troubleshooting Question
need to understand different ways of restricting data access, to meet government guidelines
asked on
In our government agency, we are required to "harden" databases, e.g., database access, prevent Personally Identifiable Information from unauthorized access, etc.
The chosen solution is leave current data in the ERP d.b. (~5 years) and delete everything else. The data warehouse then contains all data back to the beginning of time, and it's refreshed weekly. So historical reporting that previously was done from the main ERP database will have to be re-directed to the DW.
My question is this - isn't it reasonable (from a security perspective) to restrict data to current (~5 years) via security profiles ?
For example
- implement VPN policies (this is a non-programmatic solution)
- simply implement views and restrict data (Oracle views or BusinessObjects "views")
- could partitions be a way of restricting data access ?
My perspective on this is that we currently do all reporting out of the ERP database. But creating the DW means that now we have TWO very big databases to maintain. So all kinds of views, functions, procedures, etc. now have to be maintained in the DW in addition to the main ERP system. Why not let the computer do the work, instead of two physical databases ?
I also have recently come to learn about in-memory computing, and Professor Plattner of SAP (1st 5 minutes) says in-memory computing (via Hana of course) REDUCES code footprint, data footprint, etc., so much so that the DW isn't even necessary !
So my main question again is - is it really necessary to physically segregate the data to "harden" access ? Couldn't the power of the computer meet this "hardening" criteria ?
The chosen solution is leave current data in the ERP d.b. (~5 years) and delete everything else. The data warehouse then contains all data back to the beginning of time, and it's refreshed weekly. So historical reporting that previously was done from the main ERP database will have to be re-directed to the DW.
My question is this - isn't it reasonable (from a security perspective) to restrict data to current (~5 years) via security profiles ?
For example
- implement VPN policies (this is a non-programmatic solution)
- simply implement views and restrict data (Oracle views or BusinessObjects "views")
- could partitions be a way of restricting data access ?
My perspective on this is that we currently do all reporting out of the ERP database. But creating the DW means that now we have TWO very big databases to maintain. So all kinds of views, functions, procedures, etc. now have to be maintained in the DW in addition to the main ERP system. Why not let the computer do the work, instead of two physical databases ?
I also have recently come to learn about in-memory computing, and Professor Plattner of SAP (1st 5 minutes) says in-memory computing (via Hana of course) REDUCES code footprint, data footprint, etc., so much so that the DW isn't even necessary !
So my main question again is - is it really necessary to physically segregate the data to "harden" access ? Couldn't the power of the computer meet this "hardening" criteria ?
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 12 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.