ISOBLUE


Database Security: Knack Approach

Knack Security

Data security is a legitimate concern. It's something we are asked about a lot when we are working with clients, who perhaps need to reassure themselves or others.

Balance

I work as a business analyst. That means I work with commercial (and non-profit) clients, helping them solve tech-business challenges: overcoming technical and business problems to deliver change! Security concerns are valid, of course, but there needs to be both context and fairness: there are no absolutes.

It's important to weigh the likelihood of an attack (i.e. the value of the data to bad actors and the size of their motivation) against reasonable protection. This balance requires a fair and informed analysis: failure to apply common sense has held back so many promising projects and can result in a lack of agility in developing solutions.

Alternatives

When we address some of the concerns clients have when considering an online database, the alternatives are rarely held to the same standard. Ironically, a well-implemented, secure online database offers much greater security than an unencrypted, unlocked file on a personal laptop or shared drive on a corporate network.

No system is perfectly secure. There is a balance to be struck between practicality, cost and benefits on the one hand, versus risk and the attraction/value of the information on the other.

Knack is a very powerful online tool that addresses the key vulnerabilities of online systems and does a great job of protecting the information you need holding securely:

In short, Knack offers what many consider to be a reasonable level of protection in most use cases.

ASPECTS OF SECURITY:

  • Encryption (Manage Data)
  • Control Access (Manage People!)
  • Prevent Code Injections
  • IP Whitelist

1. Encryption (Data)

Data is vulnerable in two ways: (A) when it's stored and (B) when it's moved across the internet as it is added, updated and so on. These are termed Resting Data and In-Transit Data.

In Knack, resting data is stored with 128-bit encryption (scrambled), and the enforced HTTPS protocol ensures 128-bit encryption in transit. This means that even if anyone broke in or intercepted packets of data, all of the data is scrambled and meaningless. (That's bank-level security.)

Additionally, in the US the tool is certified to HIPAA standards (that's a US standard for the storage and exchange of healthcare data between providers). More information is here: https://www.knack.com/tour/security/ We have worked with databases for over 25 years and, in our opinion, this is the most secure system currently available… much more so than a computer at home or in the office, or an unencrypted, unlocked file on a company network.

2. Access Control (People !)

In reality, most security failures are social/human: someone sharing their password with a plausible stranger, e.g. 'this is tech support, I need to log in, can you give me your login…' etc. People are often said to be the cause of most database breaches.

This 128-bit encryption at rest and in transit is practically un-hackable… it would need the resources of a nation state to get even close to a 'brute force' breach. So the focus of 'bad actors' tends to be on circumventing the locked front door and gaining access via a password! Knack goes to sensible lengths to secure password usage:

  • Passwords have to comply with a secure standard: 8 characters, no common words, at least one number, one uppercase letter, one lowercase letter and one special character
  • Each page is subject to security rules and people can be given access to some areas but not others…
  • Users are automatically logged out after a variable interval - for example 30 minutes of inactivity. (Can be set to as little as 1 minute)
  • Passwords can be set to expire every 60 days
  • Users cannot use any of the last three passwords
  • After 3 failed logins, the user is locked out for 15 minutes. (Prevents fishing/guessing passwords)
  • Cookie Password method is industry best practice.
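The password rules in the list above can be expressed as a small policy check. This is an added example, not Knack's code or API: the `Account` class, `policy_violations` function and the common-word list are hypothetical, "8 characters" is read as a minimum, and "the last three passwords" is taken to include the current one.

```python
import hashlib, hmac, os, re
# Hypothetical sketch of the rules listed above; not Knack's implementation.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein"}  # constructed sample list
MAX_FAILURES, LOCKOUT_SECONDS, HISTORY_DEPTH = 3, 15 * 60, 3

def policy_violations(password):
    """Return the list of complexity rules the candidate password breaks."""
    rules = [
        (len(password) >= 8, "at least 8 characters"),
        (re.search(r"\d", password), "at least one number"),
        (re.search(r"[A-Z]", password), "at least one uppercase letter"),
        (re.search(r"[a-z]", password), "at least one lowercase letter"),
        (re.search(r"[^A-Za-z0-9]", password), "at least one special character"),
        (not any(w in password.lower() for w in COMMON_WORDS), "no common words"),
    ]
    return [msg for ok, msg in rules if not ok]

def _hash(password, salt):
    # Only salted hashes are kept, so the history never holds plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self):
        self.history = []  # (salt, hash) pairs, newest last
        self.failures, self.locked_until = 0, 0.0

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def set_password(self, password):
        problems = policy_violations(password)
        if any(self._matches(password, e) for e in self.history[-HISTORY_DEPTH:]):
            problems.append("must differ from the last three passwords")
        if not problems:
            salt = os.urandom(16)
            self.history.append((salt, _hash(password, salt)))
        return problems

    def login(self, password, now):
        if now < self.locked_until:          # locked: even a correct password is refused
            return "locked"
        if self.history and self._matches(password, self.history[-1]):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:    # third failure starts the 15-minute lockout
            self.locked_until, self.failures = now + LOCKOUT_SECONDS, 0
            return "locked"
        return "denied"
```

Because the lockout is checked before the password, guessing is limited to three attempts per 15 minutes regardless of whether a later guess is correct.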

3. Code Injection Attacks

Assuming access-based hack prevention has been successful, there is a final way of gaining access, and that is to insert code in an otherwise ordinary form…

This is a so-called 'script attack'. Prevention of script attacks means that the database can't be attacked using code injected as though it were data in a field. (This is always enabled on all of my systems.)

4. Further steps if required.

It is possible to allow access for a restricted range of IP addresses (computers, internet access points and devices, including routers, all have an IP address which uniquely identifies them). A whitelisted IP approach to access still requires a password, but means that only a designated IP address can be used to gain access to the login screen. This is relatively extreme and only used in highly managed use cases.

SUMMARY

  • The data is bank-level (128-bit) encrypted (scrambled): unless someone can log in, it's meaningless.
  • No-one can access the information unless they have a secure account created for them. (This is not the case with an unlocked spreadsheet, which could be accessed by anyone with access to that drive… or by a visitor to the office distracting the staff and taking the file…)
  • The log-in protocols are strictly managed to prevent carelessness, which is the cause of most 'hacks'.

Chris Bampton.

Chris Bampton is a business analyst with nearly 30 years' experience in designing, delivering and training tactical database solutions.

For a free 1:1 conversation to explore isoblue analyst services and Knack, please call us or email chris@isoblue.com