Thread: How to secure PostgreSQL Data for distribute?
Dear All,
I need to distribute my application that uses PostgreSQL as its database to my customer. But I still have some questions in my mind about database security. I understand that everybody who gets my application database will have full control permission on my database in case PostgreSQL is already installed on their computer and they are an administrator on PostgreSQL. So that means the data, structure and any ideas contained in the database will not be secure on this point. Is my understanding correct?
What is a good way to make it all secure? Please advise.

On 8/17/05, Premsun Choltanwanich <Premsun@nsasia.co.th> wrote:
>
> Dear All,
>
> I need to distribute my application that uses PostgreSQL as its database
> to my customer. But I still have some questions in my mind about database
> security. I understand that everybody who gets my application database
> will have full control permission on my database in case PostgreSQL is
> already installed on their computer and they are an administrator on
> PostgreSQL. So that means the data, structure and any ideas contained in
> the database will not be secure on this point. Is my understanding correct?
>
> What is a good way to make it all secure? Please advise.

If your customer has the root password of the machine that is running postgresql, there's nothing you can do in order to limit the access to the database structure.

My recommendation is: show them the code, make it free!

On Thursday 18 Aug 2005 8:26 am, Premsun Choltanwanich wrote:
> Dear All,
>
> I need to distribute my application that uses PostgreSQL as its
> database to my customer. But I still have some questions in my mind
> about database security. I understand that everybody who gets my
> application database will have full control permission on my
> database in case PostgreSQL is already installed on their
> computer and they are an administrator on PostgreSQL. So that means
> the data, structure and any ideas contained in the database will not
> be secure on this point. Is my understanding correct?

correct

>
> What is a good way to make it all secure? Please advise.

no way - you could try to frighten him so much that he is afraid to touch anything. Or you could educate him so that he can creatively touch some parts of it and ease your burden of support and maintenance. Also enter into a proper license agreement with him so that he doesn't redistribute or hijack your ideas and your code. In the long run, if you follow this course, you will find that you will be able to serve your customers more effectively

--
regards
kg
http://www.livejournal.com/users/lawgon
tally ho! http://avsap.org.in
ಇಂಡ್ಲಿನಕ್ಸ வாழ்க!

Premsun Choltanwanich wrote:
> Dear All,
>
> I need to distribute my application that uses PostgreSQL as its
> database to my customer. But I still have some questions in my mind about
> database security. I understand that everybody who gets my application
> database will have full control permission on my database in case
> PostgreSQL is already installed on their computer and they are an
> administrator on PostgreSQL. So that means the data, structure and any
> ideas contained in the database will not be secure on this point. Is my
> understanding correct?
>
> What is a good way to make it all secure? Please advise.

If your customer can access the data, they can access the data. If they have control over the system, they can access the system.

I guess you could build some sort of encryption into your client, but that seems pretty easy to circumvent.

The short answer is that there is no good way to do this. If you are worried about this, the technology isn't going to save you. No technology will save you. Instead, I would highly suggest discussing the matter with an attorney and see if there is a legal remedy that might provide adequate protection.

Best Wishes,
Chris Travers
Metatron Technology Consulting

> Premsun Choltanwanich wrote:
>
>> Dear All,
>> I need to distribute my application that uses PostgreSQL as its
>> database to my customer. But I still have some questions in my mind
>> about database security. I understand that everybody who gets my
>> application database will have full control permission on my
>> database in case PostgreSQL is already installed on their computer
>> and they are an administrator on PostgreSQL. So that means the data,
>> structure and any ideas contained in the database will not be secure on
>> this point. Is my understanding correct?
>> What is a good way to make it all secure? Please advise.
>
> If your customer can access the data, they can access the data. If
> they have control over the system, they can access the system.
>
> I guess you could build some sort of encryption into your client, but
> that seems pretty easy to circumvent.
>
> The short answer is that there is no good way to do this. If you are
> worried about this, the technology isn't going to save you. No
> technology will save you. Instead, I would highly suggest discussing
> the matter with an attorney and see if there is a legal remedy that
> might provide adequate protection.

It looks as though the Original Poster is in Thailand; if the customer is elsewhere in Asia, it might become challenging to find a context where "legal jurisdiction" or "legal remedy" are well enough defined for this to work out well.

It may be that the prime issue is whether or not the customer is trustworthy or not; if the answer is "not," and legal remedies are not easy to get, then there are essentially two choices:

1. Do not distribute the database. The customer must access the database from the vendor's site.

   At the extreme end of this, the application would not directly submit database queries, but rather redefine the application in a client/server fashion where the customer side submits requests via some protocol that does not expose anything about the database schema.

2. If the customer is REALLY not able to be trusted, then maybe they can't be a customer.

--
(reverse (concatenate 'string "moc.liamg" "@" "enworbbc"))
http://cbbrowne.com/info/
If we were meant to fly, we wouldn't keep losing our luggage.

On 8/17/05, Premsun Choltanwanich <Premsun@nsasia.co.th> wrote:
>>
>> Dear All,
>>
>> I need to distribute my application that uses PostgreSQL as its database
>> to my customer. But I still have some questions in my mind about database
>> security. I understand that everybody who gets my application database
>> will have full control permission on my database in case PostgreSQL is
>> already installed on their computer and they are an administrator on
>> PostgreSQL. So that means the data, structure and any ideas contained in
>> the database will not be secure on this point. Is my understanding correct?
>>
>> What is a good way to make it all secure? Please advise.
>

If it is "your" database, then I would not give them the database, but merely offer the information in the database as a "service." This, of course, can be implemented through the internet. That way, the rules that govern which customers can access and see which pieces of data can be implemented in the application itself so you wouldn't have to give them all the data and structure the customer doesn't need to see if the rules governing how they access the database from the application are built into the application itself, with possibly authentication credentials stored in the database and the authentication mechanism implemented in the application.

The only other way I can imagine where you can get beyond, at least not showing the data they don't need to see, is querying the database to filter out the data 'belonging' to the customer, and export that filtered data to isolated tables comprising a new database that could then be given to the customer, watered down to what's relevant to them.

If it's "your" database then, hey, don't give it to them. If it's really "their" database then you wouldn't really have a problem with giving them their data... But it's apparently not really "their" database so keep it to yourself and offer access to the data as a service.

Ferindo

--
Ferindo Middleton
Chief Architect
Sleekcollar.com
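
The arrangement suggested in the two replies above (the customer side submits requests over a protocol that exposes nothing about the schema, and the access rules live in the vendor's application), shown as an added example that is not part of the original thread. The table, column and operation names are hypothetical, sqlite3 stands in for the vendor-hosted PostgreSQL so the code runs offline, and `customer_id` is assumed to come from an authentication step that is not shown.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for the vendor-side PostgreSQL server.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE t_ord (id INTEGER PRIMARY KEY, cust_id INT, sku TEXT,
                            qty INT, margin_pct REAL);
        INSERT INTO t_ord VALUES (1, 10, 'A-100', 5, 41.5), (2, 10, 'B-200', 1, 38.0),
                                 (3, 20, 'A-100', 9, 44.0);
    """)
    return db

# Allow-list of named requests: (SQL, argument names and types, public field names).
# Clients never send SQL, and replies use public names instead of column names.
OPERATIONS = {
    "list_orders": (
        "SELECT id, sku, qty FROM t_ord WHERE cust_id = :customer ORDER BY id",
        {}, ("order", "product", "quantity")),
    "orders_for_product": (
        "SELECT id, qty FROM t_ord WHERE cust_id = :customer AND sku = :product",
        {"product": str}, ("order", "quantity")),
}

def handle(db, customer_id, request):
    """Serve one request for an already authenticated customer_id."""
    name = request.get("op")
    op = OPERATIONS.get(name) if isinstance(name, str) else None
    if op is None:
        return {"ok": False, "error": "unknown request"}
    sql, spec, fields = op
    args = request.get("args", {})
    # Reject missing, extra or wrongly typed arguments before touching the database.
    if (not isinstance(args, dict) or set(args) != set(spec)
            or any(not isinstance(args[k], t) for k, t in spec.items())):
        return {"ok": False, "error": "bad arguments"}
    # The row scope comes from the session, never from client-supplied arguments.
    params = dict(args, customer=customer_id)
    try:
        rows = db.execute(sql, params).fetchall()
    except sqlite3.Error:
        # Database error text names tables and columns, so it is never relayed.
        return {"ok": False, "error": "request failed"}
    return {"ok": True, "rows": [dict(zip(fields, r)) for r in rows]}

if __name__ == "__main__":
    db = make_db()
    print(handle(db, 10, {"op": "list_orders"}))
    print(handle(db, 10, {"op": "SELECT * FROM t_ord"}))
```

The internal `margin_pct` column and other customers' rows are unreachable because no allow-listed request selects them, which is the property the replies are after.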