Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 SQL Server 2000 Forums
 Import/Export (DTS) and Replication (2000)
 Is DTS Secure for credit card backup to Access?

Author  Topic 

gburns
Starting Member

9 Posts

Posted - 2002-06-02 : 15:43:06
Hello,

We need to backup SQL Server 7.0 data to a local pc running MS Access. We have used DTS in the past and that is with what I am most familiar.

Our new backup job now has credit card numbers and order information and I do not know if DTS is able to go from SQL Server to Access securely. And I do not want to find out the hard way!

Can somebody please give me hints here? Will we be exposing credit card numbers if we backup using DTS in this manner? Is there an equally as effective, but more secure alternative?

Any responses greatly appreciated.

Thanks
gburns

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2002-06-02 : 19:10:37
Any system is only as secure as it's least secure part.
If you are backing up to Access, DTS won't be the weak link.

Damian
Go to Top of Page

dataphile
Yak Posting Veteran

71 Posts

Posted - 2002-06-03 : 09:05:01
Well said.

Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2002-06-03 : 09:19:56
Thank you!

And welcome to the SQLTeam school of artificial post count exaggeration

Damian
Go to Top of Page

Nazim
A custom title

1408 Posts

Posted - 2002-06-03 : 10:17:21
yeah, very well said
quote:

And welcome to the SQLTeam school of artificial post count exaggeration




--------------------------------------------------------------
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2002-06-03 : 10:21:33
Nazim is the president of it

Damian
Go to Top of Page

Nazim
A custom title

1408 Posts

Posted - 2002-06-03 : 10:27:56
Oh! this is news to Me

Merkin is the Founding member and the King Maker of it


quote:

Nazim is the president of it



--------------------------------------------------------------


Edited by - Nazim on 06/03/2002 10:29:03
Go to Top of Page

gburns
Starting Member

9 Posts

Posted - 2002-06-03 : 15:36:19
I am concerned about the internet link between my hosted SQL Server and my home PC with Access.

I can secure the Access backup database.

I was curious to know if you experts knew if DTS was secure for this type of transfer.

Thanks,
gburns

Go to Top of Page

robvolk
Most Valuable Yak

15732 Posts

Posted - 2002-06-03 : 15:46:19
The SQL Server Client Network utility has an option that allows you to encrypt traffic. I don't know if that will affect pushing data into Access though, but it will work for pulling data from SQL Server. Look for a checkbox labeled "Force protocol encryption". You will need to configure your connection using Multi-protocol networking.

Why not just dump the data into a local Access database on the SQL Server, WinZip it (with a password if you like) and either put it on a floppy, or email it home? It's totally secure and probably faster. You don't have to match the exact formats, just get the critical tables then import them into your home database.

Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2002-06-03 : 19:25:10
If you want to be really secure. Can you establish a VPN connection to your SQL Server ? Or is it on an ISP ?

If it is just on an ISP I would say two things.

1. What the hell are you doing storing credit card details on an ISP shared server ?
2. The transfer back to your local access copy won't be the weakest link.



Damian
Go to Top of Page

gburns
Starting Member

9 Posts

Posted - 2002-06-04 : 04:33:29
quote:

1. What the hell are you doing storing credit card details on an ISP shared server ?



Guilty. And you have my attention!

And I feel really lame, because I do not understand the alternatives.

I want to be proactive about this. Can you direct me to any more resources so that we can correct this ASAP.

gburns

Go to Top of Page

gburns
Starting Member

9 Posts

Posted - 2002-06-04 : 04:36:59
Merkin,

In the scenario that I presented what is the weakest link?

Thanks,
gburns

Go to Top of Page

gburns
Starting Member

9 Posts

Posted - 2002-06-04 : 04:48:47
quote:

The SQL Server Client Network utility has an option that allows you to encrypt traffic. I don't know if that will affect pushing data into Access though, but it will work for pulling data from SQL Server. Look for a checkbox labeled "Force protocol encryption". You will need to configure your connection using Multi-protocol networking.



robvolk,

Thanks for the tip. Encryption worked well and was readable on the Access end.

gburns.

Go to Top of Page

JamesH
Posting Yak Master

149 Posts

Posted - 2002-06-04 : 16:22:14
Please post the name of the idiot of a company that is putting Credit Card Numbers in an Access Database, I want to be the first to drop any account I might have with them and definately want to sell any stock I may hold.

