"How does your architecture work in practice? Encrypting items won't help when the keys need to be stored in the same place to access the data. The attackers will just go after that box instead of the DB."
Simple. Don't store a key with the data. A credit bureau only incurs liability by knowing the PII for hundreds of millions of people readable from one location - that they provide to everyone who asks!
How does a company create a better architecture? Separation of duties and responsibilities, defense in depth, authentication and authorization, cryptography, updating software, etc. Hire a security team to help with vulnerability analysis, design reviews, due diligence, and threat modeling.
This gets solved every day at many companies.
"You can guard it more carefully, but the point is that some box somewhere needs access to a substantial amount of the data at any given time. It's the nature of a credit bureau."
Yes, but the elephant in the room is that a credit bureau possesses that information in usable form. This can be taken care of by key management, where the individual owns the key and only one key is able to exist per individual at a time. Then, only those credit grantors who have been authorized by the individual are able to update or view the data.
In cryptography the operating assumption should always be that everything is known about your data except your key material, which is kept private.
This is what I mean by not meeting business goals. It is clearly a bad idea to give Grandma an irreplaceable key. But that's what this proposal is.
Wrong. It is your interpretation that this is an irreplaceable key. You are trying to say that a design is wrong because you believe that your implementation would be wrong.
Uniqueness is a different property from replaceability. And replaceability is not necessarily the correct property to design for; key rotation and recovery from loss are the properties. What you want is the ability to rotate keys and recover from the loss of keys.
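An added worked example, not code posted by anyone in this thread, showing the key hierarchy argued for above: the bureau stores only ciphertext plus wrapped copies of a per-record data key, the individual holds the one key that can unwrap it, authorized grantors get their own wrapped copy, rotation rewraps under a new owner key (so exactly one owner key is valid at a time), and loss is handled by a recovery wrap held by a separate escrow party rather than by making the key irreplaceable. Everything here is an assumption for illustration: the `Bureau`/`Record` names, the escrow arrangement, and the stdlib-only authenticated encryption (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag) that stands in for AES-GCM or ChaCha20-Poly1305 from a real library. The sample record is constructed data.

```python
"""Per-individual envelope encryption for a credit-record store (illustrative, not a real bureau's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Stand-in AEAD from the stdlib only: HMAC-SHA256 as a PRF in counter mode for the
# keystream, encrypt-then-MAC with a second derived key. Use a vetted AEAD in production;
# the key hierarchy, not this primitive, is what the example demonstrates.
def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

@dataclass
class Record:
    ciphertext: bytes      # record sealed under a random per-record data key (DEK)
    owner_wrap: bytes      # DEK sealed under the individual's current key
    recovery_wrap: bytes   # DEK sealed under a key held by a separate escrow party (assumed)
    grantor_wraps: dict = field(default_factory=dict)  # grantor_id -> DEK sealed under that grantor's key

class Bureau:
    """Holds ciphertext and wrapped DEKs only; no key that can read a record is stored here."""
    def __init__(self) -> None:
        self.records: dict[str, Record] = {}

    def store(self, person_id: str, data: bytes, owner_key: bytes, recovery_key: bytes) -> None:
        dek = secrets.token_bytes(32)
        self.records[person_id] = Record(seal(dek, data), seal(owner_key, dek), seal(recovery_key, dek))

    def _dek_for_owner(self, person_id: str, owner_key: bytes) -> bytes:
        return unseal(owner_key, self.records[person_id].owner_wrap)

    def read_as_owner(self, person_id: str, owner_key: bytes) -> bytes:
        return unseal(self._dek_for_owner(person_id, owner_key), self.records[person_id].ciphertext)

    def authorize(self, person_id: str, owner_key: bytes, grantor_id: str, grantor_key: bytes) -> None:
        # Only the holder of owner_key can grant access: it unwraps the DEK and rewraps it for the grantor.
        dek = self._dek_for_owner(person_id, owner_key)
        self.records[person_id].grantor_wraps[grantor_id] = seal(grantor_key, dek)

    def revoke(self, person_id: str, grantor_id: str) -> None:
        # Removes future access; a grantor that cached the DEK still needs a re-key (new DEK, re-seal,
        # rewrap for the remaining grantors) to be fully cut off.
        self.records[person_id].grantor_wraps.pop(grantor_id, None)

    def read_as_grantor(self, person_id: str, grantor_id: str, grantor_key: bytes) -> bytes:
        rec = self.records[person_id]
        if grantor_id not in rec.grantor_wraps:
            raise PermissionError(f"{grantor_id} is not authorized for {person_id}")
        return unseal(unseal(grantor_key, rec.grantor_wraps[grantor_id]), rec.ciphertext)

    def rotate_owner_key(self, person_id: str, old_owner_key: bytes, new_owner_key: bytes) -> None:
        # Rotation: rewrap the DEK and discard the old wrap, so exactly one owner key is valid at a time.
        dek = self._dek_for_owner(person_id, old_owner_key)
        self.records[person_id].owner_wrap = seal(new_owner_key, dek)

    def recover_owner_key(self, person_id: str, recovery_key: bytes, new_owner_key: bytes) -> None:
        # Loss: the escrow party presents its key; the DEK is rewrapped under a fresh owner key.
        dek = unseal(recovery_key, self.records[person_id].recovery_wrap)
        self.records[person_id].owner_wrap = seal(new_owner_key, dek)

def demo() -> dict:
    """Walks through grant, denial, rotation and recovery; returns which checks held."""
    bureau = Bureau()
    alice_key, escrow_key = secrets.token_bytes(32), secrets.token_bytes(32)
    bank_key, lender_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = b'{"name":"A. Example","ssn":"000-00-0000","score":712}'  # constructed sample data
    bureau.store("alice", record, alice_key, escrow_key)
    bureau.authorize("alice", alice_key, "bank", bank_key)
    results = {"bank_reads": bureau.read_as_grantor("alice", "bank", bank_key) == record}
    try:
        bureau.read_as_grantor("alice", "lender", lender_key)
        results["lender_blocked"] = False
    except PermissionError:
        results["lender_blocked"] = True
    new_alice_key = secrets.token_bytes(32)
    bureau.rotate_owner_key("alice", alice_key, new_alice_key)
    try:
        bureau.read_as_owner("alice", alice_key)
        results["old_key_rejected"] = False
    except ValueError:
        results["old_key_rejected"] = True
    results["new_key_reads"] = bureau.read_as_owner("alice", new_alice_key) == record
    results["bank_unaffected"] = bureau.read_as_grantor("alice", "bank", bank_key) == record
    replacement = secrets.token_bytes(32)           # Alice lost new_alice_key; escrow steps in
    bureau.recover_owner_key("alice", escrow_key, replacement)
    results["recovered_reads"] = bureau.read_as_owner("alice", replacement) == record
    return results

if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing: an attacker who dumps everything the `Bureau` object holds gets sealed blobs only, because the owner key, the grantor keys and the escrow key all live with other parties. Rotation and recovery never require anyone to re-encrypt the record itself, only to rewrap the 32-byte DEK, which is why "one key per individual at a time" and "recoverable after loss" are not in conflict.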