Internet requirements set the stage for new database security designs

Security in the Internet age is a two-way street: Agencies need to respect confidentiality while resisting unauthorized access.

With regard to databases, this manifests itself in several ways.

One strategy, called defense in depth, moves vital data as far as possible from access points. A typical arrangement uses intermediate databases to stage data, particularly data from legacy systems. In such a system, users have access to the front-end database and, through that database, can make queries of back-end systems. But they cannot directly access or modify those back-end systems.

The approach kills two birds with one stone. Staging the data from an intermediate server is simpler than rewriting your mainframe application for Web access. And the separation of the accessible data server from the inaccessible data store adds security.

Wild data

Mobile workers present another security concern. While supporting field personnel with chunks of database data, don't forget that the data is now out in the wild. You must take appropriate encryption precautions to keep that data secure and confidential, but these procedures should not interfere unduly with replicating the data to and from the mobile user.

Of course, databases themselves have a variety of security features, including internal encryption and authentication of users. Government databases must often have a National Security Agency rating of C2 or above, C2 being the minimum rating required by most government agencies.

Most of the major databases do have a C2 rating, including versions of IBM DB2 and those from Informix Corp., Oracle Corp. and Sybase Corp. And some versions of Informix, Oracle and Sybase databases have earned the more stringent B1 rating.

The situation for Microsoft Corp. products is a little more complicated. Windows NT 4.0 has the C2 rating, but the company's SQL Server does not.

"Because of the tight relationship between NT and SQL Server, Microsoft had felt that it wasn't necessary to pursue the C2 rating," said Karen Watterson, editor of SQL Server Professional. But Microsoft recently announced that it is submitting SQL Server 7.0 to Science Applications International Corp. for C2 evaluation.

- Edmund X. DeJesus

