Re: security

From: David Fetter <david(at)fetter(dot)org>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: security
Date: 2005-02-06 07:00:28
Message-ID: 20050206070028.GH9539@fetter.org
Lists: pgsql-general

On Sat, Feb 05, 2005 at 09:08:00PM -0500, Ron Peterson wrote:
> I would like to be able to assert that the security of data stored
> as a value in a PostgreSQL table can be as high as the security of
> saving that same piece of data to a file on disk. Would that be
> correct?

I hate to put it so bluntly, but "security" isn't a product that you
buy or a service that you use. It's not even a rigid set of
procedures, however well-thought-out such a set might be.

Instead, it's a large and by its nature flexible set of processes that
you must implement and keep up to date. What distinguishes security
in the computer field from other kinds of things involving computers
is the existence of one or more attackers. In re: how to do security,
I'll quote Bruce Schneier's 5-step security evaluation:

1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How well does the security solution mitigate those risks?
4. What other risks does the security solution cause?
5. What costs and tradeoffs does the security solution impose?

Until you have answered questions 1 and 2, you can't even start on an
implementation.

Cheers,
D
--
David Fetter david(at)fetter(dot)org http://fetter.org/
phone: +1 510 893 6100 mobile: +1 415 235 3778

Remember to vote!
