uploads/en/content/Technology/AMD/CrossFireX/3waycrossfire.png

http://imgix.8tracks.com/mix_covers/000/593/175/94743.original.jpg?fm=jpg&q=65&sharp=15&vib=10&w=521&h=521&fit=crop

@CBELLDBA

Chris@WaterOxConsulting.com

www.WaterOxConsulting.com

Image by: Master isolated images on www.freedigitalphotos.net

This paper explores two questions: What methods can be used to deceive someone who is in an investigative role into trusting an object which has been exploited? What kind of impact does operating system and application run-time linking have on live investigations? After experimenting with dynamic object dependencies and kernel modules in the UNIX environment, it is the opinion of the authors that run-time linking can be exploited to alter the execution of otherwise trusted objects. This can be accomplished without having to modify the objects themselves. If an investigator trusts an inherently un-trusted object, it can result in the possible misdirection of a digital investigation.

Computer ForensicTawhidur Rahman

Anti forensicMilap Oza

Deep Web and Digital Investigations

Damir Delija

Draft current state of digital forensic and data science

Damir Delija

In this presentation we will introduce current state of digital forensics, its positioning in general IT security and relations with data science and data analyses. Many strong links exist among this technical and scientific fields, usually this links are not taken into consideration. For data owners, forensic researchers and investigators this connections and data views presents additional hidden values.

Digital forensics Steps

gamemaker762

Download DOC word file from below Links: Link 1 :http://gestyy.com/eiT4WO Link 2: http://fumacrom.com/RQUm Disclaimer: Above doc file is only for education purpose only Process of Digital forensics Identification Preservation Analysis 4. Presentation and Reporting: 5. Disseminating the case: What is acquisition in digital forensics? How to handle data acquisition in digital forensics Types of Digital Forensics Disk Forensics Network Forensics Wireless Forensics Database Forensics

Dama - Protecting Sensitive Data on a Database

johanswart1234

Digital forensics track schroader-rob when forensics collide

ISSA LA

Crowdsourcing Speech Data Science and AI

Crowdsourcing Week

O365Con18 - Threat Modeling for SharePoint - Ivan Vagunin

NCCOMMS

Opentext Decisiv

Marc St-Pierre

In today’s increasingly competitive world, accelerated speed to identifying relevant and hidden knowledge, internal expertise and experience is critical to meeting client demands, securing new clients and cases, reviewing precedents and outcomes and leveraging collective IP for the strategic advantage. OpenText Decisiv instantly finds, organizes, and helps gain insights from your data for the competitive advantage. To learn more, email salt@opentext.com

SujitSujit George

Content Disarm Reconstruction & Cyber Kill Chain

Muhammad Sahputra

How to break the delivery stage of cyber kill chain was the main topic I delivered last sunday during IDSECCONF 2018 in Malang. Cyber kill chain wasn’t new at all, it was there since long time, the term popularized by lockheed martin few years ago to help industry identify methodology / technology to prevent cyber attack. I covered signatured based malware detection, sandboxing, artificial intelligence, and introducing “content disarm reconstruction” in details. IDSECCONF is always about contributing back to community since we learnt from community many years ago. I hope what I’ve learn from Industry related to CDR technology can be beneficial to the Indonesian IT security community.

Content Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra

idsecconf

Trust in a Digital World

itnewsafrica

Digital Finance Africa 2022 - https://itnewsafrica.com/event/ -hosted by IT News Africa is the definitive annual event on technology leadership in the financial services industry. It asks the hard questions not asked in other conferences, and identifies the skills required to steer a course in an age where the entire industry is transforming rapidly. This is a Summit for bold, visionary leaders who are willing to take calculated risks as much as they are willing to consolidate, who know what to give up as much as what they expect to gain.

Data base system.pptx

MrwafaAbbas

Web & Cloud Security in the real world

Madhu Akula

What's hot

Digital Forensics Projects Assistance

Network Simulation Tools

WWW.DSS.LV - Data Protection Basics 2015 - DeviceLock

Andris Soroka

Five steps to secure big data

Ulf Mattsson

Digital Forensics best practices with the use of open source tools and admiss...Sagar Rahurkar

Digital Forensics Workshop

Tim Fletcher

Digital Anti-Forensics: Emerging trends in data transformation techniques

Seccuris Inc.

