[Hidden-tech] New Massachusetts Encryption Law

Chris Hoogendyk hoogendyk at bio.umass.edu
Fri Feb 27 16:55:59 EST 2009



Graham Clarke wrote:
> We've had to do data encryption for banking and health care.  Here are 
> a couple of lessons learned:
>
> 1) live two-way encryption is a lot different than just encrypting 
> backed up data
> 2) the cost of application security is more exponential than linear
> 3) encryption and decryption can impose a large performance penalty on 
> your application. 5) how good is good enough?  the stronger the 
> encryption the larger the more horsepower you need
> 6) data encryption is only 1 piece of your application security.  
> locking the doors is silly if you leave all the windows open or leave 
> the keys under the door mat.  do a system wide security evaluation
> 7) what are the industry standards? PCI for credit cards -- 
> https://www.pcisecuritystandards.org/, HIPAA, etc ...
> 8) harden your servers 

Good information (aside from what got encrypted somewhere between 3 and 
6 ;-) ).

On point 8, I think I may have forwarded this to the list before, but 
it doesn't hurt to do it again. The NSA provides guides to securing 
various applications and operating systems:

   http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml



-- 
---------------

Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst 

<hoogendyk at bio.umass.edu>

--------------- 

Erdös 4
