Data Encryption

majhl

My boss today raised the thorny issue of data encryption. Normally I develop in Access and am aware that I could use workgroup security. But I've had some bad experiences with this in the past.

I've recently been investigating switching to Access ADP with SQL Server back-end databases. So my question is about encryption of data in SQL Server 2005 and how/if it would work with an Access ADP. Does anyone have any experience of this? Any web resources out there? Thoughts, suggestions?

Any help gratefully received.
 
First question would be "Why do you want to encrypt it?", with a follow up "What threats are we worried about?"

Are we talking about an external hacker breaking and gaining access to confidential data, a rogue employee sharing trade secrets or just to keep wrong people out?

The answers will greatly influence how such security is to be implemented.
 

Thanks very much for your reply Banana.

Why encrypt? It's a legal requirement (or will become a legal requirement in the future). The data contains personal information/medical records etc.

Threats? We're mostly worried about external threats - i.e. keeping out undesirables. The rogue employee thing is not really an issue.
 
If it's mostly external, and all of your data entry and reporting are done within the office LAN, then encryption is most likely a wrong solution and would only eat away at performance for no gain, as you would rely on network security to keep people outside the LAN out.

Of course, if you do have remote offices or more than one office LAN, it does get complicated, but this still doesn't quite warrant the need for encryption; securing the line using SSL, SSH, VPN, or similar is the correct solution in the simple case of two remote offices needing to connect to a common server.

This may be moot, however, if you are in fact, or are going to be, legally required to encrypt your data, even though the legal requirement may not in fact be the correct answer to securing the data. See if the above two I just suggested are sufficient to meet the requirement. FWIW, I worked for a company that was obliged to adhere to HIPAA as well as the state government's IT policy, and they were content with just securing the network and the lines for WAN connections. This may or may not be the case with yours, though.

Assuming that encryption is a definite requirement, the first thing I'd note is that Access's built-in encryption is a nonstarter because it stores the key inside the file, so it's a matter of looking under the doormat or the nearby statue to get the key to the front door.

SQL Server already provides you with better security management because you now have a daemon to manage the file access and nobody else can have rights to the mdf files. I'm not sufficiently experienced with SS to tell you if its encryption mechanism is sufficient for your task or if you may have to roll out your own algorithm (which if you look around can be found either for free or for a fee).

I wouldn't bother with ADP, mainly because it has not been updated for a while, is limited in contrast to MDB/ACCDB, and any functionality it provides is usually best done in the native SS tools such as SSMS. MDB or ACCDB with SS as the backend is certainly a step in the right direction if you do need the data to be encrypted, though.

HTH.
 
Thanks again to Banana and SQL_Hell for the suggestions. Much appreciated.
 
