Database Security

  • Hi,

    Our Development team have all recently acquired laptops and of course the first thing each member wanted was to install a local SQL Server onto it with our Corporate Database to be able to do local Development.

    Can anyone recommend (if Management allow this) how to go about securing the .mdf files, .ldf file, back up files in some secure manner in case these laptops are lost, stolen etc.

    Also, in Enterprise Manager is there anyway to disable it for the local database ie. the files from above are secured but the Developer automatically leaves in their Login in creditionals in Enterprise Manager for auto login.

    Or ultimately is the plain answer to this scenario, absolutely now way?

    Thanking you in advance for your ideas and thoughts.

    Darren

  • developers with mobile computers (including home computers) should never be allowed to have a copy of any corporate database whatsoever if the db has any live data.

    they can have a copy of db schema, but never the live data, save for sample data but not from live.

    DON'T DO IT, its a cocktail for disaster


    Everything you can imagine is real.

  • Windows allows you to encrypt all data on a disk drive.  It's not difficult to do and this might be your best/first step.  Another option is to encrypt specific data within the database such as SSN's, by doing that even if the data gets stolen you've taken a huge step in protecting your customers.  I really cannot advocate enough encrypting data inside the database because in this age of wireless routers someone is eventually get access to your data or see it coming across the network if you allow your employees to take it home with them.

    More importantly this type of activity is a procedural nightmare so you should consider selling the need for rules/procedures to managment to govern it.

  • A small but important point: it depends. Windows Vista Enterprise and Ultimate has BitLocker and this is the only full disk encryption available on a Windows platform. EFS is not full disk encryption, if that's what you mean. With that said, full disk encryption products include Pointsec, SafeBoot, Utimaco, among others.

    As to whether or not they should be allowed to take home the data, this is a business decision, so it's a decision that must be made by the organization. The risk of disclosure needs to be analyzed (what is the impact to the company's reputation, what will the costs to notify, what are the potential costs for lawsuits, etc.) vs. the benefit gained by allowing them access.

    One option is to create either a santized version of the data or to generate data like what is in production. Tools like Visual Studio Team Edition for Database Professionals does this. Another option would be to use a VPN and allow them to connect to a development server, meaning there isn't actually any data residing on their laptops...

     

    K. Brian Kelley
    @kbriankelley

  • Using full scale disk encryption, like Pointsec, is a good start, but I don't think developers should have real corporate data on their laptops. Obfsucate or scramble the data for development purposes. They can use live data on a corporate QA server if they need it.

    I'd also not have them save passwords to any servers with live data. Audit this periodically with a manager or someone to check, but saving passwords to servers without real data is a nice convenience.

  • I agree. I would give them the database shell with no live data in it. If they need to they can create their own data.

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply