Tuesday, September 17, 2013

On the assumption of encryption. A Zen Security Koan

The Master and a Student were conducting a PCI gap analysis for a Client.

The Master asked the Client's Server Administrator if they encrypted their backups, to which the Administrator replied "No, but surely the database team encrypts the data, so I do not worry about such things."

In the next meeting, the Master asked the DBA if they encrypted the PAN field in the tables, to which the DBA replied, "No, but surely the backups are encrypted, so I do not worry about such things."

The Master took the Administrator and the DBA to the roof and politely asked them to climb into wooden boxes. When they complied with his request, the Master pushed the boxes off the roof.

Shocked, the Student asked the Master why he would do such a thing.

The Master replied "Surely the DBA and the Administrator brought pillows with which to cushion the fall, so I do not worry about such things".

And thus was the Student enlightened.