
Thread: Question

  1. #1
    Join Date
    Dec 2004
    Posts
    5

    Question Unanswered: How to secure website data in an Oracle DB?

    Hey

    Hoping someone out there will be willing to share some knowledge with me.

    I'm undertaking a project and what I'm doing is building a website (planning on using ASP.NET with C#) that will be connected to a DB (planning on using Oracle). The site will be storing personal information (people's names, address, phone numbers, user names and passwords) but won't be storing sensitive information (nothing to do with money, credit cards or anything like that). Maybe someone could please give me some information regarding how I can go about securing the stored data in the Oracle DB - does the software provide some functionality for this? Would I be correct in thinking there is no need for securing the data when it's being submitted by a user (e.g. when users are registering their details - name, address, mobile number) as it is not very sensitive information, or is it important to secure data at this stage as well?

    Any feedback would be GREATLY appreciated!! thanks...
    Last edited by maireob; 12-21-04 at 08:01.

  2. #2
    Join Date
    Jun 2004
    Posts
    796
    Provided Answers: 1
    Before we start getting into the detail for this, I for one would consider my name, address, mobile number etc to be sensitive! I would be most upset if I found out that a particular site was not treating this information with confidentiality - think very seriously about securing the data!
    90% of users' problems can be resolved by punching them - the other 10% by switching off their PCs.

  3. #3
    Join Date
    Dec 2004
    Posts
    5
    thanks for replying so quickly
    OK, maybe I should have worded that a bit better. Of course I understand that this is sensitive information - I was trying to underline the fact that it is perhaps not as sensitive as, say, financial/monetary related information which if not secured properly could seriously impact the user. The information that I will be dealing with is information which for the most part would be easy enough for people to find if they wanted (e.g. phone directory). That's not to say that I don't value confidentiality and privacy, and so this is why once I have the data stored I want to ensure that it is kept "safe". So my 2 questions are as follows:

    How do I ensure this information is kept "safe & secure" in the db?

    Is it enough to secure the DB alone or do I need to take measures (e.g. encryption) to guard the information as it is entering the system?

  4. #4
    Join Date
    Dec 2004
    Posts
    5
    thanks for replying so quickly
    OK, maybe I should have worded that a bit better. Of course I understand that this is sensitive information - I was trying to underline the fact that it is perhaps not as sensitive as, say, financial/monetary related information which if not secured properly could seriously impact the user. The information that I will be dealing with is information which for the most part would be easy enough for people to find if they wanted (e.g. phone directory). However, that's not to say that I don't value confidentiality and privacy, and so this is why I want to ensure that it is kept "safe". So my 2 questions are as follows:

    How do I ensure this information is kept "safe & secure" in the db?

    Is it enough to secure the DB alone or do I need to take measures (e.g. encryption) to guard the information as it is entering the system?

  5. #5
    Join Date
    Jun 2004
    Posts
    796
    Provided Answers: 1
    I haven't yet used Oracle in the situation that you've explained, but the database itself can be made as secure as you wish; you can restrict users' access to the database, what they are allowed to 'see' within the database, what they can (& can't) change within the database. The subject of database security is a big one (too big for me to write about here!), so perhaps you might like to read up a bit on it if you need more info - keywords to search on are 'Roles', 'Privileges', 'Policy', 'Auditing', 'Triggers' & 'Virtual Private Database'. In addition, I would recommend a firewall in front of the database, and maybe think about Oracle Net's Server-Side Access Controls.

    As you can see, from the 'design' aspect there's a lot to consider - I think what might help is if someone else with this kind of set-up explains briefly how their system is set up...
    90% of users' problems can be resolved by punching them - the other 10% by switching off their PCs.
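
Added example, not part of the thread: a sketch in Oracle SQL of three of the keywords from reply #5 (roles and privileges, a Virtual Private Database policy, auditing). The schema APP_OWNER, table CUSTOMERS with a USERNAME column, role WEB_CUSTOMER_RW and account WEB_APP are hypothetical, and the site is assumed to call DBMS_SESSION.SET_IDENTIFIER with the logged-in user name after authentication.

```sql
-- Hypothetical names throughout: APP_OWNER owns the data, WEB_APP is the
-- (already created) account the website connects as. Run as a DBA.

-- Roles and privileges: the web account gets only what the site needs.
-- No DELETE, no DDL, no access to any other table in the schema.
CREATE ROLE web_customer_rw;
GRANT SELECT, INSERT, UPDATE ON app_owner.customers TO web_customer_rw;
GRANT CREATE SESSION TO web_app;
GRANT web_customer_rw TO web_app;

-- Virtual Private Database: the policy function returns a predicate that
-- Oracle appends to every statement the policy covers.
CREATE OR REPLACE FUNCTION app_owner.customers_own_row (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- Assumption: the site sets CLIENT_IDENTIFIER once the user has logged in.
  -- If it is unset the comparison is against NULL and no rows match,
  -- so the policy fails closed.
  RETURN 'username = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUSTOMERS_OWN_ROW',
    function_schema => 'APP_OWNER',
    policy_function => 'CUSTOMERS_OWN_ROW',
    statement_types => 'SELECT,UPDATE',
    update_check    => TRUE   -- an UPDATE cannot move a row outside the predicate
  );
END;
/

-- Auditing (traditional audit syntax): record each access to the table.
-- Records are only written if the AUDIT_TRAIL initialization parameter
-- is enabled on the instance.
AUDIT SELECT, INSERT, UPDATE, DELETE ON app_owner.customers BY ACCESS;
```

With this in place a session connected as WEB_APP sees and updates only the row whose USERNAME matches its client identifier, even if the page's query has no WHERE clause.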
