Re: MSDE Security (aka users looking at my apps database)

From: Andrea Montanari (andrea.sqlDMO_at_virgilio.it)
Date: 08/07/04


Date: Sat, 7 Aug 2004 15:59:13 +0200

hi Matt,
"Unicorn" <unicorn@somewhere.com> wrote in message
news:epy96HEfEHA.2604@TK2MSFTNGP12.phx.gbl...
> Only One JASON, FORGET IT.
>
> I have been called in more than once to untangle all sorts of developer
> installed security, I do it and will continue to do it.
>
> Developers who think that business data should be locked up from the
> Business should be locked up themselves. If your data is proprietary,
> then I suggest you create your own encrypted storage system! But give up
> on trying to lock the rightful owners of data out from it by denying them
> access to the database.

not to start a flame, but just a consideration...

I think it really depends... if you "sell" data, that is to say an aggregated
and/or particular kind of sensitive data, perhaps making it inaccessible to
external applications other than your own could be a legitimate case for a
particular protection system, and perhaps external encryption is a way to go,
as you already pointed out... perhaps not the best, as it will not be
integrated... but acceptable...
the same is true for sensitive code you provide in the form of stored
procedures/UDFs/views...
let's think about an ingenious tool, RAC by SQL Server MVP Thanh Ngo (AKA OJ)...
my understanding is it provides a set of stored procedures to manipulate
data, with unique features like CROSSTAB rotations and so on... this is
valuable code and I think it is provided as encrypted code... as it should be...
but you actually have no way to protect your metaschema(s) the same way...
even if SQL Server encryption has been defeated, I do personally think
this could be a valuable feature in some scenarios...

> Your schema etc. Might be your work, but locking out legitimate uses of
> the data is in my opinion about as quick a way to get your application
> dumped as you can get. Companies expect to be able to throw a copy of
> Crystal Reports onto a machine and interrogate the database for the
> information that they want, in the manner that they want it, when they
> want it.

this could violate certain EULAs and/or rules, both private and/or
legislative...
recently I've been asked to buy a mailing list for German (potential)
customers... the selling company provided a well-defined license for 1 use or
n uses of the same data... I don't know what kind of database they would
have provided, as our choice went to mailing labels directly, just for one shot...
but this scenario certainly does not grant you the possibility of multi-server
analysis and/or use...
another issue... think of privacy protection for sensitive data... medical
data... there are both European and USA (as well as other countries') acts that
state and (strictly) discipline the use of this kind of data...
a recent article by Sean Maloney in SQL Server Magazine
(http://www.winnetmag.com/SQLServer/Article/ArticleID/42731/42731.html, for
subscribers only) presents a way to protect data from unauthorized users
with row-level security granularity... but if you manually bypass that kind
of security (which you can, as a sysadmin) you are liable to legal
repercussions...

> As for competitors using your schema in their own products, you must be
> joking! They might however write conversion routines to 'upgrade' from
> your product. This is a fairly normal business practice.
>

agree =;-D

again... not to flame but just my 2 (euro)cents

-- 
Andrea Montanari (Microsoft MVP - SQL Server)
http://www.asql.biz/DbaMgr.shtm        http://italy.mvps.org
DbaMgr2k ver 0.8.0  -  DbaMgr ver 0.54.0
(my vb6+sql-dmo little try to provide MS MSDE 1.0 and MSDE 2000 a visual
interface)
--------- remove DMO to reply
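The row-level security Andrea refers to, and the sysadmin bypass he warns about, can be seen in a few lines of T-SQL. The following is an added example, not code from the original post or from the cited SQL Server Magazine article. It assumes a hypothetical table dbo.PatientRecord, two hypothetical SQL logins (clinicA, clinicB) that have been mapped to users in the database, and SQL Server 2000 / MSDE 2000 syntax; the rows inserted are constructed sample data.

```sql
-- Added example (not from the original post). Hypothetical table:
-- each row records which login is allowed to see it.
CREATE TABLE dbo.PatientRecord (
    RecordID    int IDENTITY(1,1) PRIMARY KEY,
    OwnerLogin  sysname      NOT NULL,   -- login that owns this row
    Diagnosis   varchar(200) NOT NULL
);
GO

-- Constructed sample data; clinicA and clinicB are assumed SQL logins.
INSERT INTO dbo.PatientRecord (OwnerLogin, Diagnosis)
    VALUES ('clinicA', 'sample diagnosis for clinic A');
INSERT INTO dbo.PatientRecord (OwnerLogin, Diagnosis)
    VALUES ('clinicB', 'sample diagnosis for clinic B');
GO

-- Row-level filter: the view returns only the rows whose OwnerLogin
-- matches the login of whoever is running the query.
-- WITH ENCRYPTION hides the view text from sp_helptext; as the post notes,
-- that protection has been defeated, so treat it as obfuscation only.
CREATE VIEW dbo.vPatientRecord
WITH ENCRYPTION
AS
    SELECT RecordID, Diagnosis
    FROM   dbo.PatientRecord
    WHERE  OwnerLogin = SUSER_SNAME();
GO

-- Expose the view and block direct reads of the base table for ordinary users.
GRANT SELECT ON dbo.vPatientRecord TO public;
DENY  SELECT ON dbo.PatientRecord  TO public;
GO

-- Logged in as clinicA, this returns only clinic A's row;
-- as clinicB, only clinic B's row.
SELECT RecordID, Diagnosis FROM dbo.vPatientRecord;

-- The bypass the post warns about: members of the sysadmin fixed server
-- role (and the database owner, dbo) are not subject to GRANT/DENY
-- checks, so this direct read succeeds for them and returns every row,
-- regardless of the view. The filter is enforced only for logins that
-- have no path to the base table.
SELECT RecordID, OwnerLogin, Diagnosis FROM dbo.PatientRecord;
```

The point of the example is the last statement: the view does real access control for ordinary logins, but it is permission-based, and anyone who holds sysadmin (or owns the database) can read the base table directly. That is exactly the gap Andrea describes, where the technical control stops and the legal or contractual one has to take over.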

