3

When previous devs at my company had to store sensitive user data (for example, medical records), they did the following. I doubt its merits.

  1. There is data considered "insensitive" (user login, profile info), and "sensitive" (user medical records).
  2. There are three databases. Insensitive data in A, medical records in B, and the mapping between A and B in C.
  3. A hacker must hack all three databases to tie users (A) to medical records (B).

Our own backend code calls C to tie A and B data together for user display. I think the ubiquity of this code invalidates the benefit of splitting databases: if the hacker accesses our system, he can call our logic.

What benefits of the above system am I missing (or are there better ways to secure such data)?

atp
  • 30,132
  • 47
  • 125
  • 187

4 Answers4

2

I'd say that once your system has been compromised and the assailant is past the threshold with access, then the databases are just a matter of time. What it is doing is at least perhaps delaying to intruder in their intent - but the cost (in terms of maintenance, performance, project clarity and so on) might outweigh the benefits.

I'm sure there will be sufficient information for a determined person to decide that X, Y and Z databases are linked - unless you obfuscate database names, table names and other structural indicators.

Ideally you should be looking to make your system impenetrable, all other things beyond that are mitigations, the treating of symptoms with neglect for the problem (that you've been exploited), of which the trade-off must be considered uniquely to the situation.

In my experience and opinion, splitting the database like this is a strangely contrived approach to security that I find to be ingeniously silly.

Grant Thomas
  • 44,454
  • 10
  • 85
  • 129
2

In response to the general question "is splitting databases a legitimate security measure", isolation is indeed a well-known, useful tool for implementing security. Whether its benefits outweigh its drawbacks (generally, additional complexity) is very much situation-specific and I don't know the answer in your system's case.

Suppose for example that someone wanted to build an analytics application on top of your data. It would be very useful to have the mapping data completely out of the picture. If the analytics app is breached, the mapping information is not at risk.

Responding to some comments below, even in your system's specific case, it's not a foregone conclusion that "breaching the system" amounts to breaching all databases at once. Suppose that an attacker exploits a SQL injection vulnerability in your application. If the mapping data is separate and hardened (extra controls on code that accesses mappings, say), then isolation can be the difference between exposing unassociated data and associated data.

Not arguing that it is a good design for your system. Just trying to explain different kinds of rationale that can go into this.

I'm using the same isolation strategy in a similar situation. The "databases" in my case are configuration repositories. All of the preprod configuration goes in one repo and the production config goes in a separate repo. All developers have access to the preprod repo, but only release engineers have access to the prod repo. The rationale is that I want defense in depth: while I could certainly implement access controls on the individual repo folders, I'd rather make the production config simply network-unreachable to all unauthorized staff.

  • But if your system is breached, then _all_ databases are at risk. Since the _app_ would (presumably) still need to negotiate with the multiple databases, there is still a chance (as the OP notes) that they needn't break the server, just exploit the _app_ controlling the system. – Grant Thomas Aug 23 '11 at 09:45
  • In the analytics example, I'm assuming that the analytics app is a distinct app. If it's breached, only the one database is potentially at risk. The mapping data isn't, because the analytics app doesn't have access it it at all. It may be that with the app that spans all three databases that a system breach amounts to a general DB compromise. A control doesn't have to cover every possible vulnerability (indeed no control does that) to have value. –  Aug 23 '11 at 09:51
  • 1
    Then that is irrelevant to the OPs situation; it is stated that the code of an application pulls this data together for displaying purposes, which suggests all databases can be accessed through the same vector. In your case it seems that there are distinct components where the relation becomes more abstract. – Grant Thomas Aug 23 '11 at 09:53
  • p.s. In the OP's example, three databases does sound like more than what's needed. If it's truly the associations between user and medical records that are sensitive, then I'd think two databases were sufficient: one for the user and medical records, and another for the mapping. And there may indeed be better approaches--situation dependent, as I noted. –  Aug 23 '11 at 09:55
2

Yes, splitting data into separate stores can help security. As James Anderson writes, most database systems allow you to grant different privileges on individual tables.

However, most security analysis looks for the weakest link; I doubt whether your weakest link is the way your databases are split out. So, unless you've nailed down a whole bunch of other things - password management being an obvious one, SQL injection attacks another - at best, the database design is pointless; at worst, it is adding complexity to the application which causes bugs; most security vulnerabilities come from bugs.

It can also lead to a false sense of security - "we're covered on security, we split our databases", or a cavalier attitude to securing the "non-sensitive" data.

Oh, and if you decide that the user's login credentials are "not sensitive", you're basically giving an attacker the option of simply impersonating legitimate users of the system to steal your data once they have penetrated your "non-sensitive" data store.

Neville Kuyt
  • 29,247
  • 1
  • 37
  • 52
0

On most serious DBMS systems you can control access at table (sometimes even row level).

So storing the sensitive data in separate tables is a valid way for restricting the access to the confidential data.

While nothing will protect you from a hacker who gets root (as other posters have pointed out). But this strategy will protect you from unauthorized users within your system gaining access, and, by extension from hackers who have obtained their userids and passwords. As spoofing low level employees into giving password details is still one of the commonest "attacks" this is well worth doing.

The big "if" is can you really split your users into "have access" and "have limited access" groups?

James Anderson
  • 27,109
  • 7
  • 50
  • 78