How to protect my online database?
-
Hi, I have an ASP.NET project with a MySQL server backend on my host provider. I want to know what's the best way to protect my database's data so no one will have access to it? I thought of giving password protection to the database, but the host can for sure reset it and get access. I thought of encrypting the data using a SQL stored procedure, but again the host provider can go and open the stored procedure and decrypt. I thought of doing the encryption from ASP.NET, but the web provider can open the code in the editor to know what I am doing and decrypt it. It's making me crazy!! I want to have very secure data where NO ONE except me can open or read it. What's your advice, please? Thanks, Jassim
-
One thing you could do is encrypt and decrypt the data in the MySQL database using the web application rather than native database stored procedures. The web application should be compiled, hence it is a bit harder to crack the encryption code. What I don't understand from your question is how the host provider, or anyone else, would be able to get access to your encryption routine in ASP.NET, since this should consist of 2 parts. The first is the actual aspx files and the second is the compiled class files. I don't know exactly where your paranoia is coming from, but people that have physical access to the MySQL server will ALWAYS be able to crack the data. All they need is time. You'd be better off trying to protect the system the MySQL database is on from the web, like making it accessible only from within your own subnet or the IP that your webserver has. And splitting the encryption from the database, like in your web application. Then even if the database falls into 'enemy' hands they won't have the decryption routine. Thirdly, if you don't trust your hosting provider you should be looking for another one, or alternatively start your own hosting company by renting rack space.
-
"I want to have a very secured data whee NO ONE except me can open or read it." Dont use external hosting - if they want, they will see/get your data anytime. What Gerben suggested is fictional security. Compiled web app can be decompiled with a click. If you use certificate for encryption (no sql level, or asp.net level), you will have to store (public+private key) it at host (hence they can use it too). Obfuscated code / embedded certificate wont help - its another layer of fictional security.. There is simply no way for you to achieve your goal. Some things work on "trust" base - like: - i trust my bank wont give away my info / access my money (not really) - i trust Verisign Certificate Authority, so i trust i'll get legit response when verifying certificates issued by them .... (dunno how much you trust your hosting provider) but, if you want something only you can access, dont let it leave your pc :-)