Is there a way to encrypt the community edition SugarCRM database so that if a hacker gets access to the MYSQL database it is useless?
There is nothing in Sugar that allows you to do this. You'd have to look at potential solutions at the MySQL server level.
Regards,
Angel Magaña
Co-Author: Implementing SugarCRM 5.x (Packt Publishing -- Sept. 2010)
Blog: http://cheleguanaco.blogspot.com.
Twitter: @cheleguanaco.
Projects:
CandyWrapper (.NET Wrapper for SugarCRM SOAP API). Source now available on GitHub!
GoldMine to SugarCRM Express Conversion. Latest: 1.0.1.7 (Nov. 3, 2009)
CRM SkyDialer (Skype Integration). Latest: 1.0.2 (Feb. 17, 2010)
Round Robin Leads Assignment
Phone Number Formatter
CaseTwit (Twitter Integration)
Please forgive me for not understanding all of this. How can I encrypt the MySQL database and still have SugarCRM read it?
How is this done, please?
The answer to this all depends on what you're trying to protect yourself from. If you're concerned about general security vulnerabilities and somebody gaining unauthorized access to your machine, then you should think about network, OS, DB and hard disk security.
For instance, encrypting the hard drive with something like PGP Desktop might be what you are looking for. If you are looking at protecting your DB in general, then MySQL.com offers some solutions for database security.
If you are looking to encrypt specific data stored in the Sugar database in order to keep it secure from prying eyes (e.g. credit card numbers or social security numbers), you can look at encrypting data before storing it in the db. We provide the Blowfish encryption libraries with the SugarCRM code.
We use Blowfish for encrypting the email password fields stored in the Sugar DB. Look at the retrieve() and save() functions in the modules/InboundEmail/InboundEmail.php file. You will see that we use the blowfishEncode() and blowfishDecode() functions for encrypting/decrypting the $email_password data.
Sugar Developer Zone - developer resources | Sugar University - user and admin training
Sugar Docs - user and admin documentation | Sugar Bug Tracker - Enter or view bugs
SugarForge- open source modules, themes, lang packs | SugarExchange - commercial extensions
Clint Oram
Chief Technology Officer and Co-founder
SugarCRM
Thank you Clint.
It looks like Packet General will work. Unfortunately, it's very expensive.
I think there are other vulnerabilities that need to be addressed, but Packet General is a good first step.
I am not an attorney, but I think ALL database/CRM vendors face class action legal liability by not having data security issues addressed.
It looks like Oracle addressed this in 2005 with Transparent Data Encryption
http://www.oracle.com/technology/ora...5security.html
Microsoft addressed it here:
Database Encryption in SQL Server 2008 Enterprise Edition
http://msdn.microsoft.com/en-us/library/cc278098.aspx
Info is below:
Encryption-GENERAL is suitable for organizations that want to encrypt their MySQL data at inception in a manner that is transparent to both MySQL and to end users. The algorithm used is AES with 256-bit keys.
Key management:
Encryption-GENERAL uses soft-tokens.
Role-Based Platform Management:
Role-Based Platform Management allows different administrators to manage different aspects of Encryption-GENERAL.
Protection against data theft:
Data never gets to the disk or the network unencrypted. This means that data is protected against equipment theft or physical compromise, and against network eavesdroppers.
Protection against "root":
Only the authorized application has access to the data. No other programs, even if running with administrator privileges (therefore, not even "root" itself), can access or modify the data.
Encryption-GENERAL can be installed on standard certified, 32- or 64-bit, Intel and AMD hardware.
It appears that you have already found a good source to protect your data. Packet General does provide data security solutions for MySQL. However, I must say that most of us don't really understand data security. There was a paper written some time ago, "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments", published by the National Security Agency, that states the following in its abstract: "Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems." In other words, no application can really secure the data it generates without the help of the underlying OS.
So I'm not sure how PGP Desktop can really help.
Let's look at this problem in detail:
The security of data really depends on the security of the individual components that store, retrieve, and transport the data. This encompasses the whole gamut of security concerns: the client application; the credentials that the application uses to authenticate *its* users; the MySQL credentials that the application uses to authenticate *itself* to the server; the communication protocols; the integrity/correctness of the MySQL binaries; the security of the server OS; even the disposition of the backup tapes. Needless to say, there is no single, short answer that solves every single aspect of database security. Each link in the chain has to do its part to make sure it is not the weakest one. Packet General's MySQL appliance addresses most of these security issues.
Thanks.
/fort3306
It's done with a vardefs field of type "encrypt", see http://www.sugarcrm.com/wiki/index.php?title=Encrypt.
If anybody has more info on this please add it to the wiki.
Developers go here
Businesses go there (Dutch)
Modules:
SugarDev.net Developer Tools | Config | Dutch Language Pack
"Nothing gets fixed unless there is a bug"
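Both of the approaches mentioned in this thread (Clint's pointer to the blowfishEncode()/blowfishDecode() calls in InboundEmail.php, and the vardefs field of type "encrypt") come down to the same pattern: the application encrypts a sensitive column before it is written and decrypts it after it is read back, so a copied MySQL dump on its own is useless. The block below is an added example, not code from SugarCRM or from anyone in this thread. It shows that pattern in plain PHP using the OpenSSL extension with AES-256-GCM (an authenticated cipher, swapped in here for Sugar's bundled Blowfish), with the key read from outside the database. The environment variable name SUGAR_FIELD_KEY, the record id and the SSN value are constructed for the demo.

```php
<?php
// Added example, not SugarCRM's own code: encrypt a sensitive field in the
// application before it reaches MySQL and decrypt it after reading it back,
// with AES-256-GCM from PHP's OpenSSL extension (instead of Sugar's Blowfish).
declare(strict_types=1);

const CIPHER = 'aes-256-gcm';

// The key must live outside the database so that a stolen dump is not enough.
// SUGAR_FIELD_KEY is an assumed name for this example; in production it would
// come from a secrets store or a file readable by the web server user only.
function loadFieldKey(): string
{
    $hex = getenv('SUGAR_FIELD_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('SUGAR_FIELD_KEY must be 64 hex chars (32 bytes)');
    }
    return hex2bin($hex);
}

// Returns one base64 string holding version byte + IV + GCM tag + ciphertext,
// so it fits in an ordinary VARCHAR/TEXT column. $aad (e.g. record id and
// column name) binds the ciphertext to its row so it cannot be copied into
// another record without the tag check failing.
function encryptField(string $plaintext, string $key, string $aad = ''): string
{
    $iv  = random_bytes(12);   // 96-bit nonce, fresh for every write
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode("\x01" . $iv . $tag . $ct);
}

function decryptField(string $stored, string $key, string $aad = ''): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 1 + 12 + 16 || $raw[0] !== "\x01") {
        throw new RuntimeException('stored value is not in the expected format');
    }
    $iv  = substr($raw, 1, 12);
    $tag = substr($raw, 13, 16);
    $ct  = substr($raw, 29);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        // Wrong key, tampered ciphertext or wrong row: refuse instead of returning garbage.
        throw new RuntimeException('decryption failed (tag mismatch)');
    }
    return $pt;
}

// Self-contained demo with a constructed record; no MySQL connection needed.
putenv('SUGAR_FIELD_KEY=' . bin2hex(random_bytes(32)));  // demo only: throwaway key
$key      = loadFieldKey();
$recordId = 'a1b2c3d4';                                   // constructed bean id
$aad      = $recordId . ':ssn';

$stored = encryptField('123-45-6789', $key, $aad);        // what the row in MySQL holds
echo "Value as stored in MySQL: $stored\n";
echo 'Value read back by the app: ' . decryptField($stored, $key, $aad) . "\n";

// The same ciphertext moved to another record id fails the tag check.
try {
    decryptField($stored, $key, 'ffffffff:ssn');
} catch (RuntimeException $e) {
    echo 'Copied to another row: ' . $e->getMessage() . "\n";
}
```

In Sugar this logic would sit where InboundEmail.php puts its Blowfish calls, in the bean's save() and retrieve(), which is also what the "encrypt" vardefs type does for you with Sugar's own key. Two caveats a practitioner should weigh before relying on it: MySQL can no longer search, sort or index on the encrypted column (WHERE and LIKE only see ciphertext), and the key necessarily lives on the application server, so an attacker who owns the web host as well as the database gets the plaintext anyway. Full-disk encryption such as the PGP Desktop suggestion covers a different threat (a stolen or discarded disk), not a compromised running server.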