Thursday, August 20, 2009

A few myths and truths about MS Access Security

It seems at least once a month, I see some trade magazine or blogger snipe that Microsoft Access is the least secure place to store your data, or that Access is a hacker's dream. An article in InformationWeek this month offers some empirical data to combat the myth that MS Access databases are a wide open vault door:

(source: InformationWeek "Database Servers: Candy For Hackers")

There is no denying that the "Workstation" and "Laptop" categories would largely pertain to Microsoft Access and FileMaker. Nevertheless, database servers clearly hold the largest share of breaches and records stolen.

Truth: Microsoft Access database files can be hacked
Microsoft designed Access to be secure when the appropriate measures are taken. But even taking those measures, there are publicly available utilities to unlock MS Access passwords, and read the raw database files.

Myth: Access databases are easy to hack
This myth is only a myth if you take the right steps to secure your database in the first place, and I won't go into them here. You'll find a wealth of them available online, including this excellent article on MSDN. But if you take the appropriate measures, you'll be safe from everyone except the interesting characters that sit in front of dark terminals search for vulnerabilities and go by monikers like 'fuN1B0yyy'.

Final Thoughts
If you choose to store confidential and sensitive information in an Access database, take the appropriate measures to limit access to the database. That means securing the database file(s), but also locking down the directory, and machine, where the sensitive information exists. But above all, when you hear a well-meaning colleague scoff "you're storing that in might as well just print it out and pass out copies on the street!!!" you can respond with empirical facts (database servers are more commonly breached) and the steps you've taken to appropriately secure your sensitive data.


Donn Edwards said...

Interesting point. One of my clients has a medical patient database in Access 97, where there is no security at all.

On all the laptops that use this system, the MDB file is stored on a TrueCrypt volume. Two laptops have been stolen in the last 18 months, but we are confident that none of the data has fallen into the wrong hands.

In addition, I use a simple class library to encrypt the data using RC4 encryption. It's not super-secure, but it will put off the disgruntled employee who wants to steal a list of names and phone numbers.

Finally, we have a "daily code" password that is different for each user every day. If a machine is stolen (even by an employee) then they can't run the program the following day without a new code. These codes are printed out by the CEO at the end of the day.

These methods are not bulletproof, but we are satisfied that data theft would have to be an "inside job" by a determined hacker. It's easier to photocopy all the paper patient records than steal the data file.

Donn Edwards said...

The MSDN article implies that SQL Server data files are somehow more secure. In what way are they secure, apart from user names and passwords?