Hi all,
I am tasked with a general problem to come up with scenarios and possible preventive measures to take for the database of our product.
Our product could be installed in a server environment managed by an IT department or on laptops for field inspectors. So I need to come up with ways that our data could be compromised and possible steps to take to prevent it.
Scenario 1: Laptop on which SQL Server is installed is stolen.
Scenario 2: Database file is stolen
Scenario 3: Since the OS logins on laptops could be admins, they could use Trusted Connection (-E) to connect to the database and compromise data. When the field inspectors are not paying attention, after logging in, someone could connect to the database and compromise/alter the data.
Scenario 4: .....
What could be done to prevent this or make it harder to break in?
Possible solutions:
Encrypt the table data
Use DDL triggers to prevent direct connection to database from command prompt or SSMS
Only allow connections from the application account and from web server
....
Please share some info or point at an article that talks about this.
thanks a lot,
_UB
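
One way to express the "only allow connections from the application account and from web server" idea in the post above is a SQL Server logon trigger. This is an added example, not part of the original post; the trigger name, the login `app_svc` and the address `10.0.0.15` are hypothetical placeholders.

```sql
-- Added example (not from the original post). Hypothetical names:
--   trg_restrict_logins : trigger name
--   app_svc             : the application's SQL Server login
--   10.0.0.15           : the web server's address
USE master;
GO

CREATE TRIGGER trg_restrict_logins
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- ClientHost is '<local machine>' for local connections,
    -- otherwise the client's network address.
    DECLARE @host  nvarchar(48) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(48)');
    DECLARE @login sysname = ORIGINAL_LOGIN();

    -- Keep sysadmin access so a mistake in this trigger cannot lock
    -- everyone out. For scenario 3 this only helps if the laptop's
    -- Windows users and groups are NOT members of sysadmin.
    IF IS_SRVROLEMEMBER('sysadmin') = 1
        RETURN;

    -- Allow only the application login, and only from the local
    -- machine (laptop install) or the web server (server install).
    IF @login = N'app_svc'
       AND @host IN (N'<local machine>', N'10.0.0.15')
        RETURN;

    -- Anything else: record it in the SQL Server error log and
    -- refuse the connection by rolling back the logon.
    PRINT 'Logon refused for ' + @login + ' from ' + ISNULL(@host, 'unknown host');
    ROLLBACK;
END;
GO

-- To remove the restriction (run as a sysadmin):
-- DISABLE TRIGGER trg_restrict_logins ON ALL SERVER;
```

A logon trigger restricts which logins can open a session; it does not protect against someone with administrative control of the host operating system, and it does nothing for a stolen laptop or database file (scenarios 1 and 2), which call for encryption at rest.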