Computerworld - When it comes down to it, a security manager's job is about protecting information assets. But no matter what kind of business you're in, if you can't find all the data, you can't protect it.
Users put data where they need it, and they don't think about who has to know what they're up to in order to protect the data. The problem for security staffs is identifying where all the data is and making sure the proper controls are in place to protect the information.
We recently discovered that agency personnel often create Microsoft Access databases to help them manipulate data and create reports. The users who originate such databases, or the heads of their departments, may be deemed the owners of the data, but IT remains its custodian. Unfortunately, many data owners don't understand the concept of security controls, or even the need for them. It becomes the responsibility of IT security to implement the necessary controls.
Ideally, IT security would understand how people work, what they need and what they are trying to accomplish. Then we could get in front of any effort to manipulate data to make sure that something like an Access database has the proper security controls in place. That's not usually how things go. Generally, data is saved in various formats and then e-mailed, transferred, shared and printed. Afterward, the original data has morphed and has numerous owners and locations.
The realization that users were putting data that could be considered sensitive in Access databases meant I had some homework to do. I have very little understanding of how to secure an Access database, but whenever data that is considered electronic protected health information under the federal Health Insurance Portability and Accountability Act is involved, I have to make sure it is well protected.
I asked the IT person who provides Access database support how such files are secured. At first I got a blank stare, but then he responded, "We rely on file system permissions, basically." That made sense. Access output is treated like output from any other Microsoft Office program, such as Word or Excel. But I needed to know more.
Microsoft's Web site didn't give me a lot of answers, so I ended up checking the help menu from my copy of Access. I learned that there are some strategies for securing Access, but none of them is very good. Here are the techniques I found out about:
Encryption/decryption: This is the simplest method, but it only prevents the database from being opened by a tool or utility it doesn't recognize, like a word processor. It doesn't prevent anyone from opening an unsecured database using Access.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
