Re: Securing 3rd party connections to Oracle DB's?
- From: mike@xxxxxxxxxxxxxxx
- Date: 26 Aug 2008 13:25:48 -0000
On the technical side (depending on the environment of course), I would look at abstracting the access rather than direct access, suggesting web services for exposing and controlling access to the data: SSL for transport security and certificate-based or username/password authentication for each client. On the database side, match the certificates or userId to a client specific DB user account that only has access to view the data for that client, thus ensuring that each client can only access the data they need to access. Remember to make sure that all web services methods are properly validating input parameters to prevent SQL Injection. Restricting by IP address can help too, but certainly do not rely on this to prevent cross-client access to data.
I would not consider exposing the database directly to untrusted clients as your post seems to suggest (apologies if I've misread).
For non-technical controls, always ensure an appropriate contract is in place with proper info security clauses such as nondisclosure, protection of data, acceptable use etc.
hth
Mike
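Added example, not part of the original message: a sketch of the service-layer pattern described above, in which the client's certificate selects a client-specific data scope and request parameters are validated and bound rather than concatenated. The certificate bytes, table, view names and function names are all constructed for illustration; SQLite has no user accounts, so a per-client view stands in for the client-specific Oracle account that would hold SELECT on that view only.

```python
import hashlib
import sqlite3

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate presented during the SSL handshake."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-ins for two clients' DER-encoded certificates.
CERT_A = b"constructed-cert-client-a"
CERT_B = b"constructed-cert-client-b"

# Server-side mapping: certificate -> the only view that client may read.
CLIENT_VIEWS = {
    fingerprint(CERT_A): "orders_client_a",
    fingerprint(CERT_B): "orders_client_b",
}

def build_db() -> sqlite3.Connection:
    """Constructed sample data: one shared table, one restricted view per client."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, client TEXT, item TEXT);
        INSERT INTO orders VALUES (1, 'a', 'widget'), (2, 'a', 'gadget'),
                                  (3, 'b', 'secret-b');
        CREATE VIEW orders_client_a AS
            SELECT id, item FROM orders WHERE client = 'a';
        CREATE VIEW orders_client_b AS
            SELECT id, item FROM orders WHERE client = 'b';
    """)
    return db

def get_orders(db: sqlite3.Connection, cert_der: bytes, item_filter: str):
    """Web-service method: authenticate by certificate, validate, then query."""
    view = CLIENT_VIEWS.get(fingerprint(cert_der))
    if view is None:
        raise PermissionError("unknown client certificate")
    # Input validation: type and length are checked before the database is touched.
    if not isinstance(item_filter, str) or not 0 < len(item_filter) <= 64:
        raise ValueError("invalid item filter")
    # The view name comes from the server-side mapping, never from the request;
    # the client-supplied value is passed as a bound parameter.
    sql = f"SELECT id, item FROM {view} WHERE item = ? ORDER BY id"
    return db.execute(sql, (item_filter,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(get_orders(db, CERT_A, "widget"))
    print(get_orders(db, CERT_A, "x' OR '1'='1"))
```
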