Question

You are employed as a database administrator by a start-up company in Menlo Park, California. The...

You are employed as a database administrator by a start-up company in Menlo Park, California. The company is developing a new payments system that is attracting a lot of attention from venture capitalists. Customers will be able to process credit card transactions remotely and transmit payment information over the internet to your data center. During the latest round of negotiations for funding, one of the potential backers announced that he or she would be conducting a due diligence assessment to ensure that the new payments system design has adequate security controls. This potential backer is particularly concerned about customer privacy issues, as this is a hot topic in California and elsewhere. Your manager, the Chief Technology Officer (CTO) of the firm, has asked you to make recommendations on several aspects of SQL Server database security. Please consider:

  • Securing the client/server connections over the internet
  • Authenticating users
  • Encrypting sensitive information

Like any security principle established for any project, layering is an absolute necessity. The importance of layering is convincing those who would want to infiltrate your system that it isn’t worth the effort and that they should move along. Examples of physical security are entering a restricted parking lot with an attendant who verifies your identity and the use of a key card to open the entrance to the building. Examples of security for accessing an application for a banking institution include providing a username, PIN, and/or secret phrase to verify your identity. Other security measures that should be included in a project which utilizes the process of credit card transactions are Secure Socket Layer,

Answer #1

A few suggestions to ensure SQL Server database security are:

  • One of the most efficient ways to secure data in a SQL database is to use encryption. All data, especially sensitive data, has to be stored in a manner which is not human-readable or understandable. Various encryption algorithms can be used to encrypt the data, and a private key will be generated. Only the person who knows the private key can decrypt and read the original data.
  • Authentication has to be provided to every user with a username and password. All the users' data will be stored in the database. Unnecessary users should not be given access to the data. Whenever a user logs into the server with his username and password, these details will be cross-checked with the data available in the database. The user will be provided access to the server only if his login credentials match the details in the database.
  • The server must be attached to a backup power supply. A copy of all the data should be stored in a backup to ensure zero data loss. Whenever there is a security attack or power failure, the data can be recovered from its backup, thereby preventing data loss.
  • Various web-based security methods are used to ensure connectivity across a network. The data transmission from client to server should always be done in a secured manner, i.e., using Secure Sockets Layer. The receiver should have a valid identity. Before sending the data, the client should check whether the receiver is valid, so that the data doesn't get lost during transmission and reaches the correct destination.
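
The three areas named in the question (connections, authentication, encryption), sketched in T-SQL as an added example that is not part of the question or of the answer above. The database, table, login, certificate and key names are hypothetical, the passwords are placeholders, and the card number is a constructed test value.

```sql
-- Added example: all object names are hypothetical, passwords are placeholders.
CREATE DATABASE PaymentsDemo;
GO
-- 1. Authentication: a login bound to the OS password policy, mapped to a
--    database user that will receive only the permission it needs.
CREATE LOGIN payments_report
    WITH PASSWORD = '<placeholder-strong-password>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
USE PaymentsDemo;
GO
CREATE USER payments_report FOR LOGIN payments_report;
GO
-- 2. Encryption: key hierarchy (database master key -> certificate -> AES key).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-master-key-password>';
CREATE CERTIFICATE CardDataCert WITH SUBJECT = 'Protects the card data key';
CREATE SYMMETRIC KEY CardDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardDataCert;
GO
CREATE TABLE dbo.CardPayments (
    PaymentId     INT IDENTITY(1,1) PRIMARY KEY,
    CustomerId    INT            NOT NULL,
    CardNumberEnc VARBINARY(256) NOT NULL   -- ciphertext only, never plaintext
);
GO
-- Layering: SELECT on the table, but no permission on the key or certificate.
-- For this user DecryptByKey returns NULL, so only ciphertext is visible.
GRANT SELECT ON dbo.CardPayments TO payments_report;
GO
-- 3. Encrypt on write, decrypt on read, in a session allowed to open the key.
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;
INSERT INTO dbo.CardPayments (CustomerId, CardNumberEnc)
VALUES (1, EncryptByKey(Key_GUID('CardDataKey'), N'4111111111111111')); -- constructed test value
SELECT PaymentId,
       CONVERT(NVARCHAR(32), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.CardPayments;
CLOSE SYMMETRIC KEY CardDataKey;
GO
-- 4. Connections: list sessions that are NOT encrypted in transit.
--    Needs VIEW SERVER STATE; local shared-memory sessions also report FALSE.
--    Clients should connect with Encrypt=True;TrustServerCertificate=False so
--    the server certificate is validated before any data is sent.
SELECT session_id, net_transport, encrypt_option, auth_scheme
FROM sys.dm_exec_connections
WHERE encrypt_option = 'FALSE';
```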