I have a JAVA application (Jersey, Hibernate, Spring) which is using MySql as database. Application is running completely fine. Now my client wants me to encrypt all data in database because it hold some confidential information as well. so for example if anybody directly logs in to MySQL he/she should not be able to view actual data but the encrypted data.
Actual data should be shown in correct for only using application.(In application we are maintaining user rights).
Please suggest do I need to make change at application layer. Application is quite big and if make changes for each and every query while inserting and retrieving data, it would take alot of time. Please suggest if there is any alternative way.
Regards,
Alex
MySQL does not provide transparent data encryption by default. I quick googling reveals some add on products that claim to do what you are looking for (personally, do not have any experience with them):
zNcrypt for MySQL
MyDiamo
I think you should evaluate these options.
Related
I need all the data backup storage on a regular basis on Salesforce to local database, so I wrote a program that calls the REST API /services/data/v53.0/sobjects access to all the sobjects, Then respectively according to their name call /services/data/v53.0 sobjects/XXX/describegot fields for each object, but I found that the fields I got did not match the fields in the object manager.
I've also tried using SOQL directly:
SELECT EntityDefinition.QualifiedApiName, QualifiedApiName, DataType
FROM FieldDefinition
WHERE EntityDefinition.QualifiedApiName = 'xxx'
But it still doesn't work, if I need to back up the CRM data to my own local database, what do I need to do? How do I get all the tables and all the fields and export them?
please help me!
There are a few ways to do this, but none of them are easy. In the past I have used addons that connect directly to Salesforce via MSSQL. One such application is purpose built for this use case. Its called DBamp. Unfortunately it is rather pricy. You can also connect to your Salesforce instance with integration software like Jitterbit, Mulesoft, DellBoomi or Talend. That approach would require creating an integration catered to the object you want the backup for.
On free side, you could use Excel to connect to your Salesforce instance and pull down whatever object you want, this is probably not an ideal solution though. Data Tab > Get Data > From Online Service > From Salesforce Object.
enter image description here
I have seen other solution like creating full copy sandboxes every week. The last option is connecting MSSQL to Salesforce via SSIS and an ODBC connector but this has been a pretty bad experience in the past, could just be me though.
I'm trying to implement Microsoft Azure's db as my mobile app backend. I'm having a hard time finding comprehensive documentation. I do see that I can query a table this way:
mToDoTable.where().year("due").eq(2013).and().startsWith("text", "PRI0")
What I'd like to do is twofold:
create complex joins on tables or
send a parameter to a View or stored procedure that implements the complex join on the server side.
But I can't figure out how to do either.
There's a .parameter() method, but no indication of how I can catch that on the server to do anything useful.
I was looking in the wrong place. It may be possible to directly query the SQL database, but that involves bypassing a lot of security and isn't really what I wanted.
The answer I found was that after setting up the database (and views and stored procs) in the SQL databse section of Azure, go to the Mobile Services section and create new APIs that run javascript and can run any sql, including query parameters.
I found this link very helpful: http://tapanila.net/windows-azure-mobile-services-custom-api-for-existing-sql-database/
I'm developing an app for Android which needs data of my server. My doubt is:
Is it safe to make a query from android to mysql?
Because... I was thinking to obtain a JSON with a PHP file, but I believe this is slower method. So, now i'm trying to make a query to mysql server without any PHP file, putting the password and the user of data base in the android project.
I need to know if someone could decompile my app and see my credentials in java files.
Are there other methods?
More than "safe", there's not a native way to send data from Android to a MySQL server. The correct way is implementing a web-service that receives the query (for instance, via HTTP POST), then handles it, connects to the local (or remote) database and executes the requested query (and possibly returns the result if needed).
As far as security goes, this seems to be a totally different question, but in this kind of architecture it seems that a Asymmetric encryption algorithm is what best fits this kind of transactions, as you can hardcode/download each time you need the public key for encrypting messages and they'll be only decrypted by the server side using the private key.
Hardcoding credentials into your app is pretty much a bad idea, because if someone who has some knowledge about this subject, will try crack you app, and if your app manages some financial sensitive data, they actually will try triplify efforts.
How to securely share key between two remote devices?
How dangerous might be publishing a public key?
You should be aware that people can always get the db user and password from the application. This allows them to login and drop your tables in the database.
Therefore creating a small web service that will do it for you gives you more security, since you can decide what operations is allowed to perform to the database.
Using a RESTful (in your case)PHP framework is the way to go. You can then use data from JSON or XML in your application. This way is definitely not slower. You can use this framework:
http://www.slimframework.com/
Or whatever your are using right now.
We are developing an application using java spring framework to manage multiple devices automatically. In the initial configuration of our application user selects the devices that needed to be managed and enters their credentials. At this time, we are saving these credentials in plain text into database. Now I needed to write an utility class to encrypt this sensitive data while saving it into DB and decrypt while retrieving them back. Basically, we don't want everyone to see these credentials by simply looking into db tables.
What is the best way to this? Sample code snippet is very helpful...
I believe that PasswordEncoder can help you.
I'm using JDBC to connect to a PostgreSQL database. We are trying to block access to the database for the users themselves; instead they should be forced to use our frontend. We blocked access to any table, and gave only procedures, which do all the work for users, still not giving them any opportunity to access data directly. We tried to block access to schema pg_catalog, which limits users to procedures we created, but it seems that this access is needed for JDBC to call any procedure.
Anyway, the question is either how to use JDBC without access to pg_catalog, or how to authorize only connections made by application, not user.
There is no fool proof way but the simplest is to use a username and password for the connection that you do not give to your users. Store the password in an encrypted configuration file. Ofcourse the encryption key can be retrieved from the application by a smart person.
For a really save system it would probably be best to put a service in front of the database that handles all security and provides a high level API to access the data and let the client connect to this.
The DBMS is being presented with a Catch-22 situation:
When a user runs a specific JDBC program to access the database, let it do its stuff.
When a user runs any other JDBC program to access the database, do not let it do its stuff.
How can the DBMS tell the difference between the two programs? As far as it is concerned, they are both clients that are using the correct protocol to communicate with the DBMS, and have identified themselves as a legitimate user of the database.
To make it work, you have to find a non-subvertible way to distinguish between the two applications. That is not trivial - to say the least.
There are kludges, but there isn't a clean solution. It is a generic problem that any DBMS faces when the problem is presented as in the question.
Well, just don't give your users an account on your postgresql database and create only an postgresql account for your application.