Question: Secure the access or secure the content?
Abstract: This seems an easy question, but I have not found a proper answer yet… Feel free to give your answer and a little justification.
The complete question is:
What should I secure? The access to the resources, or the content of the resources?
Securing the access means controlling who sees the resources, in terms of who can read files, databases, etc.
Securing the content means encrypting the file content or the data inside databases, so everybody can read it but only a few can understand it.
While you think of a response:
- There is an application, let’s say, an ASP.NET application.
- Then there is IIS authentication, let’s say, Windows Integrated Authentication.
- Then there are .NET Framework Code Access Security settings, let’s say, system administrators configuring execution permissions for the assembly.
- Then there is more Code Access Security (the developer’s), so the .NET assembly declaratively asks for read permission on a resource file.
- Then there is the resource file, encrypted, of course, which stores a connection string.
- Then there is a connection to a database engine, with a user/password challenge for authentication.
- Then there is database authorization, granting access to a specific database object.
- Then there is a query that returns an encrypted column (lovely Yukon).
- Then there is a database-level encryption user key, using a password or passphrase provided by the user, so the executing assembly can read the column data.
- So the column data goes in the clear to the assembly, which returns the information to IIS to be returned to the human being at the other side of the network. Of course IIS uses an HTTPS connection, beware of hackers…
Back to the question... Encrypt files or protect them from being read? Or both? Most important: why?
Comments
Anonymous
May 13, 2005
Why, both of course. I guess this is going to depend on what kind of information you are securing. But if you want it protected from prying eyes it must be both. Why? Access to the resources. This should be as secure as possible. If they cannot get to it on a live running machine then it is secure. But what happens if they do get to it? And what about when the data isn't on your machine? You do make backups. What happens to the backups? Where are they stored? Who has access to them?
See this article for a good read on why you should encrypt files; learn from others' mistakes.
http://www.computerworld.com/printthis/2005/0,4814,101589,00.html
I also would recommend two other things if you have questions on security.
1) Subscribe to the SANS Weekly Newsbytes security news. You will see mistakes made in security weekly from all over the world. http://www.sans.org/ I actually look forward to this weekly email since I have been receiving it for the last several years.
2) Bruce Schneier Security blog, always an interesting read. http://www.schneier.com/blog/
Anonymous
February 22, 2006
The blog is very useful.