Subject advice re securing a database
Author martin
hi there

we develop a software package (with a Firebird backend) for external clients. but we also use this software internally.

I am being asked to secure our internal database so that the developers cannot have free rein over it. this is because management want to store sensitive data inside with confidence.

the problem I have is that the SYSDBA connection credentials are held within our application codebase in order for the app to connect to the database etc.

I've been trying to think through this problem and have come up with a couple of solutions:

1) Somehow restrict access to the database at a Windows file system level, so that even if the developers know the password they will have no read/write access to the database. but I am thinking that if port 3050 is open they could just gain access via an SQL client such as IBExpert etc? (this would be the best, least impact solution)

2) Change the Firebird user which the application uses to connect from SYSDBA to a new custom user that somehow restricts viewing of data??? (I don't even know if this is possible)

3) Change the SYSDBA password and encrypt it with some salt so that the developers have no idea what the password is. (not great, as this would mean changing a lot of code on our part etc.)

I was wondering if anybody could offer some advice, thanks