[Hidden-tech] New Massachusetts Encryption Law

Graham Clarke grahamc at 53tech.com
Fri Feb 27 14:04:14 EST 2009


We've had to do data encryption for banking and health care.  Here are a 
couple of lessons learned:

1) live two-way encryption is a lot different than just encrypting 
backed-up data
2) the cost of application security is more exponential than linear
3) encryption and decryption can impose a large performance penalty on 
your application. 
5) how good is good enough?  the stronger the encryption, the more 
horsepower you need
6) data encryption is only 1 piece of your application security.  
locking the doors is silly if you leave all the windows open or leave 
the keys under the door mat.  do a system wide security evaluation
7) what are the industry standards? PCI for credit cards -- 
https://www.pcisecuritystandards.org/, HIPAA, etc ...
8) harden your servers

hope this helps,

Graham

-- 
Graham Clarke
53 Technology

+ www.53tech.com
+ grahamc at 53tech.com
+ 603-643-9955



aevans1958 at aol.com wrote:
>    ** Be sure to fill out the survey/skills inventory in the member's area.
>    ** If you did, we all thank you.
>
>
>   
>
> ------------------------------------------------------------------------
>
> I consult for the Massachusetts State Racing Commission and was 
> recently asked to revise programs written in Visual Basic which store 
> data in Access to encrypt private data.
> This request was in direct response to the new encryption law.  I will 
> be looking into how best to do this, and would welcome thoughts/suggestions.
>
> - Arthur Evans
>
>
> -----Original Message-----
> From: Roger Williams <roger at qux.com>
> To: David Korpiewski <davidk at cs.umass.edu>
> Cc: hidden-discuss at lists.hidden-tech.net
> Sent: Thu, 26 Feb 2009 12:17 pm
> Subject: Re: [Hidden-tech] New Massachusetts Encryption Law
>
> >>>>> David Korpiewski <davidk at cs.umass.edu> writes:
>
>   > I was just notified about a new Massachusetts data encryption law that is
>   > going into effect May 1, 2009.  It is pretty harsh and requires all data
>   > with personal information to be encrypted, even on backup tapes.
>
> IMHO, 201 CMR 17.00 is long overdue.
>
> Fortunately for folks responsible for implementing it, on 2/12 the Mass Office
> of Consumer Affairs and Business Regulation issued a few amendments -- and
> another extension.
>
> Under the extension, the rules will now take effect 1 January 2010.
>
> (The amendments make the standard for third party vendor relationships more
> reasonable, and -- for some unknown reason -- omit the requirement for
> encryption of personal data transmitted over public networks or wireless
> communications.)
>
> -- 
> Roger Williams <roger at qux.com>
> Chief Technical Officer, Qux Corporation
> 433 West Street, Suite 8, Amherst, MA 01002, USA
> Tel +1 413 253-6400 * Fax +1 508 302-0230 * GSM +1 508 287-1420
> _______________________________________________
> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> Hidden-discuss at lists.hidden-tech.net
>
> You are receiving this because you are on the Hidden-Tech Discussion list.
> If you would like to change your list preferences, Go to the Members   
> page on the Hidden Tech Web site.
> http://www.hidden-tech.net/members


