sbornstein2
asked on
Anyone a security guru out there WCF question.
Hello all,
I need some opinions on this and education really as I continue to research. I work at a company where we have sensitive data in a core Intranet based application in-house of course. The backend is a SQL Server database. There is a need to expose externally to some vendors some of the data within the core system as well as 'provide' us some data we would be inserting or updating to a few tables. We created a service layer to eventually be able to expose some of our service call methods such as gets etc. external to our application. So I have a few questions I am concerned about and need to understand better:
- Is it good practice to have a second database that only has data relevant to the external based system to have that separation. My thinking is this is kind of getting away with secure WCF messaging so this would be a waste of time. If they can compromise a second database why not the first etc. Then the idea would be replication etc. to move data back and forth to our core database. This is the main question that came up as the core database has a lot of sensitive data.
- Not sure where we would be 'hosting' this external application but of course it would be on the DMZ so it can be exposed. Any thoughts or use case scenarios on this is it WCF with certificate based security etc.
Anyway I know this is a loaded question but looking to understand it better because of the personal data we need to be careful is not exposed. I am not a WCF guru and have used in the past here and there.
Thanks for any information, links etc. you can provide.
I need some opinions on this and education really as I continue to research. I work at a company where we have sensitive data in a core Intranet based application in-house of course. The backend is a SQL Server database. There is a need to expose externally to some vendors some of the data within the core system as well as 'provide' us some data we would be inserting or updating to a few tables. We created a service layer to eventually be able to expose some of our service call methods such as gets etc. external to our application. So I have a few questions I am concerned about and need to understand better:
- Is it good practice to have a second database that only has data relevant to the external based system to have that separation. My thinking is this is kind of getting away with secure WCF messaging so this would be a waste of time. If they can compromise a second database why not the first etc. Then the idea would be replication etc. to move data back and forth to our core database. This is the main question that came up as the core database has a lot of sensitive data.
- Not sure where we would be 'hosting' this external application but of course it would be on the DMZ so it can be exposed. Any thoughts or use case scenarios on this is it WCF with certificate based security etc.
Anyway I know this is a loaded question but looking to understand it better because of the personal data we need to be careful is not exposed. I am not a WCF guru and have used in the past here and there.
Thanks for any information, links etc. you can provide.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
WCF Security Token Service
http://msdn.microsoft.com/en-us/library/ee748498.aspx
Here is some good reading material on WCF security:
Fundamentals of WCF Security
http://www.codemag.com/article/0611051