Thread: Secure DB design ?
Hello, Im a dutch student, working on a project where security of user information stored in a database is priority 1. So the database must be designed with high security in mind. I've searched the net very intesive, but did'nt find a good recource which can help me with "secure database design". I hope someone can help me on such a recource, a good book may help too. Thanx in advange.
On Fri, Sep 13, 2002 at 20:47:03 +0200, Jan Vaartjes <j.vaartjes@quicknet.nl> wrote: > Hello, > > Im a dutch student, working on a project where security of user > information stored in a database is priority 1. So the database > must be designed with high security in mind. I've searched the > net very intesive, but did'nt find a good recource which can help > me with "secure database design". I hope someone can help me on > such a recource, a good book may help too. > Thanx in advange. Translucent Databases by Peter Wayner describes using encryption and hashing to secure data in databases. There are limits on what you can do with this, but the methods used can be helpful in some cases.
Jan Vaartjes writes: > Im a dutch student, working on a project where security of user > information stored in a database is priority 1. So the database must > be designed with high security in mind. I've searched the net very > intesive, but did'nt find a good recource which can help me with > "secure database design". I hope someone can help me on such a > recource, a good book may help too. The first thing you will need to decide is: What do you mean by security? There is the integrity of the data: Does the database system preserve the data accurately, or does it have bugs that corrupt data? There is identification: How sure are you (or your database system) that a user of the system is who they say they are? There is authorization: Does the database system (or layers you put on top of it) provide good enough access control for your application, both in what they can read and change? Bugs or design errors in the system can sometimes circumvent the access controls. There is transport privacy: Is the user's traffic secure enough against eavesdropping? Depending on your application, you may have to address other types of security. Unfortunately, "security" by itself is so vague as to not be a useful metric of databaes design. -- Michael