Re: Where to keep encryption key , DB?
In comp.security.misc Niall Litchfield <n-litchfield_at_audit-commission.gov.uk> wrote:
> <pelln_at_icke-reklam.ipsec.nu.invalid> wrote in message
> news:9qemfv$nqf$2_at_nyheter.crt.se...
>> In comp.security.misc NetComrade <andreyNSPAM_at_bookexchange.net> wrote:
>> > We are planning to store credit card #'s in our database..
>>
>> The better method is : Don't try to obfuscate credit card info. MOVE IT
>> to a safe server.
>>
>> If a machine is exposed to Internet ( or other security hazards) it's
>> unwise to have any sensitive information on-line.
> This raises the question of how on earth do you conduct online commerce. Is
> it just impossible? If you are using an RDBMS to drive your ecommerce site
> then it has to have a communications channel to the internet site, though of
> course that channel should be secure etc. Maybe this is a FAQ on
> comp.security.misc but it isn't on the Oracle NG.
The simple answer is: don't run your e-commerce site from the exposed machines (like the webserver(s) itself), move all sensitive info to machines on safer networks. The webserver is just an "order recipient".
Running everything on one set of boxes will make any breakin dangerous; by layering the application, a single breakin might be quite manageable and non-fatal (as regards to the real assets). And since this was an Oracle tinted question, some communication needs might be best done outside Oracle. (No Oracle bashing, just a reminder that using proper tools at the right moment is better than using a hammer for everything.)
What's strange about this?
> --
> Niall Litchfield
> Oracle DBA
> Audit Commission UK
--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but I'm trying to keep spam out.
Remove "icke-reklam" and "invalid" and it works.

Received on Tue Oct 16 2001 - 04:55:30 CDT