I would like to encrypt my TM data for security purposes since the data base contains a lot of client confidential information. I use the latest version of TM.
My first question is how secure is the data given that I need to log in to access it using TM? Is further encryption necessary?
If encryption is advisable, can that be done to the TM data using a program such as TruCrypt? Will it interfere with the operation of the program?
Thanks as always.
Time Matters Data inside your network:
Your network should be secured properly in a way that outside, unpermitted connections cannot be made to your servers. This is the tasks of an experienced networking administrator or vendor. Inside your network, only those with security permissions and access to passwords (Time Matters or SQL Management Studio) should be able to access your data. If your network, servers, SQL Server and Time Matters security are configured properly your data will be very secure. Encryption is not needed.
Time Matters Data/Documents outside of your network:
Assuming the above is completed, encryption should only be needed when data is being transfered outside of your network over the internet or via laptop/USB where it could be intercepted.
I recommend only using tools such as GotoMyPC or TeamViewer to get to Time Matters data remotely, following any network connection setup such as VPN. If you're really worried about data security, never carry your data out on a laptop or USB drive.
Syncing (ex. over the air Exchange sync):
I'm not 100% sure if an exchange sync is encrypted. I'm also not sure if all phones/tablets encrypt data on their hard drive (I do beleive apple products do). This area might be best suited for someone to answer who has more experience in mobile syncing than myself.
Of course these responses are in general and may not be suited for your exact setup or situation. I do hope it can help you in some way. There are a few CIC's who are much more experienced in this area than I and maybe they will chime in.
Michael W. Gaines Jr. Gaines Database ConsultingTime Matters CIC Florence, SC 29501 (843) 615-8084 email@example.com://www.gainesconsulting.com Proud Southeastern Affiliate of Eastern Legal Systems, LLChttp://www.easternlegalsystems.com
Why not use built in SQL data encryption?
Mark Deal (CIC/Moderator)Document & Data Solutions, LLCTMTools, LLCAtlanta, Georgiahttp://firstname.lastname@example.org(770) 888-1940Time Matters | HotDocs | PCLaw | TMTools | DDSLink | Worldox
Considering I've never attempted to encrypt data in a Time Matters database, would SQL encryption at the database or column level not break the Time Matters application? I would think encryption would require application source code revisions and database structure revisions to column types and lengths etc.
Even if this were possible, I would think it would create a performance nightmare as well as break any third-party reporting utilities.
Thanks to everyone who replied. I guess I need to refine my question a bit.
My concern is not sending data off site, but the possibility that someone could get into the office and physically take my computer. The chance seems a bit remote, but on the other hand, it would be difficult to explain to clients why their information was so easily compromised.
Is the SQL data of TM encrypted within the program. I checked the setup options and could only find one that referred to encryption of messages outside of the program. Maybe I don't have a problem.
I run TM 11.1 on a single machine - no server.
concern is not sending data off site, but the possibility that someone
could get into the office and physically take my computer. The chance
seems a bit remote, but on the other hand, it would be difficult to
explain to clients why their information was so easily compromised.
the SQL data of TM encrypted within the program. I checked the setup
options and could only find one that referred to encryption of messages
outside of the program. Maybe I don't have a problem.
I would go with a strong password to login in to your computer and a secure password to login to Time Matters. There are also other things that can be done to prevent someone getting to your data by rebooting the computer outside of your installed windows.
If you really want to prevent access you could get a machine that has a removable hard drive and pull the hard drive each night and store it in a safe.
Caren Schwartz (Moderator/CIC)
& Time &
Cents Consultants, LLC
www.3545consulting.com / www.timeandcents.com
Software for Managing Time, Money
Time Matters, Billing Matters,
Billing Matters Plus, PC Law CIC
There are a number of options, none of them completely satisfactory, but each level enhances security:
(1) Windows password needs to be robust, and change every 90 days
(2) Desktops need to lock on Screensaver and reqire login after 10 minutes of inactivity
(3) Supply ACCESS TIMES for Logins in Time Matters
(4) Apply strong Login Password, and setup for required change every 90 days.
(5) In SQL, modify the SA Password to something other than the DEFAULT.
(6) Contact a consultant about disabling Windows Authentication on the SQL Database.
(7) Consider moving SQL Server to a VIRTUAL SERVER and setting it up so that only a limited set of users have access. There may be a way to use BITLOCKER on that virtual server for added security.
Of course, nothing prevents one of your OWN users from accessing the data. On that level, I would also configure Time Matters security and decide to limit access by certain users.
I looked at this question some time ago, and here's what I concluded: Using the data encryption tools of SQL Server (TDE) in some ways is the most elegant and certainly the most tested, but I was concerned about the complexity and the possible problems with replicating the database to a laptop (which is mostly where the encryption would be necessary). I have not yet implemented the SQL TDE, but will consider bringing in a contractor to do that when I change my computers next. I also concluded that TrueCrypt would be a satisfactory way to go. There might be a performance hit, since it's OTFE, but if the use is limited to laptops, that might not be a show stopper. I haven't implemented that, either, because my current equipment has disk security linked to separate security chips (real or emulated); that layer reportedly could be bypassed by someone with special knowledge, but that person is not likely to care about my TM data, so, for now, the threat assessment says I don't need to put the TM data on an encrypted volume. If TrueCrypt might work for you, you might experiment first with the tutor database.
Joseph Nierenberg Nierenberg Employment Law, PLLC
Consulting – Litigation – Training