Re: Data Encryption - Mailing list pgsql-novice

From Nick
Subject Re: Data Encryption
Date
Msg-id BAY131-DAV1456D31C055F17E0FC5CF3C46C0@phx.gbl
In response to Data Encryption  ("Sandeep Agarwal" <sandeepagarwal.1980@gmail.com>)
List pgsql-novice
>> > I am new to postgres and am puzzled how to solve the untrusted admin
>> > problem.
>> >
> Please do not take affront if I am reading way too much into your
> question, but if the following scenario is true:
> 1)  It is a web application with the server colocated in the US
> 2)  You are the developer AND admin and are not in the US
>
> If so, you obviously trust yourself -- the problem is that customers or
> prospective customers will possibly (likely) be hesitant to use your
> service, particularly when SSNs, names and employee addresses are
> involved.

The original question was on-topic (basic technical question re postgresql)
but the answer wasn't.

I'm sorry to continue off-topic and will endeavour never to do it again
but...

The original question is a serious one that few companies seem to take
seriously. I've had a number of freelance jobs as an Oracle DBA over the
years and it has shocked me how careless big companies can be with their own
and their clients' data, some of it supposed to be confidential.

As a DBA I've been able to access all sorts of sensitive data if I'd chosen
to. I was trusted and have never betrayed that trust. But consider my and
countless others' positions:

- I might be there for a few months with no commitment as such to the
company;
- People trust me because I'm a nice guy and hey, DBAs are trustworthy,
aren't they?
- I tend to work for the same type of companies because having oil company 1
on my CV is attractive to oil company 2;
- I have access to data that might be worth a lot of money to oil company 2.
- And as a DBA I sometimes have to work out of hours when there's no one to
watch me (not that anyone ever does anyway).

Should I be trusted by these big companies who should be protecting the
interests of their shareholders?
No way.
But I always have been. And so have others I've known who I wouldn't trust
with my credit card number.

OK, I promise, with fingers firmly crossed, never to get involved in an
off-topic discussion again!

And I'm sorry but I can't answer the original question.

Nick.

