存储社会保障号码 [英] Storing Social Security Numbers
问题描述
我想知道是否存在任何存储信息作为社会保险号码敏感的约定。我不是很熟练的加密,我知道有几种加密技术,我可以诉诸,但我想知道是否有一种方式,特别是最适合这种类型的情况。 AES是我最好的选择吗?
至于目前的软件,我们运行MySQL,我们的Web界面是用PHP编写的,并且在IIS服务器上运行。
我没有看到它在任何地方都提到,但这些信息是否有必要在线?如果没有,那么您已经通过将该信息存储在未连接到互联网的计算机上的数据库中,从而确保了一个主要的攻击途径。或者,如果您可以将其存储在局域网某处(因此人力资源可以访问它或任何),而不是生产服务器,这仍然是正确方向的一步。你提到你在一家比较小的公司,但似乎对一些便宜的硬件的投资并不是太难以说服决策者给出了将这种敏感信息存储在离线中的好处。在不久的将来,除了大量的招聘狂欢之外,你不需要一个服务器级的计算机来存储大约30位员工的个人信息。
无论你在哪里存储它,我仍然会考虑某种加密。 AES 256是大多数应用程序中安全的标准,并且得到了广泛的支持。它听起来不像是在任何种类的负载下的应用程序,所以再一次,从更小的硬件,从它的声音,更大的钥匙大小,没有损害。
就实现而言,如果您对MySQL很满意,请坚持使用它们,您可以获得所需的工具: http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html
最后,安全性是关于层次的,没有一个解决方案将成为银弹,但是你可以通过添加一些漂亮的简单,常识的安全措施。
编辑:在阅读Graeme所说的内容之后,我觉得我应该补充说,大多数安全漏洞都是内部工作 - 请确保保护您的数据在磁盘级别,通过数据库,通过电线。
The HR department at the company that I am currently working for has requested that I provide a system for storing employee social security numbers in our company database. The reason for this is to streamline payroll completion, as we use in-house software for employee timesheets but have to integrate with third-party software for our actual payroll system. This is a relatively small company (20-30 employees), and we'd only be storing current employees' SSN's (so a breach would only have limited impact), but I would still like to bank on security.
I would like to know if there is any convention out there for storing information as sensitive as social security numbers. I'm not very skilled in encryption, and I understand that there are several encryption techniques that I could resort to, but I was wondering if there was one way in particular that was best suited for this type of situation. Would AES be my best bet?
As for current software, we're running MySQL and our web interface is written in PHP and running on an IIS server.
I didn't see it mentioned anywhere, but is it necessary for this information to be online? If not, then you've secured one major avenue of attack by simply having this info stored in a database on a computer that's not connected to the internet. Or, if you can get away with having it stored on your LAN somewhere (so HR can have access to it, or whatever), as opposed to production servers, that's still a step in the right direction.
You mentioned that you're at a relatively small company, but it seems like an investment in some cheap hardware wouldn't be too difficult a thing to convince the decision makers of, given the benefits of storing this kind of sensitive info offline. And barring a massive hiring spree in the near future, you don't need a server class computer for storing personal info on ~30 employees by any means.
Wherever you store it, I'd still consider some kind of encryption. AES 256 is the standard for secure these days in most applications and is pretty widely supported. It doesn't sound like it's the sort of application to be under any kind of load, so again, there's no harm in going for a larger key size along with the cheap hardware, from the sounds of it.
As far as implementation goes, if you're comfortable with MySQL - stick with that, they've got the tools you need to do what you want: http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html
In the end, security is all about layers, no single solution is going to be the silver bullet, but you can go a long way by adding some pretty simple, common sense security measures.
Edit: after reading what Graeme said, I feel I should add that most security breaches are an inside job - make sure to protect your data at the disk level, through the database, and over the wire.
这篇关于存储社会保障号码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
