On Wed, 22 May 2013, Steven Kurylo wrote:

How are you encrypting your server's disks, when they contain sensitive
information?

Are you doing full disk?

With auto boot? Or do you use Mandos, or similar?  Or enter the password
manually for each machine?

Or are you not bothering with encryption, and relying on your physical
security instead?

Though for data which falls under HIPAA, I understand it must be encrypted
on the server's disk.

Several years ago when I last dug into this field, what we were looking at going with was an appliance that would sit between a SAN/NAS storage device and the systems using it, doing the encryption transparently to the server.

For NAS devices, especially CIFS, this could do a lot of interesting things with user-based restrictions (a backup user could retrieve the file, but would get the encrypted version, while an authorized user would get the decrypted version).

For servers, the problem is that it really doesn't help a lot. It satisfies auditors who say you must encrypt your data. But the only thing it really protects you from is if you lose your hard drives (either someone breaks into your facility and steals drives from the servers, or you are careless in disposal of the drives).

Full disk encryption of local drives on the servers would theoretically give you similar protection, except that people are very reluctant to have servers that cannot boot up without human intervention, and for most servers, it's easier to steal (or dispose of) the entire server, and the drives have everything on them needed to decrypt the data, and will probably do so if you were to put them into a similar server and boot up.

David Lang
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
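One concrete way to check for the weakness David Lang describes (a server whose own drives carry everything needed to decrypt them) on a Linux host that unlocks volumes through crypttab. This is an added example, not code from the thread; the sample crypttab, the `classify_crypttab` and `audit_crypttab` names and the verdict rules are my own constructions.

```shell
#!/bin/sh
# Classify crypttab entries by where the unlock material lives.
# Standard crypttab layout: <target> <source> <keyfile> <options>
#   none / -            -> passphrase typed at boot (nothing stored on disk)
#   /dev/urandom        -> fresh random key each boot (swap/tmp, nothing to steal)
#   keyscript=... option-> key comes from a removable/network source via a script
#   any other path      -> keyfile on the server's own filesystem: stealing the
#                          whole box (or its drives) gives the attacker the key

# Constructed sample crypttab; not taken from any real host.
SAMPLE_CRYPTTAB='# target  source                                     keyfile                              options
data      UUID=11111111-2222-3333-4444-555555555555  none                                 luks
logs      /dev/sdb1                                  /etc/keys/logs.key                   luks
db        /dev/sdc1                                  /dev/disk/by-id/usb-KEYSTICK:/db.key keyscript=passdev,luks
cache     /dev/sdd1                                  /dev/urandom                         tmp,cipher=aes-xts-plain64
'

# Prints "<target> <verdict>" per entry: prompt, ephemeral, external or local-key.
classify_crypttab() {
    printf '%s\n' "$1" | while read -r target source keyfile options; do
        case "$target" in ''|'#'*) continue ;; esac      # skip blanks and comments
        case "$keyfile" in
            none|-)                   verdict=prompt ;;
            /dev/urandom|/dev/random) verdict=ephemeral ;;
            *) case "$options" in
                   *keyscript=*)      verdict=external ;;
                   *)                 verdict=local-key ;;
               esac ;;
        esac
        printf '%s %s\n' "$target" "$verdict"
    done
}

# Succeeds (exit 0) only when no volume relies on a keyfile stored locally.
audit_crypttab() {
    ! classify_crypttab "$1" | grep -q ' local-key$'
}

classify_crypttab "$SAMPLE_CRYPTTAB"
```

On a real host, feed it the output of `cat /etc/crypttab` instead of the constructed sample; an `external` verdict only says a keyscript is involved, so what that script actually fetches still has to be reviewed by hand.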
