©Copyright Audit Serve, Inc. 2008 - 2013 All Rights Reserved
Application design issues which cause database management issues

Slide 1 - Database Authentication Approaches: Application ID passed to Database Server from secured middle-tier

Diagram: User WS (three workstations) --> Log onto Application --> Secured Middle Tier (Application Server, Web Server, Citrix Server) --> Pass one application ID (DB ID & Password) --> Database Server

- No database IDs assigned to users
- Where is application ID stored? Is it encrypted?
Slide 2 - Database Authentication Approaches: Application ID passed to Database Server from user's workstation

Diagram: Application Client loaded on user Workstation --> Pass one application ID (DB ID & Password) --> Database Server

- User application logon separate from Application ID
- No database IDs assigned to users
- Where is application ID stored? Is it encrypted?
Slide 3 - Database Authentication Approaches: Direct Database Connection - User's individual ID passed to Database Server by Application Server/Citrix Server

Diagram: User WS (three workstations) --> Log onto Application using individual user database ID --> Application Server --> Pass user's database ID during application processing --> Database Server

- Individual database IDs assigned to users
Slide 4 - Database Authentication Approaches: Direct Database Connection - User's individual ID passed to Database Server from their Workstation

Diagram: Application Client loaded on user Workstation --> Log onto Application using individual user database ID --> Pass user's database ID during application processing --> Database Server

- Individual database IDs assigned to users
Slide 5 - Hidden Secret: Application design issues which cause database management issues

Conditions
- Most developers have knowledge of the Application ID/password
- ID & passwords are coded in clear text within program or ini file
- Can use ID & Password to connect to database and directly update tables
- Access is below OS level security (Distributed Environment only)
- Users are assigned application level logon which is also a database ID which has insert/update access to database tables to allow application to function as required
- Can choose not to logon through application and instead connect directly to database to alter tables
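As an added example that is not part of the deck or of Audit Serve's material: a small Python review script that scans ini-style configuration files for the condition named above, a database credential stored as a clear-text value. The file names, the `APP_ORDERS` login, the passwords and the `${SECRET:...}` reference syntax are all constructed for the example; the script reports which file and key hold a literal credential without echoing the value back into the report.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample ini files (not taken from the deck): one carries a
# clear-text database password, one references an external secret store,
# one has an empty credential field.
SAMPLE_FILES: Dict[str, str] = {
    "legacy_app.ini": """
[database]
server = dbsrv01
user = APP_ORDERS
password = Summer2013!
""",
    "hardened_app.ini": """
[database]
server = dbsrv01
user = APP_ORDERS
password = ${SECRET:db/app_orders}
""",
    "report_tool.ini": """
[connection]
dsn = ReportsDSN
pwd =
""",
}

# Keys that normally hold a credential (configparser lower-cases key names).
CREDENTIAL_KEYS = re.compile(r"^(password|pwd|passwd|secret)$")
# Hypothetical secret-store reference syntax; a value in this form holds no credential.
SECRET_REFERENCE = re.compile(r"^\$\{SECRET:[^}]+\}$")


def find_clear_text_credentials(name: str, content: str) -> List[Tuple[str, str]]:
    """Return (section, key) for each credential key that holds a literal value.

    The value itself is deliberately not returned, so the review output does
    not re-expose the password it found.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(content, source=name)
    findings: List[Tuple[str, str]] = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not CREDENTIAL_KEYS.match(key):
                continue
            value = value.strip()
            if not value or SECRET_REFERENCE.match(value):
                continue  # empty field or a reference resolved at runtime
            findings.append((section, key))
    return findings


def scan(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan a set of ini contents and keep only the files with findings."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for name, content in files.items():
        hits = find_clear_text_credentials(name, content)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_FILES).items():
        for section, key in hits:
            print(f"{name}: [{section}] {key} holds a clear-text credential")
```

Pointing `scan` at real configuration directories is a quick way to inventory where an application ID is still kept in the clear before deciding how it should be protected.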
Slide 6 - Hidden Secret: Application design issues which cause database management issues

Controls used to mitigate risk - Application ID Security Design
- Encrypt password
- IPsec rules on router/firewalls to only allow App server to connect to database server
- Remove all apps from workstations and connect from secured middle-tier
Slide 7 - Hidden Secret: Application design issues which cause database management issues

Controls used to mitigate risk - Application ID Security Design
- Detective review processes which identify when ID is initiated from workstation instead of "controlled" middle-tiers (i.e., Web Server, Application Server, Citrix or Terminal Server) - 3-tier application design only
  - Need to identify IP Address/Machine Name
  - Control breaks down if shared workstation
  - Ability to spoof IP/Machine Name in connection stream (SQL Server - when SQL trace used)
- Database security which only permits users to utilize the access through pre-defined access paths
  - Oracle & SQL Server Application Roles
  - User loses access entitlements when not going through the application
  - Requires coding within application
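The detective review process from the first bullet above, as an added example that is not part of the deck or of Audit Serve's material: a Python review over constructed login records in the shape of a SQL Server session export. It assumes each record carries both the host name the client supplied in the connection stream and the network address the database server itself observed, and it trusts only the latter, which is the caveat the slide raises about spoofed machine names in a trace. The application ID `APP_ORDERS`, the middle-tier host names and all addresses are constructed; the shared-workstation case is reported separately because an address alone cannot identify the person there.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed names and addresses; none of these come from the deck.
APPLICATION_ID = "APP_ORDERS"          # the one shared DB login the application uses
MIDDLE_TIER: Dict[str, str] = {        # approved host name -> address the DB server sees
    "APPSRV01": "10.10.1.21",
    "WEBSRV01": "10.10.1.22",
    "CITRIX01": "10.10.1.30",
}
SHARED_WORKSTATIONS: Set[str] = {"10.10.50.200"}  # training-room PCs with no single owner


@dataclass
class Session:
    login_time: str
    login_name: str
    host_name: str            # supplied by the client in the connection stream, so spoofable
    client_net_address: str   # taken from the network connection by the database server
    program_name: str


@dataclass
class Finding:
    session: Session
    reason: str


# Constructed login records in the shape of a SQL Server session/trace export.
SAMPLE_SESSIONS: List[Session] = [
    Session("2013-03-04 08:01", "APP_ORDERS", "APPSRV01", "10.10.1.21", "OrdersApp"),
    Session("2013-03-04 08:02", "jsmith", "WS0123", "10.10.50.12", "OrdersApp"),
    Session("2013-03-04 08:15", "APP_ORDERS", "WS0123", "10.10.50.12", "Management Studio"),
    Session("2013-03-04 08:20", "APP_ORDERS", "APPSRV01", "10.10.50.77", "OrdersApp"),
    Session("2013-03-04 08:31", "APP_ORDERS", "TRAINPC", "10.10.50.200", "osql"),
]


def review_sessions(sessions: List[Session]) -> List[Finding]:
    """Flag every use of the application ID that did not arrive from the middle tier.

    Applies to a 3-tier design only: when the client is loaded on each
    workstation (slide 2) every workstation is an expected source and there
    is nothing for this review to detect.
    """
    allowed_addresses = set(MIDDLE_TIER.values())
    findings: List[Finding] = []
    for s in sessions:
        if s.login_name.upper() != APPLICATION_ID:
            continue  # individual user IDs are reviewed by a different process
        if s.client_net_address in allowed_addresses:
            continue  # the observed network address, not the host name, is what we trust
        if s.host_name.upper() in MIDDLE_TIER:
            reason = ("middle-tier host name presented from a non-middle-tier address "
                      "(host name does not match its address; possibly spoofed)")
        elif s.client_net_address in SHARED_WORKSTATIONS:
            reason = ("application ID used from a shared workstation; "
                      "the address alone does not identify the person")
        else:
            reason = "application ID used from a workstation instead of the middle tier"
        findings.append(Finding(s, reason))
    return findings


if __name__ == "__main__":
    for f in review_sessions(SAMPLE_SESSIONS):
        s = f.session
        print(f"{s.login_time} {s.host_name}/{s.client_net_address} {s.program_name}: {f.reason}")
```

Run against a daily export, the three findings above are the ones a reviewer would follow up: the workstation connection made with a query tool, the host name that claims to be the application server but comes from a workstation address, and the shared-PC connection that needs another source (badge records, Citrix session logs) to attribute to a person.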