Re: Modifying SQL query for security?? What is your opinion?
Date: 1996/11/28
Message-ID: <57k2s5$3f0_at_gcsin3.geccs.gecm.com>
sandor.laza_at_opcw.nl wrote:
[snip]
>Our real challenge which is the following:
>
>I am working for the Organisation for the Prohibition of Chemical
>Weapons (UN)
>
>We have to store Chemical Weapon Production Facility data in an RDBMS.
>(Currently we have Ingres and Sybase in place)
>It is obvious, this data is highly confidential.
>
>When an inspector team needs to inspect a facility, they have to
>have access to all the facility-related records, but nothing else.
>In practical terms, we have to implement row level security
>for numerous tables.
>
>The simplest solution would be the use of trusted products
>(Trusted Solaris, Trusted Oracle etc.), which
>can provide this functionality, but porting the existing applications
>to the trusted environment would cost 500.000 dollars.
[whinge mode on]
The *simplest* solution would be database triggers on select statements
that replaced the critical parts with nulls or blanks. Unfortunately some
relational "guru" decided that triggers on select statements are a "bad
thing" so you're not allowed to have them.
(Someone please tell me that this has changed in the latest version of OI)
[whinge mode off]
>I think the cost of implementing the query modification,
>by rewriting the SQL parser, is in the same category too. Or not?
Very probably.
>In the new developments, we can implement this feature, but what
>can we do with the legacy applications? Reengineering?
>
>I think the simplest solution would be reengineering the
>existing applications and implementing the security with views and
>stored procedures.
Don't forget that you can use roles as well.
>But what about the third party applications where we do not have the source?
Hmmm. You'll probably end up considering these on a case-by-case basis. Suffice to say that there is no simple solution.
Regards,
Bruce Horrocks
EASAMS Limited (...but speaking for myself)
Waters Edge, Riverside Way, Watchmoor Park, Camberley, Surrey, GU15 3PD, UK
Tel: +44 1276 686777
Tel: +44 1276 693043 (direct)
Fax: +44 1276 686623
X400: S=HORROCKS,G=BRUCE,I=B,O=EASAMS LTD,P=GEC MARCONI,A=ATTMAIL,C=GB
Mailto:Bruce.Horrocks_at_gecm.com
Received on Thu Nov 28 1996 - 00:00:00 CET
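The "views plus stored procedures plus roles" approach the reply recommends for row-level security, written out as an added example. This is not code from either poster; the table and column names, the `inspector_role` role and the `sandor` login are assumptions made for illustration, and the SQL is kept to the portable SQL-92 spelling (`CURRENT_USER`, `CURRENT_DATE`). On Sybase the session login is `suser_name()` and on Ingres `dbmsinfo('session_user')`, so those two calls would need swapping in.

```sql
-- Added example: row-level security through a filtered view, a mapping
-- table and a role. Names below are assumptions, not from the thread.

-- Base table holding the confidential facility records.
CREATE TABLE facility (
    facility_id   INTEGER      NOT NULL PRIMARY KEY,
    name          VARCHAR(80)  NOT NULL,
    declared_data VARCHAR(255) NOT NULL
);

-- Who may see which facility, and for how long. Only the security
-- officer has write access to this table; it is the whole policy.
CREATE TABLE inspection_assignment (
    facility_id INTEGER     NOT NULL REFERENCES facility(facility_id),
    inspector   VARCHAR(32) NOT NULL,   -- database login name
    valid_from  DATE        NOT NULL,
    valid_to    DATE        NOT NULL,
    PRIMARY KEY (facility_id, inspector)
);

-- The view is the only path to the data for inspectors. The WHERE
-- clause is evaluated against the current session's login, so every
-- inspector running the same "SELECT *" sees a different row set.
CREATE VIEW facility_for_inspector AS
SELECT f.facility_id, f.name, f.declared_data
  FROM facility f
  JOIN inspection_assignment a ON a.facility_id = f.facility_id
 WHERE a.inspector = CURRENT_USER
   AND CURRENT_DATE BETWEEN a.valid_from AND a.valid_to;

-- Roles: inspectors are granted the view only, never the base tables.
-- Revoking PUBLIC first matters; a grant on the view does nothing if
-- the base table is still world-readable.
CREATE ROLE inspector_role;
REVOKE ALL ON facility FROM PUBLIC;
REVOKE ALL ON inspection_assignment FROM PUBLIC;
GRANT SELECT ON facility_for_inspector TO inspector_role;
GRANT inspector_role TO sandor;   -- hypothetical inspector login

-- Constructed sample data to exercise the view.
INSERT INTO facility VALUES (1, 'Site A', 'production line, declared 1995');
INSERT INTO facility VALUES (2, 'Site B', 'storage bunker, declared 1996');
INSERT INTO inspection_assignment
     VALUES (1, 'sandor', DATE '1996-11-01', DATE '1996-12-31');

-- Connected as sandor: returns Site A only. Site B is filtered out,
-- and "SELECT * FROM facility" is refused outright.
SELECT * FROM facility_for_inspector;
```

Two practical points follow from this shape. First, a view over a join is generally not updatable, so inserts and updates by inspectors go through stored procedures that re-check the assignment table before writing; that is where the "stored procedures" half of the suggestion comes in. Second, an existing application that names the base table can often be pointed at the view without source changes by renaming the base table and creating the view under the old name, which is the usual first thing to try before reengineering a third-party application whose source is not available. Neither point is a substitute for checking every grant path to the base table, including ownership and any dba-level logins the legacy applications connect with.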