High level question re SQL
Message
From
21/05/2021 09:49:32
 
 
To
21/05/2021 05:13:03
General information
Forum: Visual FoxPro
Category: Databases, Tables, Views, Indexing and SQL syntax
Miscellaneous
Thread ID: 01680630
Message ID: 01680653
Views: 35
They are more afraid of a) the impact on their clients (vulnerable people) and b) their reputation.

But I look at it and say, it seems just about every company going seems to get hacked and data exfiltrated - why is that? I guess someone has high enough level credentials and if those get compromised, the whole database can be taken. I take a bit more assurance from companies that state, "yes we have had a data breach but the data taken is encrypted and we know it only applies to x number of our customers and they have all been informed."

And along with that, it seems the fines are now getting to be really hefty for data breaches unless you can demonstrate you have done everything possible to prevent them.

Albert

>Hmmm, are they more afraid of data leaks and being fined for that, or are they trying to protect "biz secrets"?
>
>IMO the company running your app should either take the plunge and get their own DBA or, if they must out-source, make certain the company doing the work is capable of paying the fines. This implies a size where such audit questions are missing the mark ;-)
>
>
>
>>Hi all,
>>
>>I am in the process of helping a client to select another company to replace my app - so I can semi-retire. I am being asked to help with questions re data security. I am going to try to keep this short so maybe you can tell me how you would approach it. I am trying to come up with an appropriate list of questions for this other company. They are probably going to recommend either SQL Server or MariaDB for the backend.
>>
>>One other bit of background: current app uses VFP native tables, not SQL. Have improved the security of the data by doing column level encryption (my code tying into .Net functions). Documents associated with this application are NOT encrypted but the company would really like this (one of the reasons they started to look at other databases).
>>
>>To put the company's goals very simply:
>>- they would obviously like better control over access to the database
>>- if there were a data breach and someone exfiltrated the database files at the OS level or performed queries to try to pull down data, they would like:
>>- the sensitive columnar data to be encrypted (as it is now) and the documents to be encrypted
>>- obviously they would prefer that the data not be exfiltrated but maybe even limited (the MariaDB has a "database firewall" where you can limit the types of queries)
>>
>>If you were giving a high level overview of the security setup for a new client, what would you list as the things "you need to do"?
>>
>>Okay, as always, I have typed too much....and p.s., I know I have asked this a couple years back but times have changed - SQL 2019 has new encryption features for example.
>>
>>Albert