Sql) Database and Its Middleware Application and Their Secure Implementation Within Thinclient Environments Melissa D

Sql) Database and Its Middleware Application and Their Secure Implementation Within Thinclient Environments Melissa D

Regis University ePublications at Regis University All Regis University Theses Fall 2008 An Investigation of the Security Designs of a Structured Query Language (Sql) Database and its Middleware Application and their Secure Implementation Within Thinclient Environments Melissa D. Winner-Leoni Regis University Follow this and additional works at: https://epublications.regis.edu/theses Part of the Computer Sciences Commons Recommended Citation Winner-Leoni, Melissa D., "An Investigation of the Security Designs of a Structured Query Language (Sql) Database and its Middleware Application and their Secure Implementation Within Thinclient Environments" (2008). All Regis University Theses. 121. https://epublications.regis.edu/theses/121 This Thesis - Open Access is brought to you for free and open access by ePublications at Regis University. It has been accepted for inclusion in All Regis University Theses by an authorized administrator of ePublications at Regis University. For more information, please contact [email protected]. Regis University College for Professional Studies Graduate Programs Final Project/Thesis Disclaimer Use of the materials available in the Regis University Thesis Collection (“Collection”) is limited and restricted to those users who agree to comply with the following terms of use. Regis University reserves the right to deny access to the Collection to any person who violates these terms of use or who seeks to or does alter, avoid or supersede the functional conditions, restrictions and limitations of the Collection. The site may be used only for lawful purposes. The user is solely responsible for knowing and adhering to any and all applicable laws, rules, and regulations relating or pertaining to use of the Collection. All content in this Collection is owned by and subject to the exclusive control of Regis University and the authors of the materials. It is available only for research purposes and may not be used in violation of copyright laws or for unlawful purposes. The materials may not be downloaded in whole or in part without permission of the copyright holder or as otherwise authorized in the “fair use” standards of the U.S. copyright laws and regulations. An Investigation of the Security Designs of a Structured Query Language (SQL) Database and its Middleware Application and their Secure Implementation within Thin­ client Environments. by Melissa D. Winner­Leoni [email protected] A Thesis/Practicum Report submitted in partial fulfillment of the requirements for the degree of Master of Science in Computer Information Technology School of Computer and Information Sciences Regis University Denver, Colorado October 5, 2008 Melissa Winner­Leoni Thesis 2008 Abstract The Information Portability and Accountability Act (HIPAA) and The Sarbanes­ Oxley (SOX) regulations greatly influenced the health care industry regarding the means of securing financial and private data within information and technology. With the introduction of thin­client technologies into medical information systems (IS), data security and regulation compliancy becomes more problematic due to the exposure to the World Wide Web (WWW) and malicious activity. This author explores the best practices of the medical industry and information technology industry for securing electronic data within the thin­client environment at the three levels of architecture: the SQL database, its middleware application, and Web interface. Designing security within the SQL database is not good enough as breaches can occur through unintended consequences during data access within the middleware application design and data exchange design over computer networks. For example, a “hospital’s medical records, which are routinely exchanged over computer networks, are subject to the audit control an encryption requirements mandated for data security.” (Department of, 2008). While there is an overlapping of security techniques within each of the three layers of architectural security design, the use of 18 methodologies greatly enhances the ability to protect electronic information. Due to the variety of IS used within a medical facility, security conscientiousness, consistency of security design, excellent communication between designers, developers and system engineers, and the use of standardized security techniques within each of the three layers of architecture are required. ii Melissa Winner­Leoni Thesis 2008 Acknowledgments In the loving memory of Jacob, for without him I would have never learned the fundamental concept: I am only limited by that which my mind cannot perceive. My heart filled thanks to all those in the medical industry who gave their time and information. I offer a special thank you to all the professors and advisors who worked diligently to assist me with my studies. A loving thanks to my greatest supporters who continually gave me encouragement, Esther, Elizabeth, Mary, Bill, and Hank. I could not have done this without them being a part of my life. iii Melissa Winner­Leoni Thesis 2008 Table of Contents Abstract .............................................................................................................................. ii Acknowledgments ............................................................................................................ iii Table of Contents ............................................................................................................. iv Executive Summary ...........................................................................................................1 Chapter 1 – Introduction ..................................................................................................3 1.1 – SOX Compliance ..............................................................................................3 1.2 – HIPAA Compliance .........................................................................................4 1.3 – SOX and HIPAA Impact ................................................................................8 1.3.1 – Exceptions to the SOX and HIPAA laws ...............................................8 1.3.2 – Flexible Security Solution with SOX and HIPAA Compliance ............9 Chapter 2 – Review Literature and Research ...............................................................10 2.1– Networking Security ........................................................................................11 2.1 ­ User ID and Passwords .............................................................................14 2.2 – Database Security ...........................................................................................16 2.2.1 ­ User Roles and Groups ..........................................................................17 2.2.2 ­ SQL Database Views .............................................................................18 2.2.3 ­ Data Encryption within the Database ....................................................19 2.2.4 ­ Pseudonymization ..................................................................................20 2.2.5– SQL Database Update on CRUD ...........................................................21 2.2.6 ­ Audit Logs and Audit Tables .................................................................21 2.3 – Application Security .......................................................................................22 2.3.2 ­ Data Access Layer .................................................................................25 2.3.3 ­ Business Layer .......................................................................................25 2.3.4 ­ User Interface Layer ..............................................................................26 iv Melissa Winner­Leoni Thesis 2008 2.3.5 ­ Presentation Layer .................................................................................26 2.4 - Web Publishing Security ................................................................................26 2.4.1 – Certificates and SSL ..............................................................................31 2.4.2 – Breaching of Network Information and Code Disclosure.....................31 2.5 – Summary of Security Practices .....................................................................32 Chapter 3 – Security Methodologies ..............................................................................34 3.1– Security Breach Beyond User ID or Group ..................................................37 3.1.1 – Limiting the Possibilities for SQL Injection and Malicious Activity ...37 3.1.2 – Limiting User by Views ........................................................................39 3.1.3 – Employee Security Breach ....................................................................41 3.1.4 – Troubleshooting with audit logs and audit tables .................................42 3.2 – Database Design Security ...............................................................................43 3.2.1 – AES Data Encryption ............................................................................44 3.2.2 – Procedures, Functions and Triggers ......................................................45 3.2.3 – Limiting Data and Disallowing Special Characters ..............................46 3.2.4 – Restricting Users ...................................................................................46 3.3 - Application Design Security ...........................................................................47 3.3.1 – Malicious Activity .................................................................................47

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    106 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us