Encryption By Certificate and Security

I'm using SQL Server's built-in encryption security for some of my data. Specifically, I'm going to use certificates because they seem easier to migrate from one server to another. Fine, no problem, I pretty much understand it all and anything I don't understand I can figure out.

Here is something I'm not understanding. Let's say someone breaks into my DB server and then breaks into one of my DBs. They go into a table, see encrypted credit card data and then start fishing through my stored procedures. They find the SPs I use to encrypt and decrypt the CC numbers. Now they know exactly what cert I use to do this with. Since they are already in my DB, all they need to do is run my decrypt SP, and they have all those CC numbers. WHAT AM I MISSING? I know something in my logic is wrong or else encryption wouldn't be secure really at all. Explain to me how I need to set this up to stop what I'm talking about from happening, or explain to me why what I'm talking about won't happen.

1 Solution
First, there is no such thing as PERFECT security. The idea of all these technologies is making it more difficult for the information to be accessed. I would first hope that no one would be able to gain SA access to your SQL server, because that is another security issue entirely. Your server should be well secured with accounts that have strong passwords, and unauthenticated users should never be able to view and definitely not run your SPs. The scenario you are presenting seems like someone that gained physical access to the SQL server and found a sticky note with all the passwords. Let's just assume that isn't going to happen, because if that happens then of course it isn't going to be secured.

Encrypting the data makes it so that no one can just arbitrarily run queries against your database and extract meaningful information. Perhaps you have heard of SQL injection in web applications; this is where the cert would keep your data safe. Generally, encryption is to keep data from being sent as plaintext to the user during standard operation of querying and presenting data.

I don't know how else to put it, but you're assuming too much by thinking that someone would be able to get that kind of access to your server, and encryption is not meant to stop someone once they have already compromised you that far.

davidcahan (Author) commented:
That's all I wanted to hear. I just wasn't sure how far the encryption was supposed to be able to secure my data.
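
The separation the answer describes, as an added T-SQL example that is not part of the original thread: the account the web application queries with can read the table but only ever sees ciphertext, while decryption is confined to one procedure that a separate account may execute. All object names, users and the password are hypothetical placeholders, and the script assumes a scratch database that does not yet have a database master key.

```sql
-- Constructed demo objects; every name and password below is a placeholder.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card number encryption';
GO
CREATE TABLE dbo.Cards (
    CardId  int IDENTITY PRIMARY KEY,
    CardEnc varbinary(512) NOT NULL      -- ciphertext only, never plaintext
);
INSERT dbo.Cards (CardEnc)
VALUES (ENCRYPTBYCERT(CERT_ID('CardCert'), N'4111111111111111'));  -- constructed test number
GO
-- Decryption runs in the owner's context, so callers need EXECUTE on the
-- procedure but never hold CONTROL on the certificate themselves.
CREATE PROCEDURE dbo.GetCard @CardId int
WITH EXECUTE AS OWNER
AS
    SELECT CONVERT(nvarchar(32),
                   DECRYPTBYCERT(CERT_ID('CardCert'), CardEnc)) AS CardNumber
    FROM dbo.Cards
    WHERE CardId = @CardId;
GO
CREATE USER WebApp  WITHOUT LOGIN;   -- account the web site queries with
CREATE USER Billing WITHOUT LOGIN;   -- account allowed to see card numbers
GRANT SELECT  ON dbo.Cards   TO WebApp;
GRANT EXECUTE ON dbo.GetCard TO Billing;
GO
-- What a query running as WebApp (for example via SQL injection) can see:
EXECUTE AS USER = 'WebApp';
SELECT CardEnc FROM dbo.Cards;                                      -- ciphertext bytes
SELECT DECRYPTBYCERT(CERT_ID('CardCert'), CardEnc) FROM dbo.Cards;  -- NULL: no permission on the certificate
-- EXEC dbo.GetCard @CardId = 1;  -- would fail: EXECUTE permission denied
REVERT;
GO
-- The one account that was granted the decrypt procedure:
EXECUTE AS USER = 'Billing';
EXEC dbo.GetCard @CardId = 1;                                       -- plaintext card number
REVERT;
GO
```

As the answer says, none of this constrains someone who already holds db_owner or sysadmin rights; it limits what ordinary query-level access can read.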
