Internet requirements set the stage for new database security designs

Security in the Internet age is a two-way street: Agencies need to respect confidentiality while resisting unauthorized access.

With regard to databases, this manifests itself in several ways.

One strategy, called defense in depth, moves vital data as far as possible from access points. A typical arrangement uses intermediate databases to stage data, particularly data from legacy systems. In such a system, users have access to the front-end database and, through that database, can make queries of back-end systems. But they cannot directly access or modify those back-end systems.

The approach kills two birds with one stone. Staging data from an intermediate server is simpler than rewriting your mainframe application for Web access. The separation of the accessible data server from the inaccessible data store adds security.

Wild data

Mobile workers present another security concern. While supporting field personnel with chunks of database data, don't forget that the data is now out in the wild. You must take appropriate encryption precautions to keep that data secure and confidential, but these procedures should not interfere unduly with replicating the data to and from the mobile user.

Of course, databases themselves have a variety of security features, including internal encryption and authentication of users. Government databases often must have a National Security Agency rating of C2 or above, C2 being the minimum rating required by most government agencies.

Most of the major databases do have a C2 rating, including versions of IBM DB2 and those from Informix Corp., Oracle Corp. and Sybase Corp. And some versions of Informix, Oracle and Sybase databases have earned the more stringent B1 rating.

The situation for Microsoft Corp. products is a little more complicated. Windows NT 4.0 has the C2 rating, but the company's SQL Server does not.

"Because of the tight relationship between NT and SQL Server, Microsoft had felt that it wasn't necessary to pursue the C2 rating," said Karen Watterson, a consultant and principal of the Watterson Database Group of San Diego. But Microsoft recently announced that it is submitting SQL Server 7.0 to Science Applications International Corp. for C2 evaluation.

- Edmund X. DeJesus
