Re: Column Redaction - Mailing list pgsql-hackers
From | Joe Conway |
---|---|
Subject | Re: Column Redaction |
Date | |
Msg-id | 54393386.8040607@joeconway.com |
In response to | Re: Column Redaction (Simon Riggs <simon@2ndQuadrant.com>) |
List | pgsql-hackers |

On 10/11/2014 02:40 AM, Simon Riggs wrote:
> As soon as you issue the above query, you have clearly indicated
> your intention to steal. Receiving information is no longer
> accidental, it is an explicit act that is logged in the auditing
> system against your name. This is sufficient to bury you in court
> and it is now a real deterrent. Redaction has worked.
>
> Redaction is similar to a 3m high razor wire fence. The fence
> reminds you of what is correct and dissuades you from going
> further. The fence does not prevent access by a determined and
> skillful agent (Rod), but the CCTV cameras that are set out will
> record the action. It will be almost impossible to claim you were
> just walking your dog, and the wire cutters were a gift for your
> brother in law.
>
> Redaction prevents accidental information loss only, forcing any
> loss that occurs to be explicit. It ensures that loss of
> information can be tied clearly back to an individual, like an ink
> packet that stains the fingers of a thief.
>
> I don't have a word or pithy phrase for this concept. Maybe
> something related to "forcing their hand", flushing game into the
> open, or simply preventing "tipping your hand" and inadvertently
> allowing data loss.
>
> Redaction clearly relies completely on auditing before it can have
> any additional effect. And the effectiveness of redaction needs to
> be understood next to Rod's example.
>
> Since it relies on auditing, we need to do that first.

This is a really good summary. I definitely know of folks who would be
interested in this feature, but I also agree, as you have said, it
relies on a good audit trail.

Joe

--
Joe Conway
credativ LLC: http://www.credativ.us
Linux, PostgreSQL, and general Open Source
Training, Service, Consulting, & 24x7 Support