March 11, 2010     |
Home
FAQs
       SQL Server FAQ
       SQL Injection FAQ
       SQL Security Checklist
       SQL Server-Related Products
       SQL Server/MSDE-Based Applications
       SQL Server Version Database
Tools
       Lockdown Script
       Free Tools
       Free Analysis
       Group Policy Templates
       Commercial Tools
Community
       Discussions
       Links
About
Search
Network Toaster
SQL Security Forums
Note: SQLSecurity.com does not allow nor require registration due to privacy concerns for users. SQLSecurity.com is open and anonymous for all. Please report any abuse or profanity.
Forums > Discussions > SQL Server Security
Subject: Encryption using extended sprocs
Prev Next
Add Reply

Author Messages
John Marks
11/16/2001 11:34 AM Quote Reply Alert 
Chip I really enjoyed your article in MCP Online Mag (http://www.informnavigator.com/index.asp?ap=xp_crypto&am=about#xp_crypto). We are considering using a 3rd party control in the form of an extend sproc to encrypt data at the column level in our SQL 2K databases. As the DBA I am pushing to have the encryption done at the Application level rather than the DB level b/c of possible issues with use extended sprocs like memory leaks and corruption and other stability problems due the fact that extended sproc run in the same process space as SQL Server. Have you had any experience with using 3rd party extended sprocs to encrypt data in a high volume OLTP environment? What would be your recommendation to do? Has anyone else out there had experience in this issue and can provide some feedback. Thanks :-)
Chip Andrews
11/18/2001 9:06 PM Quote Reply Alert 
As with many things in life, it is a matter of requirements and risk management. If the requirements specify a certain level of performance then you must make sure any proposed solution can meet those requirements. If you are afraid of memory leaks and cannot get access to the source code for the extended stored proc then this may be a risk you simply cannot take. (I like to see source code myself) Keep in mind that moving unknown code to other tiers just means the memory leaks will happen somewhere else - not exactly the best situation. I recommend you only go with a solution that meets your individual requirements and risks. Every person's situation is different and that's why I can't give you a blanket answer. Whatever path you choose, just make sure you test, test, test. For the record I am partial to a non-extended stored proc approach because I find my applications scale better when I do crypto on the BOL layers that usually exist in web or component farms. Chip
John Marks
11/19/2001 11:32 PM Quote Reply Alert 
Thanks for the reply Chip.
Add Reply
Forums > Discussions > SQL Server Security > Encryption using extended sprocs
Quick Reply
Username:  
Subject:  
Body:
 



ActiveForums 3.6
Copyright 1999 by Chip Andrews   |  Privacy Statement  |  Terms Of Use