Database Security

[x-ice]

This is just an idea i had, i'm not developing anything really.

If i was developing a large application that uses a database to store records of all customer, etc...

The application is used to add, delete, edit, search records. There would also have a table in the database with login details of those who are permitted to use it.

How would i secure the database (using encryption) so that nobody can ever read the database unless they use the application that will decrypt records that need to read?

I was thinking of encrypting the whole database using the RSA algorithm, which there is an implementation of on .NET programming languages. But what would be the best way of doing this?

[szlamany]

This gets debated on the forum from time to time...

The major point argued about is that encrypting the data in the actual tables makes the indexes no longer work - as the data is no longer in a "real-visual-data" order.

If the data is in a DB like MS SQL Server then you can protect it from viewing outside the application by simply using STORED PROCEDURES for all access. No one will be able to casually look at table data with a tool like EXCEL, for instance, if you do this.

The only people getting access to visually look at the data without the application would be those with rights to the DB server.

[iainpb]

If you are using SQL server, use the windows based authentication, set up an account for your application to use and remove all other access