Internet requirements set the stage for new database security designs

Security in the Internet age is a two-way street: Agencies need to respect confidentiality while resisting unauthorized access.

With regard to databases, this manifests itself in several ways.

One strategy, called defense in depth, moves vital data as far as possible from access points. A typical arrangement uses intermediate databases to stage data, particularly data from legacy systems. In such a system, users have access to the front-end database and, through that database, can make queries of back-end systems. But they cannot directly access or modify those back-end systems.


The approach kills two birds with one stone. Staging the data from an intermediate server is simpler than rewriting your mainframe application for Web access. And the separation of the accessible data server from the inaccessible data store adds security.
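The staging arrangement described above can be sketched as follows. This is an added example, not code from the article or from any agency system: SQLite stands in for both databases, and the table names, sample records and the choice of which columns to stage are assumptions.

```python
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample records standing in for a legacy back-end system.
BACKEND_ROWS = [
    (1, "Alice Example", "000-00-0001", "Region 4", "open"),
    (2, "Bob Sample", "000-00-0002", "Region 7", "closed"),
]

def build_backend():
    """Back-end store: full records, never handed to users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cases (id INTEGER PRIMARY KEY, name TEXT,"
               " ssn TEXT, region TEXT, status TEXT)")
    db.executemany("INSERT INTO cases VALUES (?,?,?,?,?)", BACKEND_ROWS)
    db.commit()
    return db

def stage(backend, path):
    """Staging job: the only code that touches both databases.
    Assumption: the front end needs only id, region and status."""
    front = sqlite3.connect(path)
    front.execute("CREATE TABLE cases_public (id INTEGER PRIMARY KEY,"
                  " region TEXT, status TEXT)")
    rows = backend.execute("SELECT id, region, status FROM cases").fetchall()
    front.executemany("INSERT INTO cases_public VALUES (?,?,?)", rows)
    front.commit()
    front.close()

def open_frontend(path):
    """User-facing handle: read-only, and it never sees the back end."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)

def demo():
    backend = build_backend()
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "frontend.db"
        stage(backend, path)
        user = open_frontend(path)
        cols = [c[1] for c in user.execute("PRAGMA table_info(cases_public)")]
        rows = user.execute("SELECT * FROM cases_public ORDER BY id").fetchall()
        try:
            user.execute("UPDATE cases_public SET status = 'open'")
            write_blocked = False
        except sqlite3.OperationalError:  # read-only handle rejects writes
            write_blocked = True
        user.close()
    return cols, rows, write_blocked
```

In a production deployment the same separation would be enforced with distinct database accounts and network placement rather than file modes.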

Wild data

Mobile workers present another security concern. While supporting field personnel with chunks of database data, don't forget that the data is now out in the wild. You must take appropriate encryption precautions to keep that data secure and confidential, but these procedures should not interfere unduly with replicating the data to and from the mobile user.

Of course, databases themselves have a variety of security features, including internal encryption and authentication of users. Government databases must often have a National Security Agency rating of C2 or above, C2 being the minimum rating required by most government agencies.

Most of the major databases do have a C2 rating, including versions of IBM DB2 and those from Informix Corp., Oracle Corp. and Sybase Corp. And some versions of Informix, Oracle and Sybase databases have earned the more stringent B1 rating.

The situation for Microsoft Corp. products is a little more complicated. Windows NT 4.0 has the C2 rating, but the company's SQL Server does not.


"Because of the tight relationship between NT and SQL Server, Microsoft had felt that it wasn't necessary to pursue the C2 rating," said Karen Watterson, editor of SQL Server Professional. But Microsoft recently announced that it is submitting SQL Server 7.0 to Science Applications International Corp. for C2 evaluation.


Edmund X. DeJesus
