Rating: Summary: A Disappointing Book Review: According to the book, database "translucency" involves passing values through a one-way function before storing it in a database. That is the key concept. If you understand it, don't buy the book. All you'll get are (very simple) examples of doing this, with the label "translucent" slapped all over. Although the book is promoted as being ahead of its time, the idea has been around for decades. To its credit, the book is fair enough to mention this, citing the UNIX password file as "One of the first and best examples of a translucent database". The book glosses over the fact that encrypting data fields requires more complex access control---each unique encryption requires another password to manage if the data is ever to be recovered. This overhead is the main reason why encrypted data isn't more prevalent. I was hoping the book might contain some approaches to reducing this fundamental problem. There are none. The book attempts to fill space by describing additional methods of "translucency" that have nothing to do with encryption. Rather, they are methods of reducing the accuracy (apparently so that anyone who gains unauthorized access to the database will have less valuable information). Some of these methods are, well, kind of simplistic: "Instead of storing the day, hour, minute and second, store just the day." "Adding Fake Entries...unless you add a large number of fakes, the odds of discovering the real ones remain significant." In addition, the book suggests replacing a person's height with "tall", "average" or "short". All told, I am disappointed with this book, and I can't recommend it to anyone who does serious database work.
Rating: Summary: Good material, poorly explained Review: Although the book is both interesting and useful, it suffers from a worm's-eye view. Explanation is given at the source-code and SQL level and not above that. There is no attempt to give the reader an overall picture of the algorithms being described; the book contains not one E-R diagram, schema diagram, or diagram of any other sort. I wound up drawing these for myself to make sense of the muddled explanation. Because I think the book contains valuable information, I hope that Mr. Wayner will correct this oversight in a second edition.
Rating: Summary: Huh? Review: I was very surprised by this book. After reading some of the other reviews it seemed the author may have hit on a new idea or something mildly profound. Unfortunately, no. This book is 13 chapters of hashing functions and encryption functions. By hashing or encrypting specific columns you can protect the data... Ok. No new concepts here. I could have read that in 3 paragraphs and saved myself an afternoon of reading and a few dollars. This book is *not* essential for DBAs, developers or anyone else with a basic understanding of hashing or encryption functions. Perhaps this would be more appropriate in a college environment or for a beginner.
Rating: Summary: Key concepts !=understanding && understanding !=judgement Review: Key concepts are simple to get in the large. It's the details that will kill you. I knew the concepts, and the book filled in the details. The book is written well and is full of meat instead of the no-brainers that some think. Follow the strong recommendations and get the book.
Rating: Summary: a must read for technology professionals Review: Peter Wayner gives insight on storing, protecting and managing data, with a strong focus on privacy. This book is an easy read for anyone familiar with SQL-based db systems, cryptography and an understanding of basic application architecture. Additionally, if one plans on working towards HIPAA compliance (term used loosely), this is a must read. The concept of translucent databases is a step in the right direction for any entity interested in storing useful data without holding the overwhelming burden of liability over their own head. Working on the "other end" of the software development chain, it is clear to me that this concept will be a hard sell to businesses that aren't under the (HIPAA) gun. Wayner's writing is extremely readable, with great emphasis on explanation. My lack of Java experience was not a hindrance at all while reading this book. This book is best shared between developers, architects, and decision makers, as it is their understanding that is crucial in selectively choosing what data is stored, what data is not, and what data is hidden and to whom. While there are few, if any, Eureka! moments in the book, there are concepts which will prove to be valuable as time progresses.
Rating: Summary: Unique approach that turns theory into practical solutions Review: This book contains an innovative and viable approach to securing databases, and one that I've not encountered anywhere else. In a nutshell the author provides techniques, based on standard SQL and Java, for securing sensitive data without restricting general access of less sensitive data to authorized users. The core of this approach is based on encryption and one-way functions, including PKI and secure hashing, and accepted authentication techniques such as digital signatures. What makes this book unique is that while it's based on solid theoretical ground, the material is practical. As the techniques are discussed they are illustrated by 15 different scenarios, all of which contain problems faced by e-commerce, HIPAA and other high security environments, and code examples that show how to solve the problems. I like the way the author shows how to implement his solutions in common database environments (PostgreSQL, MySQL and Oracle - the approach should also work in the MS SQL Server environment). As I read this book I saw interesting possibilities for implementing role-based access controls and securing against SQL-based statistical attacks using the author's approach. This book is essential reading for DBAs, system architects and IT security professionals, especially those in healthcare who are struggling with meeting HIPAA requirements, and in e-commerce who are challenged by protecting credit card and account information. This book shows the DBA how to secure his or her database, and the system architects and security professionals what is possible using SQL and Java. The book also has an associated web site which is supposed to have soft copies of all of the source code contained in the book. As of 6/25/02 the link to the source code is on the site, but the code itself is not yet available. When it is, the value of this book will increase even more because of the time it will save by not having to manually create the code from scratch. If you are new to the cryptographic techniques introduced in this book I recommend "Cryptography Decrypted" by H. X. Mel and Doris M. Baker, which is one of the best introductions to this complex subject. I also recommend reading "Secrets and Lies: Digital Security in a Networked World" by Bruce Schneier, which covers the technical, organizational and social aspects of security and gives a clear description of the technical underpinnings discussed in this book.
Rating: Summary: A different way to look at databases Review: This is a straightforward, elegant look at a simple way to make databases more secure against attacks from both insiders and outsiders. One of the reviewers seems to feel that this simplicity is a limitation or a reason to avoid the book, but I am still amazed at what you can do with a few simple functions. The raw idea may not be new, but the applications are inventive. The examples for protecting the names and schedules of babysitters are still a real eye opener for me.
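The first review describes the core idea (pass a value through a one-way function before storing it, as the UNIX password file does) and this review mentions the babysitter-schedule scenario. The following is an added example, not code from the book or from the reviewers: a constructed babysitter booking table whose name columns hold only keyed one-way tokens, so a client who knows a name can still query on it, while a raw dump of the table shows no names. The shared circle secret, the table layout and the bookings are assumptions for the example; the unkeyed-hash check at the end shows why a plain hash of a short name is not enough on its own.

```python
import hashlib
import hmac
import sqlite3

# Hypothetical secret shared by the families and sitters of one circle. It
# lives on the clients only and is never written to the database.
CIRCLE_SECRET = b"constructed-example-secret-not-from-the-book"

def translucent(value: str, secret: bytes = CIRCLE_SECRET) -> str:
    """Keyed one-way transform for a column that must be matchable, not readable."""
    return hmac.new(secret, value.strip().lower().encode(), hashlib.sha256).hexdigest()

def unkeyed_token(value: str) -> str:
    """Plain hash of the same value, kept here only to show its weakness below."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()

def build_schedule_db(bookings):
    """Store (family, sitter, day) rows with both names replaced by tokens.
    Only the day survives in clear, and only at day granularity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (family_tok TEXT, sitter_tok TEXT, day TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)",
                     [(translucent(f), translucent(s), d) for f, s, d in bookings])
    conn.commit()
    return conn

def sitter_busy_days(conn, sitter: str):
    """A client who knows the sitter's name recomputes the token and queries on it."""
    rows = conn.execute("SELECT day FROM bookings WHERE sitter_tok = ?",
                        (translucent(sitter),)).fetchall()
    return sorted(day for (day,) in rows)

def plaintext_names_in_dump(conn, names):
    """Defender's check: does a raw dump of the table expose any of these names?"""
    dump = " ".join(" ".join(map(str, row)) for row in conn.execute("SELECT * FROM bookings"))
    return [n for n in names if n.lower() in dump.lower()]

def token_guessable(token: str, candidates) -> bool:
    """True if the token is just the plain hash of some name in a candidate list."""
    return any(unkeyed_token(c) == token for c in candidates)

# Constructed sample bookings (not from the book).
BOOKINGS = [
    ("Alice Family", "Bob Sitter", "2002-06-28"),
    ("Carol Family", "Bob Sitter", "2002-06-30"),
    ("Alice Family", "Dana Sitter", "2002-06-29"),
]

if __name__ == "__main__":
    db = build_schedule_db(BOOKINGS)
    print(sitter_busy_days(db, "bob sitter"))                            # two days
    print(plaintext_names_in_dump(db, ["Bob Sitter", "Alice Family"]))   # []
    print(token_guessable(unkeyed_token("Bob Sitter"), ["Bob Sitter"]))  # True
    print(token_guessable(translucent("Bob Sitter"), ["Bob Sitter"]))    # False
```

The keyed form still cannot recover a name from its token, which is the book's point; the price, as the first reviewer notes, is that the secret now has to be managed by the clients.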
Rating: Summary: An accessible and pragmatic resource for working developers Review: Translucent Databases deals with the issue of building applications that store and manipulate sensitive data in a very accessible and pragmatic fashion. It provides working developers with a practical understanding of the fundamentals of cryptography and steganography as applied to the specific needs of data storage, retrieval and manipulation. The author has been careful to support major concepts with examples, discussions, real-world rationales, supporting mathematics and recommendations for additional reading. In particular, developers who do not have a formal computer science background will appreciate the clear explanations of the base mechanics of the various hashing and private/public key schemes. Given the profusion of applications that store sensitive data, this book is a timely guide that helps developers quickly solve problems in time-constrained development environments. Additionally, the author writes in a highly readable style that makes the topic material less fearsome for timid readers who fear daunting subjects like cryptography. The book is not perfect - it contains more than its fair share of typos and could benefit from tighter editing. However, these are minor flaws that do not compromise the utility of the book.