翻译 2006年06月06日 23:14:00

Why data encryption is no substitute for comprehensive security


《endurer注:1。substitute for 代替...;替换..., 取代...》

by  Jonathan Yarden

作者:Jonathan Yarden

翻译:endurer 2006-06-06 第1


Keywords:  Authentication and encryption | Security | E-mail messages | Security threats

关键字:证明和加密 | 安全 | 电子邮件信息 | 安全威胁


Jonathan Yarden asserts that data encryption can actually increase security risks if you apply it without considering how it will affect other IT functions. Find out why he stresses that data encryption is only one of the tools in a comprehensive Internet security setup.


Jonathan Yarden声称,如果你不考虑对其它IT功能影响地应用数据加密,实际上增加了安全风险。看看他为何强调数据加密只是英特网综合安全设置中的一个工具。



In all my years in the computing industry, I have seen a number of technologies come, go, and resurface. Without a doubt, one of most interesting is data encryption; yet, the general public still doesn't seem to have a firm grasp on it.


《endurer注:1。a number of:许多,若干
2。Without a doubt:当然,毫无问题,无疑地
3。general public: 公众
4。seem to:似乎...
5。get a firm grasp of:牢牢地抓住》

 Part of the problem may be that many IT pros get their information about data encryption from security vendors. None of the vendors at the security seminars I have attended stress that data encryption is by no means a substitute for a comprehensive corporate security architecture. For instance, sometimes it only makes sense to use data encryption when no other alternatives exist; sometimes you don't need to use data encryption at all. You probably won't hear this in any security vendor seminar because they want to sell products—I just want to educate you.


《endurer注:1。Part of: 一部分(的一部分)
2。none of 中一个也没有;当中谁都不(当中没人)
3。by no means 决不
4。for instance 例如
5。makes sense 有意义,讲得通
6。at all:完全,根本》

Know when to use data encryption


Data encryption is of little use unless you apply it to specifically mitigate a risk or to address a legal requirement. In fact, if you apply data encryption without consideration for how it will affect other IT functions, it can actually increase risks in other areas of the enterprise.


《endurer注:1。legal requirement 法律要件》

A striking example of the misuse of data encryption is when IT pros use encrypted file systems where this type of security is simply not needed. Windows and almost all major operating systems can support data encrypted file systems, but most corporations would be hard pressed to find a general use for such security. Even so, many corporations adopt the use of encrypted file systems because they believe this protects their information if a system is compromised. This is generally not true; the real security issue is keeping the system protected from compromise in the first place. An encrypted file system is not a reason to stop being vigilant when applying updates and patches. Also, backups are a must because, if you lose the decryption keys, your data is lost.


《endurer注:1。be hard pressed to do sth.: 做...很困难
2。general use 通用,一般用途
3。use for 用于,用作
4。even so 虽然如此
5。 in the first place:起初,首先》

There are specific cases where it makes sense to use data encryption. However, many IT pros decide to use data encryption because they assume this means they will have "improved" security. For example, a company that implements a VPN system using IPSEC isn't immune from a worm or virus if its virus scanner only inspects e-mail at the firewall border. A solution is to enforce virus and worm scanning at the e-mail server, as well as at the network perimeter; this guarantees that internal e-mail messages are properly scanned for malicious content.


《endurer注:1。be immunized from:v. 对...免疫
2。As well As (除...之外)也,既...又;也,又》

Reconsider using SSL to pass sensitive data online


Many IT pros incorrectly assume their data are secure if they submit information using SSL. These two points are true: SSL encryption makes it much more difficult (perhaps with SSL V3 it may be close to impossible) to make use of data if it's intercepted; and SSL is more secure as a data transmission method over clear text. However, once the data is received and decrypted on the other side of the SSL connection, you no longer have any real control over it. Or, if your Windows system is infected with a keylogging Trojan, typing your credit card into a SSL session on a browser isn't going to prevent it from being stolen.

一些IT专家们不正确地假定如果使用SSL来提交信息,数据是安全的。有两点是真的:SSL加密使被截取的的数据更难利用(利用SSL V3,这有可能近于不可能);并且当数据传输方式基于明文件时,SSL更安全。然而,一旦数据在SSL连接的另一边接收和加密,你就不能再有实际控制。或者,如果你的Windows系统被一个记录按键的木马感染了,在浏览器r的SSL会话中中输入信用卡,不能防止被盗。

《endurer注:1。close to 接近于, 在附近》

The general belief of SSL providing security is precisely why many of the newer phishing scams that use SSL are tricking people into giving up personal information. SSL does not provide more than simple data transmission security. The real question is: What happens to the data afterwards?


《endurer注:1。trick into 哄骗...干》

Encrypt e-mail using archivers


《endurer注:1。archiver n.档案库存储器》

Secure e-mail is another area where corporations need some education. Most corporations do not need the level of e-mail security provided by PGP or built-in public key encryption in most e-mail systems.


《endurer注:1。PGP—Pretty Good Privacy,是一个基于RSA公匙加密体系的邮件加密软件。》

When someone needs to send a Word document or Excel spreadsheet securely, I usually suggest they use the data encryption features of archivers such as WinZip or WinRAR, and send the secure data as an attachment to a regular text e-mail. When the recipient gets the e-mail, they decrypt the archive using a previously established decryption password. While this is far from perfect, it's generally secure enough to lower the risk to minimal levels.




I must stress that data encryption is only one of the tools in a comprehensive Internet security setup. Regardless of the sales pitches, remember that the lowest common denominator in Internet security is people not technology.


《endurer注:1。regardless of 不管, 不顾
2。sales pitch兜揽生意的话
3。lowest common denominator〈数〉最小公分母》


Android开发中高效的数据结构 android开发中,在java2ee或者android中常用的数据结构有Map,List,Set,但android作为移动平台,有些api(很多都是效率问题)显然...
  • fancylovejava
  • fancylovejava
  • 2015年04月20日 11:58
  • 22008


本人windows10在vivado 2015.03下,编译综合都通过,在modelsim与vivado关联绝对成功的前提下,点击run simulation 一直处在这个状态,一直执行中,无法正常调...
  • qq_31806049
  • qq_31806049
  • 2017年05月10日 17:15
  • 1426


  • why_2012_gogo
  • why_2012_gogo
  • 2016年04月19日 22:24
  • 4642


本文转载互联网,分享给大家!转载请注明原始来源和链接,尊重作者,共享知识!谢谢! 摘要:为了能够成为黑莓和苹果表率,谷歌下个版本Android开始在商业和企业领域努力。据悉,新版本Andro...
  • lixinhuixin
  • lixinhuixin
  • 2014年04月08日 17:04
  • 899

网络安全课件 数据加密技术

  • 2009年03月19日 18:04
  • 8.98MB
  • 下载


  • 2016年01月22日 10:10
  • 208KB
  • 下载


  • 2010年12月08日 11:38
  • 30KB
  • 下载


package com.secretkey; import java.io.ByteArrayOutputStream; import java.io.FileInputStream; import...
  • wyabc1986
  • wyabc1986
  • 2011年07月14日 20:13
  • 767


  • u013802231
  • u013802231
  • 2014年04月10日 17:12
  • 807

Android 数据加密及安全网络通信杂谈(一)

Android 数据加密及安全网络通信杂谈 前言:本人多年从事软件开发,发现大多数程序员(其中包括不少是资深的)、CTO、PM们对信息安全的了解几乎为零!很多时候,项目负责人在不得不面对信息安全需求...
  • suntongo
  • suntongo
  • 2016年05月06日 16:30
  • 3184