Graham Clarke wrote:

> We've had to do data encryption for banking and health care. Here are
> a couple of lessons learned:
>
> 1) live two-way encryption is a lot different than just encrypting
> backed-up data
> 2) the cost of application security is more exponential than linear
> 3) encryption and decryption can impose a large performance penalty on
> your application.
> 5) how good is good enough? the stronger the encryption, the more
> horsepower you need
> 6) data encryption is only 1 piece of your application security.
> locking the doors is silly if you leave all the windows open or leave
> the keys under the door mat. do a system-wide security evaluation
> 7) what are the industry standards? PCI for credit cards --
> https://www.pcisecuritystandards.org/, HIPAA, etc ...
> 8) harden your servers

Good information (aside from what got encrypted somewhere between 3 and 6 ;-) ).

On point 8, I think I may have forwarded this to the list before, but it doesn't hurt to do it again. The NSA provides guides to securing various applications and operating systems:

http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml

--

---------------

Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk at bio.umass.edu>

---------------

Erdös 4