how to secure database from data mining and web extractor softwares?

Question

0.00/5 (No votes)

See more:

Hello everyone,

I am entrusted a task where I need to make sure that my new project's database should not get extracted by any of the data mining or data extractor software or a sql query. I want to explore and have some ideas and concrete solution for database theft proofing and protection.

Is there any code which can disable all the software or queries and commands to access and record or extract the data from the database?

If there is not such code then what are other alternatives to restrict data extractors to pull the data from the database?

Please share your view quickly.

Thanks in advance.

Posted 12-Apr-13 0:33am

winners6

Updated 12-Apr-13 3:39am

v2

Add a Solution

Comments

Prasad Khandekar 12-Apr-13 6:43am

The very important thing to make this happen is to secure your database user credentials. At leat I am not aware of any possible means to restrict clients from connecting to a database with valid credentials. Within a database you can restrict a particular user from doing certain things such as access to set of tables, proc/function execution etc.

Regarding your question Is there any code which can disable all the software or queries and commands to access and record or extract the data from the database? Well if you do so then your own software will render useless as it won't be able to connect to the database.

Regards,

GregWyatt 12-Apr-13 16:56pm

What database are you planning on using? Each database has its own security features, so that information may be relevant for more useful suggestions.

Regarding the idea of limiting any quereies etc to the database I agree with Prasad that if that were done your own software would be unable to access it. A semi solution though would be to use the servers firewall to restrict which IPs can access the database server. The DBMS may offer this as well depending on what it is. My company restricts DB access on the production server to the IP of the production IIS. You may be able to implement something simliar.

winners6 13-Apr-13 1:00am

I am planning to use MS SQL DB. And I want to restrict outsiders and competitors to extract my data from my application. I am only concerned about my data which I have developed and created on my own by my tiresome efforts of over the years. But the point which you raised that my own software would be unable to access it, does not sound to be true because my software would have the privilege of ownership or Admin Power.

This has become really a big concern for we all. Anyways, what would you suggest to resolve this problem.

GregWyatt 14-Apr-13 20:28pm

I guess I don't really understand what your entire setup is going to be. Will you have a DB on its own Server and a client application will be accessing the server? or will websites from another server be accessing it? Without knowing all of the factors it is a little hard to make any meaningful suggestion. Only people with valid connections are going to be able to connect to the database. So if no one knows your credentials and it isn't shared then in theory no one would ever be able to access your data. Other methods like using the servers firewall to restrict the IPs that can access the server that the database server is on could also be used. Or are you worried about your server being hacked and someone stealing your data directly?

winners6 15-Apr-13 6:27am

Hi GregWyatt,
Thanks for the reply. I have a website where I have a huge database associated with it and which is hosted on shared hosting by a hosting company and the website is exposed to the entire world. My big concern is this that my DB may get extracted by some software or individuals or by my competitors. I want simply to protect my DB from data extraction from the entire world.

So suggest me how to protect my DB associated with my website which is online from the professional extractors or competitors.

GregWyatt 15-Apr-13 8:27am

You could have some unique setup on your website that I'm unaware of, but if it is a typical setup you most likely will not need to worry about the particular issue you are talking about. This is because your website acts as a layer of abstraction concerning access to the database. If you site is valunerable to SQL injection than you could be at risk for someone getting your data. Otherwise, a person will only be able to retrieve what your website allows them to.

Other potential issues not related to your initial questions are things like:
-People obtaining the connection string to the db, if they have that they can take what they want.
-People hacking the website server. They could access your websites file and if your db connection string is in plain text than they would be able to extract it. .Net allows for the encryption of such important information in connection strings.
-People hack your db server. They could access your files directly. Some of the solutions people suggested to encrypt the data would solve these issues.
-One of the most common exploits used to access webserver is improperlly configured firewall, ftp, etc.. settings. (i.e. If anonymous users are allowed to access your site through ftp your server will typically be compromised at some point)
-There are probably more, but these are the only things coming to mind right now.

Hope this helps.

GregWyatt 15-Apr-13 11:57am

I had another suggestion I wanted to throw out there, that is completely dependent upon your circumstances. You could contract a security expert for a few days work that would probably cost a few thousand dollars. They should be able to identify all of the potential issues and give you an expert opinion about how to fix it. I only say this because security is an extremely tricky thing, one that you will most likely messup if its your first time doing it(at least I did the first time). But again this will depend on your situation and if you are able. If the data is really that important to you, this may be the best solution to give you piece of mind.

3 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Mike Meinz · Answer 1 · 2013-04-14T15:16:00

Solution 1

Encrypt the data!

The .NET Framework has crypto classes that you can use to encrypt and decrypt data as you put it into and retrieve it from the database.

Posted 14-Apr-13 15:16pm

Mike Meinz

Updated 14-Apr-13 15:24pm

v2

Comments

Hari Om Prakash Sharma 14-Apr-13 23:55pm

But there will be a problem of doing operation on database data I mean if data is encrypted in the database how to identify the original data during operation like searching a specific content. If we decrypt before any operation on the data then performance will decrease alot. Or else we can have Homomorphic encryption so that we can process directly on encrypted data.

Mike Meinz 15-Apr-13 7:01am

See Securing ADO.NET Applications.

From Microsoft documentation:
Cryptography and Hash Codes
The classes in the .NET Framework System.Security.Cryptography namespace can be used from your ADO.NET applications to prevent data from being read or modified by unauthorized third parties.

You do not need to encrypt all of your data. Encrypt enough of it so that the plain text part of your data would not be useful. Leave enough of your data in plain text to facilitate SQL Where clauses. Performance is not as much of an issue these days with the speed of the processors.

AnotherKen · Answer 2 · 2013-04-14T20:51:00

One solution is to set up this database on a computer that is not connected to the internet. (You may even limit it's connectivity locally within your company.) Or, if it absolutely needs to be connected with customers, you could use leased lines instead of the internet for your connectivity. Further security can be implemented in the form of black-box technology which is basically a hardware encryption/decryption device that does it's work so fast your client will never notice the difference, though they would have to have such a device at their end also.

If the computer in question absolutely has to be internet connected then you will never have a security solution that will be 100% dependable. A sideways approach would be to use a program like TrueCrypt to encrypt your entire hard-drive. This would at least discourage the more lazy of the hackers out there.

Even another solution is to get yourself a external hard-drive that you can simply have un-plugged when you do not need the database. When you do.. just drop your internet connectivity, connect the drive and access your db. This still has the vulnerability to trojan hacks, but if you are careful then most hackers may never even know you are hiding your database that way.

AnotherKen · Answer 3 · 2013-04-15T16:29:00

Well, from what little I know, it seems that you may want to go with symmetric encryption, AES would be less of a performance hit and RSA could be stronger. Both are relatively strong as far as I know. You could encrypt all sensitive data and provide the decryption keys to the clients who have valid access to that data. The keys could be embedded in a client you provide them with that connects to the database and reads the data, decrypts it and then serves it to whatever front-end they are using. You can use different keys for different data-sets to control which clients get access to the decrypted data-sets.

I'd recommend rotating the keys every so often, like every 2 weeks or less. That won't keep hackers away but it might make them go after easier pickings. Every other suggestion I saw seemed helpful one way or another but none will be 100% secure.

how to secure database from data mining and web extractor softwares?

3 solutions

Solution 1

Solution 2

Solution 3

Add your solution here

Preview 0