MonCapitan
asked on
Database security - request for data by business partner
Hi,
My boss has asked me to help with a request from an outside 'company' to provide information on our database. I might be going mad, completely wrong or in disbelief but I feel there are huge security implications to this. The initial request by the outside company is below...
1. What databases are you using?
2. Where are they hosted and who (what person) has access to them?
3. What is the current methodology you are using to tap into these databases for your website?
Then they make further requests...
"What we would ideally like to receive is as follows:
4. Electronic copy of sample data records for each club/location and all data fields, not just those displayed on the web
5. Format: any readable format e.g. .txt, rss, xml,
6. Volume: the more records the better, minimum 50 and ideally a random sample from all the databases
7. What is the total count of records held? (e.g. they hold 250 venue locations, 323 registrations)
8. Are you able to provide a data dictionary (a document which describes each field)
9. When was this data first collected/ created?
10. How is this data updated/refreshed and how frequently?"
Ok, so I am willing to provide an rss feed if they would like to use our data which is a common thing to do but it sounds to me like a lot of what they are asking for exposes our database way too much.
Forgive me if I am wrong but my alarm bells are going off. It would be good to get an official reaction to this from another developer/dba to back up my concerns.
Thanks for your time with this.
My boss has asked me to help with a request from an outside 'company' to provide information on our database. I might be going mad, completely wrong or in disbelief but I feel there are huge security implications to this. The initial request by the outside company is below...
1. What databases are you using?
2. Where are they hosted and who (what person) has access to them?
3. What is the current methodology you are using to tap into these databases for your website?
Then they make further requests...
"What we would ideally like to receive is as follows:
4. Electronic copy of sample data records for each club/location and all data fields, not just those displayed on the web
5. Format: any readable format e.g. .txt, rss, xml,
6. Volume: the more records the better, minimum 50 and ideally a random sample from all the databases
7. What is the total count of records held? (e.g. they hold 250 venue locations, 323 registrations)
8. Are you able to provide a data dictionary (a document which describes each field)
9. When was this data first collected/ created?
10. How is this data updated/refreshed and how frequently?"
Ok, so I am willing to provide an rss feed if they would like to use our data which is a common thing to do but it sounds to me like a lot of what they are asking for exposes our database way too much.
Forgive me if I am wrong but my alarm bells are going off. It would be good to get an official reaction to this from another developer/dba to back up my concerns.
Thanks for your time with this.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your responses.
Apparently they are just a company that wishes to promote us and gain profit by using our data.
As I understand it they wish to publish this data which we have agreed to. So, surely all they need to ask us for is the 'type' of information e.g. Organization Name, Address, Contact email, website address etc. Surely they don't need to know our data schema but rather provide us with information on how THEY would like to receive the data i.e. format type (xml), length of field, titles of the fields etc. I can then provide the rss or text file etc.
If they just want us to share some data with them, surely they don't need to know anything about our data structure, where it is hosted, the type of database, tables and field names etc?
With a bit more detail, what would be your reaction to this?
Apparently they are just a company that wishes to promote us and gain profit by using our data.
As I understand it they wish to publish this data which we have agreed to. So, surely all they need to ask us for is the 'type' of information e.g. Organization Name, Address, Contact email, website address etc. Surely they don't need to know our data schema but rather provide us with information on how THEY would like to receive the data i.e. format type (xml), length of field, titles of the fields etc. I can then provide the rss or text file etc.
If they just want us to share some data with them, surely they don't need to know anything about our data structure, where it is hosted, the type of database, tables and field names etc?
With a bit more detail, what would be your reaction to this?
They may not be able to request the information if they don't knwo the information that is available, which is probably why they want all the fields - no issue with this.
It looks like it is in your company's best interest to conform as they are promoting your business.
They most likely want to know all their options so they can best promote the product or service. For example, if you are only able to provide a text feed once a month they will have to tailor their offering to that constraint. Again, it is in your best interest to promote as many delivery methods as is feasible.
Personally I would play ball with them but with some restrictions mainly on the data content you provide them - you never know what they are going to ultimately do with that data after all, and especially if it is related to clubs and perhaps personal data. Always be wary of giving access to personal data which is why I would mask the data to begin with.
It looks like it is in your company's best interest to conform as they are promoting your business.
They most likely want to know all their options so they can best promote the product or service. For example, if you are only able to provide a text feed once a month they will have to tailor their offering to that constraint. Again, it is in your best interest to promote as many delivery methods as is feasible.
Personally I would play ball with them but with some restrictions mainly on the data content you provide them - you never know what they are going to ultimately do with that data after all, and especially if it is related to clubs and perhaps personal data. Always be wary of giving access to personal data which is why I would mask the data to begin with.
I wholeheartedly agree with declanmcd here. It's best to work under the assumption that the info they get may one day be exposed to a party you don't trust, so give them only what they need to do what they do.
Mostly agreed. I just read item #6 as wanting some actual data, not sample data. If it's just sample data, that's not so bad. That said, exposing the database object names, formats, etc. *is* a security risk. It's not incredibly high on the radar as usually an attacker can get at that info via other means, but it's still something that could aid an attacker. That said, I agree it sounds like an auditing request or a partnership is in place.