为什么数据加密不能代替综合安全

Why data encryption is no substitute for comprehensive security

为什么数据加密不能代替综合安全

《endurer注：1。substitute for 代替...；替换..., 取代...》

by  Jonathan Yarden

作者：Jonathan Yarden

翻译：endurer 2006-06-06 第1版

英文来源：http://techrepublic.com.com/5100-1009_11-6079162.html?tag=nl.e044

Keywords:  Authentication and encryption | Security | E-mail messages | Security threats

关键字：证明和加密 | 安全 | 电子邮件信息 | 安全威胁

Takeaway:

Jonathan Yarden asserts that data encryption can actually increase security risks if you apply it without considering how it will affect other IT functions. Find out why he stresses that data encryption is only one of the tools in a comprehensive Internet security setup.

概述：

Jonathan Yarden声称，如果你不考虑对其它IT功能影响地应用数据加密，实际上增加了安全风险。看看他为何强调数据加密只是英特网综合安全设置中的一个工具。

 

---

 

In all my years in the computing industry, I have seen a number of technologies come, go, and resurface. Without a doubt, one of most interesting is data encryption; yet, the general public still doesn't seem to have a firm grasp on it.

在投身计算机工业的日子里，我已经看到许多技术涌现、消失（淘汰）和再现。毫无疑问，最令人感兴趣的一个是数据加密；然而，公众似乎仍然没有牢牢地抓住它。

《endurer注：1。a number of:许多,若干
2。Without a doubt:当然,毫无问题，无疑地
3。general public: 公众
4。seem to:似乎...
5。get a firm grasp of：牢牢地抓住》

 Part of the problem may be that many IT pros get their information about data encryption from security vendors. None of the vendors at the security seminars I have attended stress that data encryption is by no means a substitute for a comprehensive corporate security architecture. For instance, sometimes it only makes sense to use data encryption when no other alternatives exist; sometimes you don't need to use data encryption at all. You probably won't hear this in any security vendor seminar because they want to sell products—I just want to educate you.

一部分问题可能是一些IT专家从安全供应商获取数据加密方面的信息。在我所参加的安全研讨会中，没有一个供应商强调数据加密决不是代替综合企业安全架构。例如，有时只有在不存在其它可供选择的办法时使用数据加密才有意义；有时你完全不需要使用数据加密。你可能不会在一些安全供应商研讨会听到这些，因为供应商们想销售产品——我只是想让你明白。

《endurer注：1。Part of: 一部分(的一部分)
2。none of 中一个也没有；当中谁都不(当中没人)
3。by no means 决不
4。for instance 例如
5。makes sense 有意义,讲得通
6。at all:完全,根本》

Know when to use data encryption

知道何时使用数据加密

Data encryption is of little use unless you apply it to specifically mitigate a risk or to address a legal requirement. In fact, if you apply data encryption without consideration for how it will affect other IT functions, it can actually increase risks in other areas of the enterprise.

数据加密用处不大，除非你把它应用于特定减轻风险或定位法律要件。实际上，如果你不考虑对其它IT功能影响地应用数据加密，实际上增加了企业其它区域的风险。

《endurer注：1。legal requirement 法律要件》

A striking example of the misuse of data encryption is when IT pros use encrypted file systems where this type of security is simply not needed. Windows and almost all major operating systems can support data encrypted file systems, but most corporations would be hard pressed to find a general use for such security. Even so, many corporations adopt the use of encrypted file systems because they believe this protects their information if a system is compromised. This is generally not true; the real security issue is keeping the system protected from compromise in the first place. An encrypted file system is not a reason to stop being vigilant when applying updates and patches. Also, backups are a must because, if you lose the decryption keys, your data is lost.

数据加密滥用的一个突出例子是IT专家把加密文件系统用于那类安全简单而不需要的地方。Windows和几乎所有的主要操作系统能支持数据加密文件系统，但是大多数公司将很难找出这类安全的一般用途。虽然如此，一些公司采用加密文件系统，因为他们相信如果系统被危害，这保护了他们的信息。这一般不是真相；真实的安全问题首先保护系统免受危害。加密文件系统不是应用更新和补丁时停止警惕的原因。同样，备份是必须的，如果你丢失了密匙，数据就丢失了。

《endurer注：1。be hard pressed to do sth.: 做...很困难
2。general use 通用，一般用途
3。use for 用于,用作
4。even so 虽然如此
5。 in the first place:起初,首先》

There are specific cases where it makes sense to use data encryption. However, many IT pros decide to use data encryption because they assume this means they will have "improved" security. For example, a company that implements a VPN system using IPSEC isn't immune from a worm or virus if its virus scanner only inspects e-mail at the firewall border. A solution is to enforce virus and worm scanning at the e-mail server, as well as at the network perimeter; this guarantees that internal e-mail messages are properly scanned for malicious content.

