How do I make my database secure?

C

COHENMARVIN

I have a sql server database hosted by an ISP. It has credit card
fields. I want to make the database secure.
My asp.net pages refer to the database as follows:
strConnection =
ConfigurationSettings.AppSettings["ConnectionInformation"];
Which means they get the connectionstring for the database from a
web.config file.
The web.config file has the following tags:
<appSettings>
<add key="ConnectionInformation"
value="Server=sql2k5.earthweb.com;Database=merc_One;uid=usa_hvtest;password=vinyl"
/>
</appSettings>
Is there some way to encrypt the connection string? Would it be
encrypted in the web.config? Could some hacker get at the web.config?
Are there any other security measures I could take? For instance,
could the creditcard fields be encrypted in the database?
Thanks in advance for any pointers.
-- Marvin
 
B

Bruce Barker

unless you are on a dedicated server, you are not too secure. other websites
hosted by asp.net have permission to open your web config and read it (as
the asp.net process need access).

asp.net allows encryption by storing the connect string in the registry, but
your isp would have to support this. you could encrypt it yourself, but the
trick is where to store the key (other sites have access to bin, and can
decompile your code to see the decryption code). you should also encrypt in
the database, because you need to secure backups also. when the banks
exposed their cc list, it was thru a lost backup tape.

..net has encryption routines, you shoudl look at using them.

-- bruce (sqlwork.com)
 
N

Norman Yuan

Besides what said in other post, when storing sensitive data, such as credit
card info, you should not store the data in database as clear text. You
should encrypt the data itself before place it into database. And then when
your app reads these data, you decrypt them. So that the data is not
physically readable by anyone other than your app.
 
J

John Murray

Even with encryption, the system has to have a key, and in a shared
hosting environment, it is going to be extremely difficult to come up
with a way to protect that key .... If someone is able to penetrate the
system and get direct access to the SQL Server .... then chances are
they are going to be able to scan your code to find the encryption keys,
or how you are obfuscating them.





Norman said:
Besides what said in other post, when storing sensitive data, such as credit
card info, you should not store the data in database as clear text. You
should encrypt the data itself before place it into database. And then when
your app reads these data, you decrypt them. So that the data is not
physically readable by anyone other than your app.

I have a sql server database hosted by an ISP. It has credit card
fields. I want to make the database secure.
My asp.net pages refer to the database as follows:
strConnection =
ConfigurationSettings.AppSettings["ConnectionInformation"];
Which means they get the connectionstring for the database from a
web.config file.
The web.config file has the following tags:
<appSettings>
<add key="ConnectionInformation"
value="Server=sql2k5.earthweb.com;Database=merc_One;uid=usa_hvtest;password=vinyl"
/>
</appSettings>
Is there some way to encrypt the connection string? Would it be
encrypted in the web.config? Could some hacker get at the web.config?
Are there any other security measures I could take? For instance,
could the creditcard fields be encrypted in the database?
Thanks in advance for any pointers.
-- Marvin
Click to expand...
Click to expand...
 
G

Guest

You could try to talk your ISP into importing a Key and follow one of the
docs on how to use aspnet_regiis to create a RSA key and export to them.


--
(e-mail address removed).<Remove This Before Emailing>

Network & Software Integration
www.n-sv.com

"Helping put the pieces of your IT puzzle together"
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

I need help in understanding these files on my phone, Could someone help me understand these files? Urgent help needed. Please help. 3
How secure is MSAccess? 6
How do I connect to my database when I'm using IIS (connecting via http://localhost/...) 1
How can ASPNET access the Northwind database 1
Connect to remote DataBase 3
SSL site administration secure? 0
accessing web.config from another proj in same soln 4
Connecting external web application with internal database 3

Members online

No members online now.
Total: 295 (members: 3, guests: 292)
Robots: 430

Forum statistics

Threads
473,967
Messages
2,570,148
Members
46,694
Latest member
LetaCadwal

Latest Threads

Top