
Thread: Confused about security

  1. #1
    Join Date: May 2004
    Posts: 5

    Confused about security

    Hi Guys,

    I have a client with a site with a back end SQL Server database where the users get to input and store medical data which is highly sensitive and personal. The input is all done via SSL pages.

    I am happy with that. However, they want to be able to use the data they are collecting for research purposes and therefore take regular transfers from the web database onto their own in-house SQL Server so that they can create a data mart for analysis.

    They are asking me to do this, but I am concerned about the security aspects because of the sensitivity of the data. How do I get an export of some kind securely to an in-house server?

    Do you think that's the best solution, or would a secure connection to the web database maybe be a better idea?

    I feel a bit out of my depth and would hate to get this wrong!

    For your info the site is written using Classic ASP and is hosted on an IIS server.

    Cheers, David.

  2. #2
    Join Date: Nov 2003
    Location: Jerryville, Tejas
    Posts: 11,715
    Please tell me you don't have that database server ON the Internet. If so your internal users are the least of your problem and the fact that you're using SSL is totally irrelevant.

    As far as giving them research data you could determine what can be used without compromising the sources then either create views of that or (probably better) extract it into their own server for analysis.

  3. #3
    Join Date: May 2004
    Posts: 5
    Thanks for your reply.

    Why do you say that using SSL is irrelevant?

    My client's site is hosted by a company that offers them a SQL Server database as well. They are using this. Do you see that as a problem?
    I am assuming (maybe incorrectly) that it is patched/locked down enough. The idea of the SSL obviously is to encrypt the data stream as it goes from client to server. Isn't that enough?

    As far as the datamart is concerned, yes, I want to extract it to put it on their own server. It's getting this extract to the server I am concerned about. Whatever the solution, it's got to be something I can package up and automate somehow.

    David.

  4. #4
    Join Date: Feb 2003
    Location: Britain
    Posts: 1,335
    The reason he says SSL is irrelevant is that you didn't mention whether you are storing it encrypted. If you aren't, the most likely 'leak' is from someone with access to the database itself.

  5. #5
    Join Date: May 2004
    Posts: 5
    I need to check that. I didn't set up the current configuration.

    For argument's sake, let's say that the data is stored encrypted within the database itself.

    How do I go about securely transferring any data that I extract from the database?

  6. #6
    Join Date: Feb 2003
    Location: Britain
    Posts: 1,335
    Why can't you just download it on an HTTPS link, or download it in its encrypted form from the database and decrypt it on receipt?

  7. #7
    Join Date: May 2004
    Posts: 5
    I had not considered the extract it encrypted and decrypt it at the other end idea.

    I have no idea how to do that, but it's given me an avenue to investigate at least. Thanks

  8. #8
    Join Date: Nov 2003
    Location: Jerryville, Tejas
    Posts: 11,715
    > Why do you say that using SSL is irrelevant?

    Because SSL doesn't protect the database queries, just the web pages.

    > My client's site is hosted by a company that offers them a SQL server database as well. They are using this. Do you see that as a problem?

    Absolutely. If this data is so critical that they hesitate to give their own employees full access to it then why are they trusting some hosting company's employees with it?

    > I am assuming (maybe incorrectly) that it is patched/locked down enough.

    First, that's a BIG assumption that should be backed up by BIG payments or BIG lawsuits if it proves untrue. Guess what, YOUR company is legally responsible for that data's safekeeping, not the hosting company.

    > The idea of the SSL obviously is to encrypt the data stream as it goes from client to server. Isn't that enough?

    SSL isn't protecting the data stream between the application and database server at all. It's encrypting the stream between the application and the browser.

    > As far as the datamart is concerned, yes I want to extract it to put it on their own server. It's getting this extract to the server I am concerned about. Whatever the solution, it's got to be something I can package up and automate somehow.

    As cijori said, the database may be able to encrypt its traffic during a replication cycle. Replication can be automated in various ways. You need to get a good SQL Server consultant in to go over the possibilities with you.
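
The distinction drawn in post #8, that HTTPS on the pages covers the browser-to-application hop and not the application-to-database hop, can be checked from the connection strings the site and any export job use. The following is an added example, not code from any poster in this thread: it flags strings that leave the database hop unencrypted or skip certificate validation. `Encrypt` and `TrustServerCertificate` are the keywords of Microsoft's ODBC and SqlClient drivers; the host, database name and sample strings are constructed.

```python
import re

TRUTHY = {"yes", "true", "1"}
ENCRYPT_ON = TRUTHY | {"mandatory", "strict"}  # mode names used by newer drivers

# key=value pairs; a value may be wrapped in {braces} and then contain ';'
PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*)")


def parse_conn_string(conn):
    """Return the keywords of a connection string as a dict.

    Keys are lower-cased with spaces removed, so 'Trust Server Certificate'
    and 'TrustServerCertificate' land on the same entry.
    """
    return {re.sub(r"\s+", "", k).lower(): v.strip().lower()
            for k, v in PAIR.findall(conn)}


def audit(conn):
    """List what is wrong with the application-to-database hop."""
    fields = parse_conn_string(conn)
    findings = []
    # Require an explicit setting; older drivers default to no encryption.
    if fields.get("encrypt", "") not in ENCRYPT_ON:
        findings.append("Encrypt is missing or off: queries and results "
                        "may cross the network in clear")
    if fields.get("trustservercertificate", "") in TRUTHY:
        findings.append("TrustServerCertificate is on: the server's "
                        "certificate is not validated")
    return findings


# Constructed sample strings (host and database name are placeholders).
BASE = ("Driver={ODBC Driver 17 for SQL Server};Server=db.example.internal;"
        "Database=clinic;Trusted_Connection=yes;")
SAMPLES = {
    "web application": BASE,
    "export job": BASE + "Encrypt=yes;TrustServerCertificate=yes;",
    "hardened": BASE + "Encrypt=yes;TrustServerCertificate=no;",
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, "->", audit(conn) or "ok")
```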
