Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.

Поиск
Список
Период
Сортировка
От John McKown
Тема Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.
Дата
Msg-id CAAJSdjjU=GF=5M1oFiji_13Pqek6c1NcGetd2tYDYmzgy2LuZA@mail.gmail.com
обсуждение исходный текст
Ответ на Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.  (Adrian Klaver <adrian.klaver@aklaver.com>)
Ответы Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.  (Adrian Klaver <adrian.klaver@aklaver.com>)
Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.  (Merlin Moncure <mmoncure@gmail.com>)
Список pgsql-general
Дерево обсуждения
On Wed, Nov 18, 2015 at 3:38 PM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
On 11/18/2015 01:34 PM, Andrew Sullivan wrote:
On Wed, Nov 18, 2015 at 03:22:44PM -0500, Tom Lane wrote:
It's quite unclear to me what threat model such a behavior would add
useful protection against.

If you had some sort of high-security database and deleted some data
from it, it's important for the threat modeller to know whether the
data is gone-as-in-overwritten or gone-as-in-marked-free.  This is the
same reason they want to know whether a deleted file is actually just
unlinked on the disk.

This doesn't mean one thing is better than another; just that, if
you're trying to understand what data could possibly be exfiltrated,
you need to know the state of all of it.

For realistic cases, I expect that deleted data is usually more
important than updated data.  But a threat modeller needs to
understand all these variables anyway.

Alright, I was following you up to this. Seems to me deleted data would represent stale/old data and would be less valuable.

​Not necessarily. Think PHI or HIPAA information which was "erased" because you lost a customer. ​Or just something as "simple" as a name, address, and credit card number for someone. It's still important and useful to thieves if it is "erase". I can see a smaller company using PG for accounting and billing information. But it really should be encrypted. I often wonder how many "small" businesses actually do that. I a truly ignorant on that point.

That's not even getting into government information that might be of interest to others such as the FSB or even Wikileaks (regardless of one's opinion them). Of course, I don't really know if any government or other "high security" industry is actually using PG for secure information.


--
Adrian Klaver
adrian.klaver@aklaver.com


--

Schrodinger's backup: The condition of any backup is unknown until a restore is attempted.

Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.

He's about as useful as a wax frying pan.

10 to the 12th power microphones = 1 Megaphone

Maranatha! <><
John McKown

В списке pgsql-general по дате отправления:

Предыдущее
От: Melvin Davidson
Дата:
Сообщение: Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.
Следующее
От: Andrew Sullivan
Дата:
Сообщение: Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.