Re: Protecting database from administrators
From: J André Labuschagné (technical_at_eduadmin.com)
Date: 04/25/04
Date: Sun, 25 Apr 2004 18:33:36 +0200
Hi Neil
In transit means legally or illegally. If the DB is removed illegally and
there is no encryption while at rest it must still be secure. We do not
want to use separate encryption utilities to achieve this. These should be
part of the DB itself. On the matter of Word and Visio we have our own
proprietary Word Processor and Graphical Utility the files for which are
stored in secure databases. In fact, even if our clients use other word
processors the documents may be saved and accessed from within our
databases. Our clients do not like the MS offerings precisely because they
are insecure in transit. It is very clear that you are unaware of DBMS that
are not linked to OS security. All the security MS has offered is weak.
Let us take one simple example. You refer to EFS. This is only applicable
if the DB is lying on an NTFS segment. If it is attached to SQL Server on
FAT32 (e.g. Windows 98) the security is removed as FAT32 does not support
EFS. We have solved our problem by not using MSSQL. We have connected with
other vendors that supply SQL technology that meets our requirements and is
not dependent on the OS at all. I suggest you do some more research on this
matter. We have been digging around for well on one year now - specifically
on the security aspects. A cursory bit of research on your part is all that
is required. It is unethical to mention other vendors on this forum so we
will refrain from doing so.
Cheers
Andre
"Neil Pike" <neilpike@compuserve.com> wrote in message
news:VA.000061e4.0ddcae0a@compuserve.com...
> Andre,
>
> > In fact while testing these other DB engines the vendors expressed
> > amusement that MS had not considered such a simple requirement as
> > security of the database while in transit. We need the entire database
> > inaccessible if stolen - not just the data, stored procedures and
> > triggers. The file structure and everything must be inaccessible without
> > the correct authorisation being submitted when the DB is opened.
>
> If securing a database "in transit" is what you need, then most backup
> tools allow security/encryption to be applied. Or a separate encryption
> utility can be used to secure the file.
>
> Would you expect Word and Visio to provide government-defence level
> security features built in? I wouldn't expect so. But, on the occasions I
> am sending secure/confidential information in these files to someone
> across a public network (e.g. internet email) I will encrypt them and
> communicate the key to the other end via secure means. The same holds
> true for dbms files/data.
>
> > Whichever way you look at it the security in MSSQL is very weak indeed.
> > You are fixated on the administrator having to have access to all parts
> > of the system. This is not necessary at all with other DB systems.
>
> With ANY computer system, someone with admin level rights to the machine
> is going to be able to get the dbms data files off a server/mainframe if
> they want to. Therefore the whole file, or all the data in the file, needs
> to be encrypted. SQL Server doesn't offer anything built-in for the
> latter, but for the former you can use Win2K or above's built-in EFS
> facility.
>
> > You may just
> > want to have a look at them if you are really concerned about security.
>
> Which dbms's are these, and how do they specifically implement the
> security features that you need?
>
> I'm not saying SQL Server is the most "secure" dbms out there, but it
> meets the requirements of 99% of customers out there. I don't believe any
> other mainstream dbms offers what you seem to be looking for.
>
>
> Neil Pike MVP/MCSE. Protech Computing Ltd
> Reply here - no email
> SQL FAQ (484 entries) see
> http://forumsb.compuserve.com/gvforums/UK/default.asp?SRV=MSDevApps
> (faqxxx.zip in lib 7)
> or www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
> or www.sqlserverfaq.com
> or www.mssqlserver.com/faq
>