hi!

On Feb 20, 2009, at 3:02 PM, MARK CALLAGHAN wrote:

Has anyone here undergone an audit for 'web app' personal data?
In such an audit has access control at the app server been sufficient?
Are managers at such a company comfortable that anyone (such as a
disgruntled employee) with access to the db can read all customer
data?


the problem really comes down to:
if any part of the app needs access to certain data, certain people will have access to the data (because there must be some way to access the username/password combination) otherwise it's useless. "certain people" depends on the size of the organization, i guess. in my experience it means either a) devs or b) DBAs. or both for small companies. outside of those two groups, people don't generally have access to the systems (accounting, marketing or other "business" folks).

in my past, yes access control at the app layer was sufficient to be considered "safe" by external auditors, but of course i have no idea of what standard was used to determine safety by the auditor. we had to sign NDAs and other agreements to mitigate the fallout in case of abuse, this was in accordance to german laws, though i suspect much of it would hold up in all of the EU. not sure about the US.

in my experience, pretty much all bets are off once an attacker makes it inside the network. too many vectors of attack open themselves, and if he/she is smart about it, chances are they will find the first username/password combination to unravel the security chain. then again, you can make it really hard at the expense of, well, expense. i know of only very few places that actually take it this far, though (google might of course be one of them, for all i know). most web shops i'm familiar with (either by first or second hand knowledge) aren't secure at all once you gain access to the actual systems. laziness and lack of experience usually leaves all doors open on the inside, no amount of access control in the DB will help in this scenario, obviously. the old and rather lame statement applies: the weakest link determines the strength of the chain.

to bring this slightly back on topic: if drizzle intends to be run in reasonably secure environments where you can control who has access _and_ you trust the people involved (devs, dbas) then it does not need to concern itself with internal access control. i'm not yet convinced that it is a realistic assumption, but if people are willing to sacrifice security for speed, then let them. the only point that makes me nervous is that ripping out access control from the entire server code will make it nearly impossible to add it back later. unless of course you don't rip it out but replace it with stubs that call no-ops in the default - still representing a cost, but a hugely decreased one. there you go, another api and plugin opportunity :)

cheers,
-k
--
Kay Roepke
Software Engineer, MySQL Enterprise Tools

Sun Microsystems GmbH    Sonnenallee 1, DE-85551 Kirchheim-Heimstetten
Geschaeftsfuehrer: Thomas Schroeder, Wolfang Engels, Dr. Roland Boemer
Vorsitz d. Aufs.rat.: Martin Haering                    HRB MUC 161028


_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

Reply via email to