Sensitive Data Must Be Encrypted

Published On: 2012-08-02By:

The title of this post pretty much says it all.  If you store sensitive data in a database you have to work under the assumption that someone is going to try and break into the system and steal that data.  Thinking otherwise simply isn’t responsible as the developer and/or administrator of the system.  By not encrypting your sensitive data, such as users logins and passwords you could easily enough end up like Yahoo! did on July 11, 2012 with the usernames and passwords of all of the customers of a service being posted on the Internet for all to see.

Not only was this breach a major embarrassment for Yahoo! but it is a potential nightmare for their customers.  If those customers (there were a few hundred thousand in the list) use the same email address and password on other websites they’ve now had the username and password for those other services leaked as well.

Now I know that best practice for Internet security says that every website should have a different password, but for the bulk of Internet users this simply isn’t going to happen.  Among IT professionals the percentage of people that actually use a different password for each website is probably pretty close to zero.  I know that I personally use dozens of different websites a month, and for most people that it probably pretty normal between banks, credit card companies, Facebook, Twitter, work sites, Gmail, etc. that quickly gets up to dozens or hundreds of passwords which need to be remembered.  There are plenty of password vault type applications, but general Internet users aren’t going to be using them.  As IT professionals we need to remember that we are dealing with the general public and the general public isn’t going to know that they need to do this, no matter how many times we talk about it within the IT field.

One reason that there is lots of unencrypted data out there is that converting older applications from using plain text data to encrypted data is pretty hard to do.  There are lots of places within the application which need to be touched and there are possibly lots of different applications which need to be updated all at once.  Then there is the possibility of needing to take an outage to do the actual data change.  When it comes down to is biting the bullet and taking the outage and making the change.  It is well worth it to take the outage and encrypt all the data now, rather than have to worry about a data breach later.

There are lots of techniques which you can use to do this data encryption, to many to list in a single blog post so look for blog posts from me later on how to handle this change.  There are also plenty of consultants, including myself, who are happy to help with projects like this.


Contact the Author | Contact DCAC

2 responses to “Sensitive Data Must Be Encrypted”

  1. alimcitp says:

    Hi Denny,Very nice article. Basit

  2. […] Stored Procedures, T/SQL, Tables I wrote a little while ago about the fact that sensitive data needs to be encrypted within the database for all applications.  This is the first technique that is available to you to […]


Globally Recognized Expertise

As Microsoft MVP’s and Partners as well as VMware experts, we are summoned by companies all over the world to fine-tune and problem-solve the most difficult architecture, infrastructure and network challenges.

And sometimes we’re asked to share what we did, at events like Microsoft’s PASS Summit 2015.

Awards & Certifications

Microsoft Partner       Insights Sccess Award    Technology Headlines Award    Golden Bridge Gold Award    CIO Review Top 20 Azure Solutions Providers    VMWare Partner
Microsoft Certified Master    Microsoft MVP
Share via