Hi Alex,
>As safe as you make it. If the data should be protected, use encryption.
Agreed. MD5 minimum. Blowfish when possible.
>Sure, you can use SSL through an HTTPS connection, but that covers only the transmission,
>not the life of the data before and after.
Yep. Hackers could care less about intercepting some random person's data on the net. They
want to take over individual systems and, hopefully, networks.
> Use VPN or some form of tunnelling. Don't rely on "security by obscurity" (safety just in the
> fact that no one would bother to try to trap MY data). It doesn't work.
Never has and never will work.
>If somebody wants it bad enough, they'll get to it.
You bet. In my 20++ years of security work, I've seen it all.
To be specifically targeted, though, you'll have to be a huge
repository of valuable "I can make some good, quick cash out
of this" info.
>Also, always remember that the easiest way to get to the data is from the inside.
>It might not be politically correct to remind your clients that data (and access to it)
>should be protected internally too, but it *is* the easiest point of compromise.
Yep. The vast majority of data theft is an inside job.
>If it is important enough, protect it through the use of SQL Server, Access Control Lists (ACL)
>and encryption (at least to part of it, like SSN, Credit Card numbers, salaries or sales figures).
Agreed.
Regards,
Randall
--
Randall Jouett
Amateur/Ham Radio: AB5NI
I eat spaghetti code out of a bit bucket while sitting at a hash table! Someone
asked me if I needed salt, and I said, "I'm not into encryption." :^)