
I'm trying to track requests (that may contain sensitive data) to a service.

Based on the GDPR, I am trying to analyze all the options for storing sensitive data. There is a lot of data. Previously, this data was logged to a file. But now it’s not possible. So far, the working option is to store it in the database (we use relational).

What are the potential drawbacks of this solution? Has anyone used any other approaches?

Thanks a lot.

1 Answer


Databases are meant to store data and to store it securely. If you are using encrypted hard drives, SSL, RBAC, label security, etc., your data will be very secure. There are no real drawbacks to using a database other than program complexity. But there are enough mature libraries out there that that's really not all that bad, especially if you're using Hibernate and SpringBoot, it will do all the heavy lifting for you.

Ryan
  • The so-called "PCI" data security standards, which must(!) be followed by anyone having to do with credit cards and such, are also good reading for design ideas similar to this one. There are also many prefabricated libraries ... search for *"PCI Compliance."* This is a very familiar requirement, and, as Ryan notes, a lot of the heavy lifting has already been done for you. You are, thankfully, "doing a thing already done." Take full advantage of that. – Mike Robinson Mar 13 '20 at 14:26
  • If OP has encrypted hard drives, then logging to a file is going to be just as secure as writing to a DB. – Ted Hopp Mar 13 '20 at 14:26
  • Well, Ted, the problem might be *disclosure* of the encrypted material. Anyone who could get to that filesystem could get to the data, double-encrypted or not. Generally, you'd like to avoid people getting their hands on even the encrypted data. And you need to accomplish that in an *easily manageable* way. Databases can be a big help. – Mike Robinson Mar 13 '20 at 14:28
  • I meant encrypted hard drives on the database server. It should be moot as that's standard practice for commercial and government systems these days. – Ryan Mar 13 '20 at 14:32
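
The role-based access control mentioned in the answer, and the point in the comments about limiting who can reach the stored data at all, sketched as an added example that is not part of the original posts. It assumes PostgreSQL 13 or later; the schema, table and role names are hypothetical.

```sql
-- Added example. Assumes PostgreSQL 13+; every name below is hypothetical.

-- Group roles carry the privileges; they cannot log in themselves.
CREATE ROLE request_writer  NOLOGIN;  -- the service that records requests
CREATE ROLE request_auditor NOLOGIN;  -- staff allowed to read them

CREATE SCHEMA audit;

CREATE TABLE audit.request_log (
    id          uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
    received_at timestamptz NOT NULL DEFAULT now(),
    endpoint    text        NOT NULL,
    payload     jsonb       NOT NULL  -- may contain personal data
);

-- The service may append rows, but cannot read, update or delete them.
-- A compromised service account therefore cannot dump earlier requests,
-- which a process with write access to a log file usually can.
GRANT USAGE  ON SCHEMA audit TO request_writer;
GRANT INSERT ON audit.request_log TO request_writer;

-- Auditors may read, but cannot modify the record.
GRANT USAGE  ON SCHEMA audit TO request_auditor;
GRANT SELECT ON audit.request_log TO request_auditor;

-- Login accounts get only what their group role allows.
-- Authentication and TLS enforcement (hostssl entries in pg_hba.conf)
-- are configured on the server, outside SQL.
CREATE ROLE svc_api LOGIN IN ROLE request_writer;
CREATE ROLE alice   LOGIN IN ROLE request_auditor;

-- Review who holds which privilege on the table.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'audit'
  AND table_name   = 'request_log'
ORDER BY grantee, privilege_type;
```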