存在一些使用数据加密讲得通的特别情况。然而，一些IT专家决定使用数据加密，因为他们认定这意味着他们将拥有“改良的”的安全。例如，一个实现了使用IPSEC的VPN系统的公司，如果其病毒扫描程序只审查防火墙边界的电子邮件，就不能对蠕虫或病毒免疫。一个解决办法是既在电子邮件服务器上，又在网络周界上强制病毒和蠕虫扫描；这保证了内部电子邮件信息针对恶意内容作了适当地扫描。

《endurer注：1。be immunized from:v. 对...免疫
2。As well As (除...之外)也,既...又；也，又》

Reconsider using SSL to pass sensitive data online

 重新考虑使用SSL来在线传递敏感数据

Many IT pros incorrectly assume their data are secure if they submit information using SSL. These two points are true: SSL encryption makes it much more difficult (perhaps with SSL V3 it may be close to impossible) to make use of data if it's intercepted; and SSL is more secure as a data transmission method over clear text. However, once the data is received and decrypted on the other side of the SSL connection, you no longer have any real control over it. Or, if your Windows system is infected with a keylogging Trojan, typing your credit card into a SSL session on a browser isn't going to prevent it from being stolen.

一些IT专家们不正确地假定如果使用SSL来提交信息，数据是安全的。有两点是真的：SSL加密使被截取的的数据更难利用（利用SSL V3，这有可能近于不可能）；并且当数据传输方式基于明文件时，SSL更安全。然而，一旦数据在SSL连接的另一边接收和加密，你就不能再有实际控制。或者，如果你的Windows系统被一个记录按键的木马感染了，在浏览器r的SSL会话中中输入信用卡，不能防止被盗。

《endurer注：1。close to 接近于, 在附近》

The general belief of SSL providing security is precisely why many of the newer phishing scams that use SSL are tricking people into giving up personal information. SSL does not provide more than simple data transmission security. The real question is: What happens to the data afterwards?

对SSL提供安全的普遍信心正好是为什么一些新网络钓鱼诡计使用SSL哄骗人们放弃个人信息的原因。SSL不提供更简单的数据传输安全。真正的问题是：数据后来发生了什么？

《endurer注：1。trick into 哄骗...干》

Encrypt e-mail using archivers

使用文件存储程序加密电子邮件

《endurer注：1。archiver n.档案库存储器》

Secure e-mail is another area where corporations need some education. Most corporations do not need the level of e-mail security provided by PGP or built-in public key encryption in most e-mail systems.

让电子邮件安全是企业需要一些教育的另一个地方。大多数企业的大多数电子邮件系统不需要PGP或内置公匙加密提供的电子邮件安全级别。

《endurer注：1。PGP—Pretty Good Privacy，是一个基于RSA公匙加密体系的邮件加密软件。》

When someone needs to send a Word document or Excel spreadsheet securely, I usually suggest they use the data encryption features of archivers such as WinZip or WinRAR, and send the secure data as an attachment to a regular text e-mail. When the recipient gets the e-mail, they decrypt the archive using a previously established decryption password. While this is far from perfect, it's generally secure enough to lower the risk to minimal levels.

当某人需要发送安全地发送一个Word文档或Excel电子数据表时，我通常建议他们使用诸如WinZip或WinRAR之类的文件存储程序的数据加密特性，并作为正常文本电子邮件的附件发送安全数据。当接受者获得电子邮件后，他们用事先建立的加密口令对文件档进行解密。尽管这远非完美，但通常安全地足以使风险降到最低级别。

Summary

摘要

I must stress that data encryption is only one of the tools in a comprehensive Internet security setup. Regardless of the sales pitches, remember that the lowest common denominator in Internet security is people not technology.

我必须强调数据加密只是英特网综合安全设置中的一个工具。别管兜揽生意的话，记住英特网安全中的最小公分母是人而不是技术。

《endurer注：1。regardless of 不管, 不顾
2。sales pitch兜揽生意的话
3。lowest common denominator〈数〉最小公分母》