database security

  • I am developing an application which uses SQL Server Express, so there are many databases which need to have security. Any customer who installs our application will get those databases on his PC, so he can see the data present in the database. How can I make it safer so that the data present in the database will not be seen by anyone?

  • Once your data is on someone's computer your data is no longer protected from others.

    I would recommend encrypting the important data items and developing a key management scheme that would make it very hard for someone to see your data without expending lots of effort in trying to crack your encryption key(s).

    The probability of survival is inversely proportional to the angle of arrival.

  • Which is the best method by which I can do encryption?

  • Anyone, please reply to me.

  • It's a complex topic.

    Encrypt values of sensitive columns with symmetric-key encryption (cell-level encryption).

    Use Transparent Database Encryption to encrypt files (data files, log files, and backup files).

    Additionally, you could use "WITH ENCRYPTION" on your code (procedures, functions, views, triggers) so the source code is not easily visible.

    Permissions should be tight (minimal), also.

    _____________________________________________________
    Microsoft Certified Master: SQL Server 2008
    XDetails Addin - for SQL Developers
    blog.sqlxdetails.com - Transaction log myths

  • However, bear in mind that anyone who is an administrator on the machine that runs SQL can remove the TDE and decrypt any column encrypted by key or cert, and that procedures created WITH ENCRYPTION can be 'decrypted' in less than 5 min; it's not encryption, it's obfuscation.

    If you put the DB onto someone's machine, that person has full control and you cannot prevent that.

    Encrypt in the app if you need to ensure that the administrators of the server where the DB sits must not have access to the data. Of course then you have the fun of securing the keys, which is not a trivial exercise.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
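
The cell-level encryption suggested in the replies above, written out in T-SQL as an added example that is not part of the original thread. The database, table, role, key and certificate names, the password and the sample row are constructed placeholders.

```sql
-- Added example. All object names and the password are constructed placeholders.
CREATE DATABASE CellEncDemo;
GO
USE CellEncDemo;
GO
-- Key hierarchy: database master key -> certificate -> symmetric key.
-- By default the database master key is also protected by the instance's
-- service master key, so a sysadmin on that instance can open this chain.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<constructed-placeholder-password>';
CREATE CERTIFICATE CustomerDataCert WITH SUBJECT = 'Protects CustomerDataKey';
CREATE SYMMETRIC KEY CustomerDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerDataCert;
GO
CREATE TABLE dbo.Customer (
    CustomerId    int            NOT NULL PRIMARY KEY,
    Name          nvarchar(100)  NOT NULL,
    CardNumberEnc varbinary(256) NOT NULL  -- ciphertext only, never plaintext
);
GO
-- Minimal permissions: only members of this role can open the key.
CREATE ROLE CardReader;
GRANT SELECT ON dbo.Customer TO CardReader;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::CustomerDataKey TO CardReader;
GRANT CONTROL ON CERTIFICATE::CustomerDataCert TO CardReader;
GO
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert;

-- The authenticator binds the ciphertext to its row, so a value copied
-- into another row fails to decrypt.
INSERT INTO dbo.Customer (CustomerId, Name, CardNumberEnc)
VALUES (1, N'Constructed Customer',
        ENCRYPTBYKEY(KEY_GUID('CustomerDataKey'), N'0000-0000-0000-0000', 1,
                     HASHBYTES('SHA2_256', CONVERT(varbinary(4), 1))));

-- Key open: plaintext is returned.
SELECT CustomerId, Name,
       CONVERT(nvarchar(32), DECRYPTBYKEY(CardNumberEnc, 1,
               HASHBYTES('SHA2_256', CONVERT(varbinary(4), CustomerId)))) AS CardNumber
FROM dbo.Customer;

CLOSE SYMMETRIC KEY CustomerDataKey;

-- Key closed: DECRYPTBYKEY returns NULL instead of plaintext.
SELECT CustomerId, DECRYPTBYKEY(CardNumberEnc, 1,
       HASHBYTES('SHA2_256', CONVERT(varbinary(4), CustomerId))) AS CardNumber
FROM dbo.Customer;
```

Because every key in this chain is stored inside the instance, this protects the column from ordinary database users but not from an administrator of the machine, which is the limit the last reply describes.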