Computer ForensicTawhidur Rahman

Anti forensicMilap Oza

Deep Web and Digital Investigations

Damir Delija

Draft current state of digital forensic and data science

Damir Delija

Digital forensics Steps

gamemaker762

Dama - Protecting Sensitive Data on a Database

johanswart1234

Digital forensics track schroader-rob when forensics collide

ISSA LA

Crowdsourcing Speech Data Science and AI

Crowdsourcing Week

O365Con18 - Threat Modeling for SharePoint - Ivan Vagunin

NCCOMMS

Opentext Decisiv

Marc St-Pierre

SujitSujit George

What's hot (17)

Digital Forensics Projects Assistance

WWW.DSS.LV - Data Protection Basics 2015 - DeviceLock

Five steps to secure big data

Digital Forensics best practices with the use of open source tools and admiss...

Digital Forensics Workshop

Digital Anti-Forensics: Emerging trends in data transformation techniques

Computer Forensic

Anti forensic

Deep Web and Digital Investigations

Draft current state of digital forensic and data science

Digital forensics Steps

Dama - Protecting Sensitive Data on a Database

Digital forensics track schroader-rob when forensics collide

Crowdsourcing Speech Data Science and AI

O365Con18 - Threat Modeling for SharePoint - Ivan Vagunin

Opentext Decisiv

Sujit

Similar to Optimizing Protected Indexes

Content Disarm Reconstruction & Cyber Kill Chain

Muhammad Sahputra

Content Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra

idsecconf

Trust in a Digital World

itnewsafrica

Data base system.pptx

MrwafaAbbas

Web & Cloud Security in the real world

Madhu Akula

Využijte svou Oracle databázi na maximum!

MarketingArrowECS_CZ

Apache Spark vs Apache Spark: An On-Prem Comparison of Databricks and Open-So...

Databricks

Asug84339 how to secure privacy data in a hybrid s4 hana landscape

Dharma Atluri

Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...

HostedbyConfluent

Mitigating One Million Security Threats With Kafka and Spark With Arun Janarthnam | Current 2022 Citrix Analytics (Security), a user behavior analytics service, protects 100’s of companies from risks and threats posed by users. The service processes 3 billion events per day and can identify security threats in under a minute. Kafka is the backbone of our real-time platform. It seamlessly glues the numerous stages required for ETL, Feature Extraction, Model Training & Serving, data access etc and enables us to develop new products faster. In this session, we will talk about how, in the last 6 months, 7M risk indicators were triggered and 1M threat mitigating actions were taken, and the integral role Kafka played in achieving it. We would also like to share some interesting ways Kafka is used at Citrix. Like, how topics are auto provisioned, and security is handled in a multi-tenant, public facing “northbound” Kafka cluster and the Kafka + Spark optimizations that reduced the cost of running 100’s of streaming jobs.

Application of Machine Learning in Cybersecurity

Pratap Dangeti

Essential Layers of IBM i Security: File and Field Security

Precisely

Extending Information Security to Non-Production Environments

LindaWatson19

Understanding Database Encryption & Protecting Against the Insider Threat wit...MongoDB

Data Leakage Prevention

Microsoft TechNet - Belgium and Luxembourg

Hadoop and Big Data Security

Chicago Hadoop Users Group

Where to Store the Cloud Encryption Keys - InterOp 2012

Trend Micro

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...

DataStax

This talk will review the advanced security features in DataStax Enterprise and discuss best practices for secure deployments. In particular, topics reviewed will cover: Authentication with Kerberos & LDAP/Active Directory, Role-based Authorization and LDAP role assignment, Auditing, Securing network communication, Encrypting data files and using the Key-Management Interoperability Protocol (KMIP) for secure off-host key management. The talk will also suggest strategies for addressing security needs not met directly by the built-in features of the database such as how to address applications that require Attribute Based Access Control (ABAC). About the Speaker Matt Kennedy Sr. Product Manager, DataStax Matt Kennedy works at DataStax as the product manager for DataStax Enterprise Core. Matt has been a Cassandra user and occasional contributor since version 0.7 and was named a Cassandra MVP in 2013 shortly before joining DataStax. Unlike Cassandra, Matt is not partition tolerant.

MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...

MongoDB

Many applications with high-sensitivity workloads require enhanced technical options to control and limit access to confidential and regulated data. In some cases, system requirements or compliance obligations dictate a separation of duties for staff operating the database and those who maintain the application layer. In cloud-hosted environments, certain data are sometimes deemed too sensitive to store on third-party infrastructure. This is a common pain for system architects in the healthcare, finance, and consumer tech sectors — the benefits of managed, easily expanded compute and storage have been considered unavailable because of data confidentiality and privacy concerns. This session will take a deep dive into new security capabilities in MongoDB 4.2 that address these scenarios, by enabling native client-side field-level encryption, using customer-managed keys. We will review how confidential data can be securely stored and easily accessed by applications running on MongoDB. Common query design patterns will be presented, with example code demonstrating strong end-to-end encryption in Atlas or on-premise. Implications for developers and others designing systems in regulated environments will be discussed, followed by a Q&A with senior MongoDB security engineers.

Beware the Firewall My Son: The Workshop

Michele Chubirka

Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.

Expand Your Control of Access to IBM i Systems and Data

Precisely

Controlling all the ways your company’s data is being accessed, especially given the proliferation of open source software and other non-traditional data-access methods, is critical to ensuring security and regulatory compliance. This webinar reviews the different ways your data can be accessed, discusses how exit points work and how they can be managed, and why a global data access control strategy is especially important to efficiently protect sensitive data against unwanted access. Topics include: • IBM i access methods and risks • Using exit programs to block traditional and modern access methods • Real life examples and perspectives

Similar to Optimizing Protected Indexes (20)

Content Disarm Reconstruction & Cyber Kill Chain

Content Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra

Trust in a Digital World

Data base system.pptx

Web & Cloud Security in the real world

Využijte svou Oracle databázi na maximum!

Apache Spark vs Apache Spark: An On-Prem Comparison of Databricks and Open-So...

Asug84339 how to secure privacy data in a hybrid s4 hana landscape

Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...

Application of Machine Learning in Cybersecurity

Essential Layers of IBM i Security: File and Field Security

Extending Information Security to Non-Production Environments

Understanding Database Encryption & Protecting Against the Insider Threat wit...

Data Leakage Prevention

Hadoop and Big Data Security

Where to Store the Cloud Encryption Keys - InterOp 2012

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...

MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...

Beware the Firewall My Son: The Workshop

Expand Your Control of Access to IBM i Systems and Data

Recently uploaded

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Peter Spielvogel

Building better applications for business users with SAP Fiori. • What is SAP Fiori and why it matters to you • How a better user experience drives measurable business benefits • How to get started with SAP Fiori today • How SAP Fiori elements accelerates application development • How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities • How SAP Fiori paves the way for using AI in SAP apps

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Communications Mining Series - Zero to Hero - Session 1

DianaGray10

This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered: • Communication Mining Overview • Why is it important? • How can it help today’s business and the benefits • Phases in Communication Mining • Demo on Platform overview • Q/A

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Recently uploaded (20)

National Security Agency - NSA mobile device best practices

Video Streaming: Then, Now, and in the Future

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Elevating Tactical DDD Patterns Through Object Calisthenics

Communications Mining Series - Zero to Hero - Session 1

A tale of scale & speed: How the US Navy is enabling software delivery from l...

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Introduction to CHERI technology - Cybersecurity

20240605 QFM017 Machine Intelligence Reading List May 2024

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

By Design, not by Accident - Agile Venture Bolzano 2024

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

FIDO Alliance Osaka Seminar: Overview.pdf

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

20240607 QFM018 Elixir Reading List May 2024

Optimizing Protected Indexes

1. Optimizing Protected Indexes aka: “Indexing” encrypted data

2. Comic from Dilbert.com

3. Agenda • Scenarios of data exposure • Data in transit vs. Data at rest • Discuss personal experience • Hash or Encryption – How to choose? • Demo #1 • Discuss how to improve • Demo #2 • Final summary and questions http://reedbookmanreunion.com/images/agenda.jpg

4. 50 million users may have been compromised Name, email, address, “encrypted” passwords

5. 4.7 million SSN 3.3 million bank account #s

6. “While encryption of data at rest is an effective defense-in-depth technique, encryption is not currently required for FTI (Federal Tax Information) while it resides on a system (e.g., in files or in a database) that is dedicated to receiving, processing, storing or transmitting FTI, is configured in accordance with the IRS Safeguards Computer Security Evaluation Matrix (SCSEM) recommendations and is physically secure restricted area behind two locked barriers. This type of encryption is being evaluated by the IRS as a potential policy update in the next revision of the Publication 1075.” Data at rest is not required to be encrypted http://www.irs.gov/uac/Encryption-Requirements-of-IRS-Publication-1075

7. 94 million credit cards

10. Data in Transit

11. Data at Rest

12. http://www.petapixel.com/assets/uploads/2009/12/Storybook-Wolf-by-Jose-Lu-0011.jpg

13. Change is coming

14.

15.  Data at object level had to be protected  Had to be able to decrypt the value  No change to existing application code, SQL code ok  Minimal Impact on performance http://shawnram.files.wordpress.com/2010/10/criteria1.jpg

16. http://www.thephatstartup.com/wp-content/uploads/2012/08/dont-worry-i-got-this.jpg

17. What method?

18. Does: • Encrypt the MDF and LDF files via symmetric key • Encrypt files and trans log for log shipped / mirrored • Affect performance since tempdb is encrypted too Does not: • • • • • • encrypt data at the object level. support instant file initialization for database files. interact well with backup compression. encrypt read only filegroups. encrypt databases used in replication topologies. encrypt filestream data.

19.  Data at object level had to be protected  Had to be able to decrypt the value  No change to existing application code, SQL code ok  Minimal Impact on performance http://shawnram.files.wordpress.com/2010/10/criteria1.jpg

20. HASH!! http://www.thesouthinmymouth.com/wp-content/uploads/2012/01/corned-beef-hash.jpg

21. Salt your Hashes http://www.f1online.pro/en/image-details/4832529.html

22. http://kingdombard.files.wordpress.com/2010/06/one_way_by_cellogirl19.jpg

23. Collisions

24.  Data at object level had to be protected  Had to be able to decrypt the value  No change to existing application code, SQL code ok  Minimal Impact on performance http://shawnram.files.wordpress.com/2010/10/criteria1.jpg

25. Encryption

26.

27. http://www.swiss-banking-antiques.com/images/bbposte60mmperspective-750.png http://cdn.zmescience.com/wp-content/uploads/2012/12/fresh-sliced-bread.jpg

28. DEMO

29.  Data at object level had to be protected  Had to be able to decrypt the value  No change to existing application code, SQL code ok  Minimal Impact on performance http://shawnram.files.wordpress.com/2010/10/criteria1.jpg

30. Options? http://www.miamism.com/wp-content/uploads/m/blogs/miamism/options.jpg

31.

32. Hash Grouping Generate a value From a hash algorithm and store only the end result value. http://kennybriscoe.com/wp-content/uploads/2011/02/lightbulb-idea.jpg

33.

34.  Data at object level had to be protected  Had to be able to decrypt the value  No change to existing application code, SQL code ok  Minimal Impact on performance http://shawnram.files.wordpress.com/2010/10/criteria1.jpg

35. SUCCESS!

36. New GPU systems crack 14 character passwords in about 6 minutes Potential breaking times of various Hash Algorithms: • SHA1: 63G / sec • LM: 20G / sec • Bcrypt: 71k /sec *Not been able to find stats for AES_256 (SQL Encryption) because no one is really bothering to try http://www.club-3d.com/tl_files/club3d/uploads/en/content/Technology/AMD/CrossFireX/3waycrossfire.png

37. http://imgix.8tracks.com/mix_covers/000/593/175/94743.original.jpg?fm=jpg&q=65&sharp=15&vib=10&w=521&h=521&fit=crop

38. @CBELLDBA Chris@WaterOxConsulting.com www.WaterOxConsulting.com Image by: Master isolated images on www.freedigitalphotos.net

Optimizing Protected Indexes

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Similar to Optimizing Protected Indexes

Similar to Optimizing Protected Indexes (20)

Recently uploaded

Recently uploaded (20)

Optimizing Protected Indexes