Re: Need to create a highly secured database

From: Richard D. Latham <lathamr_at_vnet.ibm.com>
Date: 1997/01/07
Message-ID: <32D28858.167E_at_vnet.ibm.com>#1/1

Renaud LAFFONT wrote:
>
> Hello
>
> I'm looking to create a database.
>
> Here's the specs :
>
> - There will be a small number (20-30) of large records (lots of fields).
>
> - This will be highly secure. There should be a table with every user and
> authorized level. Users will be identified by login and/or password.
> Some will have access to all records, some will have access to a limited
> number of records. Within these records some information will not be
> available to all levels. For each file, access control will be coded by
> organization (departments, administration) and level (salesman, middle
> management, top management). The access control should, of course, be easy
> to modify and maintain.
>
> I'm either looking for a database software that has these access control
> features built-in or for some sort of plug-in for an existing database
> product. Our company is currrently using Access but this database will run
> on a NT server for Intranet use and queries will be made through HTML so
> this is not an issue.
>
> If someone has a similar experience, please contact me.
>
> Renaud Laffont
> baker_at_lac.gulliver.fr

I don't know whether this fits the bill exactly, but depending on the stength of security required, and other operational goodies, you might consider whether Domino (the latest release of Lotus Notes) will satisfy your needs.

The security comment is mainly becuase I'm assuming from your domain name that you are in France, and the International releases of Notes don't have the same security strength as the U.S. version.

Working from (usually not so good) memory, the latest international releases of Notes encrypt some number of bits of the key used to encrypt a message/field in the message under a key only available to "U.S. national security agencies" ... i.e. the N.S.A. This effectively reduces the strength of encryption from 128 bits to ~40 bits .

You can get many different (and probably more enlightened and accurate) opinions about how resistant to attack these key lengths are. The cryptoweenies hang out in sci.crypt ... the general consensus seems to be that 40 bits can be broken by just about anybody who _really_ cares and doesn't mind spending a few days/weeks ... but 128 bits is generally presumed to be strong enough resist decryption attacks from even nation/states.

If the NSA reading your fields is a concern, I'd say that the International version of Notes is not for you .:-) Perhaps a good security consultant could help you by reviewing (or creating) a threat analysis, and give you some more objective criteria for determining what level of encryption is "good enough".

While my sig points this out, I want to reiterate that the above commentary is my own personal opinion, and does not necessarily reflect the views of my employer, IBM .

(Insert YMMV, void where prohibited, and other legal handwaving disclaimers here, flavor, and simmer until a golden brown).

-- 
#include  <disclaimer.std>    /* I don't speak for IBM ...           */
                              /* Heck, I don't even speak for myself */
                              /* Don't beleive me ? Ask my wife :-)  */
Richard D. Latham   lathamr_at_vnet.ibm.com

Received on Tue Jan 07 1997 - 00:00:00 CET

This message: [ Message body ]
Next message: Beegee: "Help - need Oracle classes"
Previous message: jmj22026_at_glaxowellcome.com: "Re: Need to create a highly secured database"
In reply to: Renaud LAFFONT: "Need to create a highly secured database"
In reply to Renaud LAFFONT: "Need to create a highly secured database"
Next in thread: Gary Lawrence Murphy: "Re: Benchmarking Sybase and Oracle? (No flame wars please)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message