Geeez, I've been working in this industry for over 12 years and I'm still floored by the idiots that are paid to do nothing more than create problems and bad reps for the rest of us.

This topic should've ended with Merkin's response and by now you should've realized that it's time to do it right before you find out how un-secure your Access Database is...

BTW, Did you know that most hacking/Fraud/Theft etc. on Corporate Systems comes from within the organization???

JamesH.

Go to Top of Page

gburns
Starting Member

9 Posts

Posted - 2002-06-04 : 17:10:43
quote:

by now you should've realized that it's time to do it right before you find out how un-secure your Access Database is...



JamesH,

Thanks for your message. In some ways I expected a flame. Yes I am still a newbie, but at least we are being proactive about security.

I posted here to learn what the "right thing" to do was. I received some good information here, but I still have questions about what exactly is the "right thing".

I think many of you old pros host your SQL Server data locally and can do backups in the traditional manner. Unfortunately we do not have that luxury, because we have a limited budget. Maybe I was wrong, but I thought that because of this we had to outsource the SQL Server hosting. Which means possible security issues with the hosting company staff and with any backups that we perform over the internet.

Thanks to robvolk, I addressed the security of the internet transmission of the backup data with the SQL Server encryption setting. I still have a concern about the hosting company staff. However we have a good procedure to secure the Access backup data on my home pc. (Access is never used for live transactions, the backup data is saved to tape and locked up and then the backup file is deleted/cleaned on the hard disk).

I will keep looking for alternatives.

Thanks,
gburns

Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2002-06-04 : 20:34:17
Hi

OK, now all the flaming is out of the way

The weakest part of this scenario now is probably the ISP database.
Not only is your data viewable by the ISP staff, but you are on a shared database server with all their other customers.

My advice would be this (and you won't like it).
You basically have two options.

1. Bring the database and hosting in house, hire a really good DBA and/or security consultant to secure it and maintain it.
This should include firewalling your DB server off from the internet, installing IDS etc etc (have a look here for some more info given the recent SQL server worm).

2. Don't store credit cards. It is perfectly acceptable for people to re-enter their details with each purchase.

I realise your budget may be tight, but to do this thing right you have to spend some money. Put it this way, would YOU feel comfortable buying from a vendor that skimped on YOUR credit card security ?

Damian
Go to Top of Page

rrb
SQLTeam Poet Laureate

1479 Posts

Posted - 2002-06-04 : 23:34:32
and without wanting to artificially exaggerate my postings...can I suggest that I suspect Merkin's second option is probably your best and cheapest bet....

Sorry about all the flaming, but some of us don't get out much...

Please feel free to continue asking so we can help. Good to hear you're doing something about it. I can guarantee that there will be plenty more people with your starting point who aren't...
--
I hope that when I die someone will say of me "That guy sure owed me a lot of money"

Edited by - rrb on 06/04/2002 23:35:42
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2002-06-05 : 00:38:58
quote:

and without wanting to artificially exaggerate my postings



Yeah, you would never try that would you

Damian
Go to Top of Page

rrb
SQLTeam Poet Laureate

1479 Posts

Posted - 2002-06-05 : 00:46:13
quote:

Yeah, you would never try that would you
Damian



Of course not - mind you it works better if you post then delete then post.....he he he... 500 here I come!

light goes on...light goes off...light goes on...

or the version

post goes in...post goes out...post goes in...

--
I hope that when I die someone will say of me "That guy sure owed me a lot of money"
Go to Top of Page

robvolk
Most Valuable Yak

15732 Posts

Posted - 2002-06-05 : 07:31:38
quote:
post goes in...post goes out...post goes in...

Oh, how I could TWIST that...

Go to Top of Page

JamesH
Posting Yak Master

149 Posts

Posted - 2002-06-05 : 08:12:05
Sorry about the flaming, but taking shortcuts with security is inexcusable. If a project is not worth doing right, then it's not worth doing.

Merkin is right. Bring Data in-house it will probably be cheaper in the long run anyway and storing the CC numbers should not be done and would set bells and whistles off with most Auditors.

Even if you're a small company, you should plan for growth 3-5 years out. Who, on this board, wants to build servers every year to account for bad planning on their part and then having the joy of explaining over and over again that you are inept with planning.

As for not getting out much, maybe rrb needs to get a hobby without a keyboard.

Good Luck and don't take the blasting personally, I hope your project is successful.


JamesH.

Go to Top of Page
  Previous Page&nsp;  Next Page

- Advertisement -