Encryption in the Same Network

  • Question

  • Hi,

    My website is hosted on SSL. As per the business rules, I need to store some sensitive data in encrypted form in the database.

    As I have SSL, user input from the client to the web server will be taken care of by SSL (it is encrypted). And I have my DB server in the same network.

    So my question is: DO I NEED TO ENCRYPT THE DATA FROM THE WEB SERVER TO THE DB SERVER, given that they are in the same network?

    I thought of encrypting/decrypting in the back end.

    But I just want experts' suggestions on this: what would be the best practice?

    Thanks

    Tuesday, October 5, 2010 4:37 AM

All replies

  • The best practice would be to start with a threat model, evaluate what threats you are concerned about, and then devise the appropriate level of mitigation.

    My personal opinion would be to have the web server encrypt the data before sending it to the database (and decrypt it on retrieval).

    The real question then becomes where and how you store the key used for encrypting and decrypting. In the past we've used nCipher devices to securely store the keys.

    Microsoft Test - http://tester.poleyland.com/
    Tuesday, October 5, 2010 3:48 PM
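The approach in the reply above (the web server encrypts before the value leaves for the database, decrypts on retrieval, and the key is held somewhere the DB server never sees) as an added Go example. This is not code from the thread or from any nCipher product: `KeyStore` is a hypothetical stand-in for an HSM or key service, the master key, the customer IDs and the card-number-shaped values are constructed for the demo, and the "table" is just a struct. It goes one step further than the reply by using a fresh data key per row, wrapped under the master key, and by binding the row ID into the authentication tag so a ciphertext copied from one row to another is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// KeyStore stands in for the HSM/key service of the reply: the master key lives
// on the web tier and never reaches the DB server. Hypothetical, not a real HSM API.
type KeyStore struct{ master cipher.AEAD }

func NewKeyStore(masterKey []byte) (*KeyStore, error) {
	aead, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	return &KeyStore{master: aead}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob returns nonce || ciphertext || tag, with a fresh random nonce.
func sealBlob(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openBlob(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if ns := aead.NonceSize(); len(blob) >= ns+aead.Overhead() {
		return aead.Open(nil, blob[:ns], blob[ns:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short (%d bytes)", len(blob))
}

// Row is what actually reaches the database: no plaintext and no master key.
type Row struct {
	ID         string
	WrappedKey []byte // per-row data key, encrypted under the master key
	Ciphertext []byte // the sensitive value, encrypted under the data key
}

// EncryptRow uses a fresh 256-bit data key per row and binds the row ID as
// associated data, so a ciphertext copied into another row will not decrypt.
func (ks *KeyStore) EncryptRow(id string, secret []byte) (Row, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Row{}, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return Row{}, err
	}
	ct, err := sealBlob(dataAEAD, secret, []byte(id))
	if err != nil {
		return Row{}, err
	}
	wrapped, err := sealBlob(ks.master, dek, []byte(id))
	if err != nil {
		return Row{}, err
	}
	return Row{ID: id, WrappedKey: wrapped, Ciphertext: ct}, nil
}

func (ks *KeyStore) DecryptRow(r Row) ([]byte, error) {
	dek, err := openBlob(ks.master, r.WrappedKey, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap key for %s: %w", r.ID, err)
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return openBlob(dataAEAD, r.Ciphertext, []byte(r.ID))
}

// DemoMasterKey is a constructed 32-byte key for this example only.
func DemoMasterKey() []byte { return []byte("example-only-master-key-32bytes!") }

func main() {
	ks, _ := NewKeyStore(DemoMasterKey()) // key length is fixed above, so no error here
	a, _ := ks.EncryptRow("customer/42", []byte("4111 1111 1111 1111")) // constructed sample rows
	b, _ := ks.EncryptRow("customer/43", []byte("5500 0000 0000 0004"))
	fmt.Printf("DB server holds: %x\n", a.Ciphertext)
	pt, err := ks.DecryptRow(a)
	fmt.Printf("web tier reads: %s (err=%v)\n", pt, err)
	a.Ciphertext = b.Ciphertext // move one row's ciphertext into another
	_, err = ks.DecryptRow(a)
	fmt.Println("swapped ciphertext rejected:", err != nil)
}
```

With this layout the DB server, a DBA, a backup tape, or anything that can see the web-to-DB hop only ever holds `WrappedKey` and `Ciphertext`; the master key stays on the web tier (or inside the HSM). What it does not cover is a compromised web server, which necessarily holds the key in memory, and it is no substitute for the threat model the reply asks for: if that model includes an attacker on the internal network, transport encryption to the DB server is a separate control from encrypting the stored values.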