Remote access and security of gov't database

NetGuySC

Hi,

I have a database program that I have designed for my department and I have a few questions concerning security that I hope someone here could educate me on.

I will admit that up to this point I have been concentrating on building this database and not on securing it after it was built, and I was hoping someone could shed some light on what needs to take place concerning security and the law.

This database is currently set up to include personal info such as name, address, phone, complete SSN # and complete driver's license number. I will soon change the SSN # to the last 4 digits and the DL # to the last 4 digits. This database will be accessed remotely with employee laptops.

The database will be hosted at a third-party site (edthosting.com). It is a SQL backend and a Microsoft Access front end.

1. I understand that the Access front end will communicate with the SQL server in an unencrypted fashion. The Verizon aircard, in the vehicles, uses software that can utilize VPN. I know what VPN is and understand that it basically is an encrypted tunnel between two computers. I have never used VPN and am unfamiliar with the details. Once a VPN account is created on the laptop, could the database use this encrypted connection to communicate directly with the IP address where the SQL database / server is located?

2. The SQL database, being that it is on a third-party server, is it possible to encrypt this database for security yet still allow easy access to employees? If so, is this a function of the server it is located on, or a third-party program?

3. I understand to have a strong password policy.

4. I understand to have whole disk encryption on the laptops (TrueCrypt).

5. Would it be better to have the laptops locked down so that only the database program has access through the VPN to the database, and lock everything else off the internet?

6. Utilize a software restriction policy to not allow installation of unauthorized programs.

7. Do not allow use of USB drives on the remote access computer.


I am looking for a somewhat specific overview of the feasibility of what I have planned, and any pointers on what I am overlooking would be greatly appreciated.

Perhaps a suggestion of best practices concerning remote access and database security that people here use.




Cogman

1. VPNs need to be specifically set up for encryption; it isn't an "out of the box" thing. Not only that, but VPN encryption isn't a sure-fire thing. I would enable it, but not trust it.

2. You can't really encrypt the database since it is hosted 3rd party. You are going to have to encrypt data elements instead. At the very least, the SSN and driver's license should be encrypted. The problem is, the more encryption you apply to each data field, the more worthless MySQL becomes. It becomes impossible to do simple select statements and such because everything is semi-random bits.

A non-company-owned database with sensitive information is not a good thing. It's like opening a new security hole, since your information is only as secure as their servers are. If you can avoid it, avoid it. You should be hosting your own database.

3. Good.

4. Doesn't really help when you don't have direct access to the other company's servers.

5. Yes

6. Yes

7. Yes

Again, I can't stress it enough: the biggest problem with this setup is that you have sensitive information stored on someone else's server. That is a very bad thing. You can take all the security measures in the world, but in the end, if they are compromised, you are screwed.
 

degibson

A. Cogman is right -- your biggest risk in this scenario arises from the possibility that your third-party host might be vulnerable, and is out of your control.

B. I'm not sure what your major concern is in this scenario: You have stated you intend to retain only the last four digits of the only concerningly private data.

C. Even in light of B, I suggest you consider storing a hash of SSN and DL# instead of the last four digits. Doing so would allow your employees to use SSN or DL# to verify a person's identity with one of those, but storing an irreversible hash has far fewer security concerns than even subsets stored in cleartext. Of course, if your employees actually need to know a subset of the SSN or DL#, a hash obviously won't work.

D. You seem to be pretty concerned about perimeter security on the laptops that will access this central server. Take basic steps to secure those laptops -- as JackMDS always says, don't make your users administrators.

E. Just like we concluded in the other thread, you must balance your security versus your potential risk and the attacks you want to tolerate. There is also the concern that your users, if overtaxed with security measures, will find ways to get around them (e.g., weak passwords, shared logins, etc.).

F. As Cogman said, you can always choose to encrypt the contents of the database via the client program. You should also obscure your table and column names, and possibly consider a honeypot table filled with bogus data to partially deal with successful attacks on your hosting provider.
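As an added illustration of the hash-instead-of-digits idea in point C (this is not code from any poster): a keyed fingerprint of the SSN/DL lets the client verify a citizen's number, or search for prior citations by it, without the database ever holding the number, and still supports the exact-match lookup that Cogman notes field encryption breaks. A keyed hash (HMAC) is used rather than a bare hash because 9-digit numbers form a small enough space that a bare hash offers little protection; the key and the sample records are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed placeholder key. It must live outside the database (for
# example in the client program's protected configuration): the stored
# fingerprints are only as useful to a database thief as the key is reachable.
FINGERPRINT_KEY = b"replace-with-a-random-32-byte-key"


def normalize_id(value: str) -> str:
    """Drop dashes, spaces and case so '123-45-6789' and '123456789' agree."""
    return re.sub(r"[^0-9A-Za-z]", "", value).upper()


def keyed_fingerprint(value: str, key: bytes = FINGERPRINT_KEY) -> str:
    """HMAC-SHA256 of the normalised number, hex encoded.

    A plain SHA-256 would not do here: the space of 9-digit SSNs is small,
    so the secret key is what makes the stored value unusable on its own.
    """
    return hmac.new(key, normalize_id(value).encode(), hashlib.sha256).hexdigest()


def verify_id(stored_fp: str, presented: str, key: bytes = FINGERPRINT_KEY) -> bool:
    """Constant-time check that a presented SSN/DL matches the stored fingerprint."""
    return hmac.compare_digest(stored_fp, keyed_fingerprint(presented, key))


# Constructed sample citation records: only the fingerprint is stored, never
# the number itself or its last four digits.
CITATIONS = [
    {"citation": "C-1001", "ssn_fp": keyed_fingerprint("123-45-6789")},
    {"citation": "C-1002", "ssn_fp": keyed_fingerprint("987-65-4321")},
    {"citation": "C-1007", "ssn_fp": keyed_fingerprint("123456789")},
]


def previous_citations(records, presented_ssn: str, key: bytes = FINGERPRINT_KEY):
    """Exact-match lookup by SSN: the kind of simple SELECT that still works
    on a keyed-fingerprint column but not on a properly encrypted field."""
    fp = keyed_fingerprint(presented_ssn, key)
    return [r["citation"] for r in records if hmac.compare_digest(r["ssn_fp"], fp)]
```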
 

Modelworks

> I will admit that up to this point I have been concentrating on building this database and not on securing it after it was built, and I was hoping someone could shed some light on what needs to take place concerning security and the law.

The requirements for the security should be available to your department. Every government office has what is required.

> This database is currently set up to include personal info such as name, address, phone, complete SSN # and complete driver's license number. I will soon change the SSN # to the last 4 digits and the DL # to the last 4 digits. This database will be accessed remotely with employee laptops.

If it has to be on employee laptops that leave the site then I would place all access inside a virtual machine with its own copy of the OS and lock it down so nothing can be installed to that VM and no changes can be made. That will limit the access to the information from other applications on the laptops.


1. Yes.

2. It is possible to encrypt the entire server but you need a host that supports it.

3. Besides a strong password policy don't forget to require changing the password every so often.

4. Encrypting the hard drives is a good idea.

5, 6, 7 can all be solved by using the VM for the OS that accesses that database.

> I am looking for a somewhat specific overview of the feasibility of what I have planned, and any pointers on what I am overlooking would be greatly appreciated.
>
> Perhaps a suggestion of best practices concerning remote access and database security that people here use.


Best practice is to never let your data leave the site. In high security places I have been, there is no connection to the outside world on the high security network and nobody has access to the computers on the network except mouse, keyboard, and display. The actual PC itself is behind lock and key; not even USB ports are accessible.

You really need to inquire what the government specification is for your department. As long as you follow that, even if there is a security breach, you are covered.
 

NetGuySC

Basically, I work for a local county government agency. This gov't agency has not allowed any remote access at this point, and very possibly the reason is that it hasn't been needed / requested. The IT admin was unaware of the database being developed, but the IT staff were aware. Now that it is near completion and I have brought it to his view, he is understandably concerned that the database could have been compromised by the non-county-approved vendor that I hired. The county admin wants to know from me what safeguards will be in place to make this database red flag compliant.

I am trying to convince the IT admin and the county admin that the strictest security standards that I plan to put in place will make remote access as secure as possible, to possibly quell any concern that they have about remote access and also be red flag compliant.

I want these laptops to be only useful to run the database, with no other internet availability except what is needed for the database front end to communicate with the server: no gaming or even checking email. I prefer to not even have a browser installed. Nothing but database functionality.

I had planned on hosting with a third-party server but seeing the major concern here expressed with that option, it is now not an option.
 

GeekDrew

I work for a County IT office. Your username indicates "SC"; that's not my state, so the remainder of my post is probably grievously inaccurate because inter-state policies are frequently incompatible.

With the disclaimer that I am not a lawyer, I am not providing legal advice, that you are not permitted to use my advice in any official capacity, and that you absolutely need to contact your legal representation, a few thoughts off of the top of my head:

Your agency absolutely must check with any parent/authoritative agencies, including the State itself, for IT policy for handling this type of data. For example, some state agencies require us to secure data via biometric authentication, and other state agencies require us to only ensure that we have an electronically enforced password complexity and aging policy.

No vendor may host or have access to the data without contracts in place between that vendor and the source agency (and that agency needs to consider all higher policies/mandates) that provide a very clear definition of who can access the data, what they can do with it, and where/how they must store that data.

Remote access to the data must be prohibited unless each user is connected via a trusted network/PC over an encrypted VPN. Servers absolutely must not be directly exposed to the internet.

Logging. There needs to be a trail of what is done, by whom, and when. At a minimum on insert/update, and preferably on select, also. This is frequently not the case with MS Access front-ends. In many cases, you need to have a way to review changes for accuracy, which implies workflow, but that's a completely different topic.

You seem to be worried about locking down the remote terminals, and while that is a necessity in many cases, I think that you're putting the cart before the horse, so to speak. Back up and get the database/app/server policies down, and then worry about the remote terminals. What you have said (encrypting hard drives, disabling non-required physical ports, using policies to prohibit software installation, etc.), however, is a good start.

Some folks (including in this thread) are encouraging using virtual machines to enhance security. While they are not technically incorrect, given your line of questioning in the OP, I discourage introducing VMs into the mix. If not configured correctly, they could provide a tremendous security breach, rather than helping in any way.

You've mentioned that you're changing your SSN and DLN fields to SSN(4) and DLN(4). If the last 4 digits of each will suffice, are you really sure that you need that data at all? In my experience, SSN(4) is used mainly when required by law or mandate, rather than for technical reasons. It makes automatic duplicate analysis difficult (almost certainly requiring human interaction), and it absolutely rules out the use of SSN being used as a unique identifier (which it shouldn't be in the first place). I've never seen DLN(4) used anywhere, ever, successfully. Your case may be an exception. If you're required by law or policy to verify data provided by other entities, verifying only 4 digits is not generally acceptable.

You need to have a meeting with your county's IT administrator(s), and figure out what their opinions are. There are tons of regulations out there, and they should either know what applies to your situation, or should be able to point you in the right direction, so that you can determine what those requirements are.
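As an added example of the logging point above (not code from any poster, and not the county's schema): database-side triggers record every insert and update together with the acting user, regardless of which front end made the change, while reads have to be logged by the application because no trigger fires on SELECT. The table layout, the session mechanism for naming the actor and SQLite in place of the real SQL backend are all constructed assumptions for the demonstration.

```python
import sqlite3

# Constructed example schema; the actual citation table is not on the page.
SCHEMA = """
CREATE TABLE citation (id INTEGER PRIMARY KEY, citizen TEXT, offense TEXT);
CREATE TABLE session  (k TEXT PRIMARY KEY, v TEXT);  -- who is acting right now
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, action TEXT, actor TEXT, at TEXT,
    row_id INTEGER, old_row TEXT, new_row TEXT);
-- Triggers run inside the database, so an Access front end that never
-- thinks about logging still leaves a trail of what changed, by whom, when.
CREATE TRIGGER citation_ai AFTER INSERT ON citation BEGIN
  INSERT INTO audit_log(action, actor, at, row_id, old_row, new_row)
  VALUES ('INSERT', (SELECT v FROM session WHERE k = 'actor'),
          strftime('%Y-%m-%dT%H:%M:%fZ', 'now'), NEW.id,
          NULL, NEW.citizen || '|' || NEW.offense);
END;
CREATE TRIGGER citation_au AFTER UPDATE ON citation BEGIN
  INSERT INTO audit_log(action, actor, at, row_id, old_row, new_row)
  VALUES ('UPDATE', (SELECT v FROM session WHERE k = 'actor'),
          strftime('%Y-%m-%dT%H:%M:%fZ', 'now'), NEW.id,
          OLD.citizen || '|' || OLD.offense, NEW.citizen || '|' || NEW.offense);
END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def act_as(conn, actor):
    conn.execute("INSERT OR REPLACE INTO session(k, v) VALUES ('actor', ?)", (actor,))

def insert_citation(conn, actor, citizen, offense):
    act_as(conn, actor)
    cur = conn.execute("INSERT INTO citation(citizen, offense) VALUES (?, ?)", (citizen, offense))
    return cur.lastrowid

def update_offense(conn, actor, row_id, offense):
    act_as(conn, actor)
    conn.execute("UPDATE citation SET offense = ? WHERE id = ?", (offense, row_id))

def read_citation(conn, actor, row_id):
    # No trigger fires on SELECT, so reads are logged by the application layer.
    row = conn.execute("SELECT citizen, offense FROM citation WHERE id = ?", (row_id,)).fetchone()
    conn.execute("INSERT INTO audit_log(action, actor, at, row_id) VALUES "
                 "('SELECT', ?, strftime('%Y-%m-%dT%H:%M:%fZ', 'now'), ?)", (actor, row_id))
    return row

def audit_trail(conn):
    return conn.execute("SELECT action, actor, row_id, old_row, new_row "
                        "FROM audit_log ORDER BY id").fetchall()
```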
 

NetGuySC

Thank you so much GeekDrew and others. You have been an absolute wealth of info.

I now plan to completely remove the SSN and the driver's license number from the database. This database will only be used within a sub-department of ten people and will not be shared with any other agencies. It is used to store requests for services from citizens (work orders) and to record the citizen's info when we write a citation. The SSN and DL were used as unique IDs in the citation, to be able to easily search the database for previous offenses they were cited for.

Now that the only personal info that will be stored is a person's name, address and phone number, will it still require the same stringent policies as if the SSN and DL# were still a part of the database?
 

GeekDrew

> I now plan to completely remove the SSN and the driver's license number from the database. This database will only be used within a sub-department of ten people and will not be shared with any other agencies. It is used to store requests for services from citizens (work orders) and to record the citizen's info when we write a citation. The SSN and DL were used as unique IDs in the citation, to be able to easily search the database for previous offenses they were cited for.
>
> Now that the only personal info that will be stored is a person's name, address and phone number, will it still require the same stringent policies as if the SSN and DL# were still a part of the database?

Your question takes me into a gray-area that I absolutely cannot answer without knowing the rules and regulations applicable to your agency. I would ultimately leave that decision up to your county IT admin.

If it were me making that decision, I'd need more info. What type of work orders and citations are you responsible for? Is it for a utilities or engineering office? Those work orders and citations are usually issued to a specific person/customer, but the record itself pertains more to the property address, in which case parcel address should be sufficient, and no confidential information may be present.

If it's for a law enforcement office, though, it may very well still fall under confidentiality regulations. Citizens routinely call our Sheriff's office and place themselves on a "vacation watch" - meaning that the citizen is away from the property and is requesting that the Sheriff send a deputy to look for vandalism periodically. Records in that database are confidential (I don't know whether they're only confidential for the period of the work order or indefinitely) because compromise of that database would give the third party access to a list of properties where there may be valuable goods present and nobody around to guard them. Citations issued by our Sheriff's office are absolutely secured -- they are one of those cases where we require the end users to authenticate via fingerprint.

So... the answer is that it all depends on the nature of your data.
 

NetGuySC

Thanks again, GeekDrew.

I appreciate the time you took to respond and yes these issues are being fully exposed to the IT director. He seems to be wanting to help me make this database work, as soon as he can clean up the security issues.

I am trying to get a better understanding of what is involved, and you have helped me immensely.
 