Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
kwilliams
194 Posts |
 Posted - 2003-06-10 : 15:52:07
|
| Hello everyone,I'm finishing up an "Online Employment Application" app that uses SQL Server 7, ASP, JavaScript & VBScript. This DB contains a lot of information about each applicant that I need to keep secure, like their User Name, Password, Contact Info, Employment & Educational History, etc. I need to find a security/encryption method that can keep this information out of the hands of would-be hackers, employees, etc.I assumed (wrongly) that SQL would have some sort of built-in security/encryption method for entire databases. From a previous posting in this forum, I saw a link for third party solutions at: http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=1&tabid=2.We've already checked into the NetLib Encryptionizer, but it's pretty expensive for us, as we are a local government with a smaller budget. Are there any other cheaper solutions? Is there another way we should go about securing this information? Any suggestions on which way I should go would be very much appreciated. Thanks in advance.KWilliams |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-06-10 : 16:39:25
|
| There is lots of things you can to secure your database without encrypting anything. First of all, don't have SQL Server listen on port 1433. Second, use Windows Authentication. Third, apply all security cumulative patches that exist (SQL Server, Windows, etc...). Lock down your security to SQL Server by using stored procedures for access to the data for your application. Only grant EXECUTE permissions on these stored procedures. Do not grant table privileges unless absolutely necessary (dynamic sql requires it). Don't give out sysadmin role to anyone unless DBA or someone similar. Lock down who is an administrator on the machine. Lock down the firewall. Don't allow direct access (meaning not through the application) except through tools such as Citrix or have a firewall added with the MAC address of each machine that needs direct access.The point that I am trying to make is that you can secure your database without buying third party tools. Our environment is very secure here. We do not use third party tools to secure it and we do not encrypt anything as far as SQL Server goes (some registry entries are encrypted for the application).Tara |
 |
|
|
JimL
SQL Slinging Yak Ranger
1537 Posts |
Posted - 2003-06-10 : 16:43:34
|
| My personal opinion on encryption is DON’T.You are far better off using SQL Security and access Level controls than to encrypt the data.Remember the best hacker in the world cannot hack what they can’t get at.Tarra Beat me to the reply But I totaly agree with her.JimUsers <> LogicEdited by - jiml on 06/10/2003 16:45:10 |
|
|
|
MichaelP
Jedi Yak
2489 Posts |
Posted - 2003-06-10 : 16:53:39
|
| I agree with what the others haev said. Encryption just slows hackers down. Keep them out in the first place and you'll be fine.Michael<Yoda>Use the Search page you must. Find the answer you will.</Yoda> |
|
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2003-06-10 : 19:31:55
|
And if they haven't convinced you yet, consider these issues too:Once the data in encrypted, it is useless until/unless it's decrypted. Therefore you can't search it, index it, or query it without decrypting it, and in doing so you basically make it insecure again. If you've never lost a Word or Excel document because you've lost the password, don't worry, you will someday.To decrypt the data, you need the password or key. Now you have to manage and secure THESE items in addition to the data. I guarantee you'll end up with a user who loses a password, or use a common password that will ultimately get out to someone you don't want to have it. Nor does it make sense to store passwords or keys in an application or a database, because the only way to keep them secure is...to encrypt them.  Using ANOTHER password or key... You may think otherwise, but some of the information on the employment application doesn't truly warrant encryption. Employment and educational history are almost never confidential anyway, and doesn't really do much harm if inadvertently revealed. The fact that a prospective employee is GIVING you that info more or less proves that. Not to mention if they've posted a resume on a web site; why should you be burdened with safeguarding something that's public information anyway? And if you're not encrypting the network traffic via HTTPS or some other means on your web pages, guess what? Someone can snatch it from that traffic far more easily than your database server. |
|
|
|
|
|
|
|
|
WANTED: SQL Encryption Suggestions Please!!!