HP3000-L Archives

July 2007, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Pete Eggers <[log in to unmask]>
Date: Fri, 13 Jul 2007 13:54:42 -0700

First you need to know what the confidentiality parameters of the data
to be encrypted are.  There is no description of the problem, which
makes most of this discussion nebulous.

What is the cost of loss of confidentiality?  How would your business
be affected by the exposure of the information?

What is the value of the information to parties that would seek the
information?  Who are they?   What resources can they bring to bear?

Where are your vulnerabilities?  Are there more cost effective ways to
ensure confidentiality than encryption?

How do you secure the encryption keys from unauthorized access?  Is
detection of key exposure and duration important?  Cost per unit of
time of exposure?  How do you recover (i.e. re-encrypt data)?  What is
the cost of recovery?

Can the encryption key be lost?  If it is lost, can the data be
recovered?  If the data cannot be recovered, what is the cost to the
business?


When and how to encrypt any business data requires at least cursory
risk analysis.

A standalone system that contains HR information generally requires
confidentiality from all other personnel, including tech staff.  One
of the main uses of encryption.

Internally networked servers generally do not need encrypted
communications, depending on network configuration.

The bottom line is that there is nowhere near enough information presented
here to say that host data encryption is a waste of time, nor enough
information to say that any form of transmission of the data warrants
encryption.  Is this dangerous?  Is this important?  Maybe, maybe not,
the gross lack of information as to the business reason,
vulnerabilities, threats, and general consequences of confidentiality
failure are completely unknown here.

Pete


On 7/13/07, Tracy Johnson <[log in to unmask]> wrote:
> Encryption of data on the host itself is really a waste of time.  Why?  Unless
> there is no access control at the host?
>
> Encryption during transmission between two computers is usually how it is done
> because that is when data is vulnerable.
>
> Larry Page wrote:
> > Mark,
> >
> > Thank you for the details. We are looking to encrypt one field in some of the datasets that we have, i.e. encryption of data in the database. You mention external routines; are there routines readily available which can be used on the MPE? I agree that AES is a better encryption procedure, but programming that will be time consuming. It would be great if there was a pre-tested and packaged routine available for MPE.... Could you please share your experience on this.... That would be very helpful
> >
> > -Thank you
> >
> --
> BT
>
> Tracy Johnson
> Justin Thyme Productions
> Ye olde free telnet games at:
> http://hp3000.empireclassic.com/
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
>
