Re: Column Redaction

From: Simon Riggs <simon(at)2ndQuadrant(dot)com>
To: Rod Taylor <rod(dot)taylor(at)gmail(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Thom Brown <thom(at)linux(dot)com>, Damian Wolgast <damian(dot)wolgast(at)si-co(dot)net>, Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Claudio Freire <klaussfreire(at)gmail(dot)com>
Subject: Re: Column Redaction
Date: 2014-10-11 07:40:58
Message-ID: CA+U5nMLH9muxY7fwLxXiuzAewj=wVh8UsNWwLLWxk6Aq3rF8Pw@mail.gmail.com
Lists: pgsql-hackers

On 10 October 2014 16:45, Rod Taylor <rod(dot)taylor(at)gmail(dot)com> wrote:

> On my laptop I can pull all 10,000 card numbers in less than 1 second.

Right. Like I said: covert channels exist. Great example of how to
exploit them, thanks. Cool SQL.

What could be the use of "a security feature that does not prevent security"?

As soon as you issue the above query, you have clearly indicated your
intention to steal. Receiving information is no longer accidental, it
is an explicit act that is logged in the auditing system against your
name. This is sufficient to bury you in court and it is now a real
deterrent. Redaction has worked.

Redaction is similar to a 3m high razor wire fence. The fence reminds
you of what is correct and dissuades you from going further. The fence
does not prevent access by a determined and skillful agent (Rod), but
the CCTV cameras that are set out will record the action. It will be
almost impossible to claim you were just walking your dog, and the
wire cutters were a gift for your brother-in-law.

Redaction prevents accidental information loss only, forcing any loss
that occurs to be explicit. It ensures that loss of information can be
tied clearly back to an individual, like an ink packet that stains the
fingers of a thief.

I don't have a word or pithy phrase for this concept. Maybe something
related to "forcing their hand", flushing game into the open, or
simply preventing "tipping your hand" and inadvertently allowing data
loss.

Redaction clearly relies completely on auditing before it can have any
additional effect. And the effectiveness of redaction needs to be
understood next to Rod's example.

Since it relies on auditing, we need to do that first.
