Devolutions ForumDevolutions Forum

About Security whn using Azure SQL Database

About Security whn using Azure SQL Database

avatar
rodrigoribeiro

Hi,

I have question about security of data on RDM when using Azure SQL Database.

How RDM prevent data of other users (in user vault, for example) to be queirs and decrypted if my users can access SQL database tables directly?
I known that RDM use security passphrase, but if all my users knowns the phrase, then it is able to decrypt any entry if it access database directly, right?

If no, can you provide mais details about how RDM works to prevent this?

All Comments (3)

avatar
Stéfane Lavergne

Once users have access to the underlying database, protecting the data from malicious manipulation becomes difficult. RDM has a few options/features that can be used/configured to reduce/eliminate the scope of possible manipulations.

RDM + Devolutions Server (DVLS), this is the most secure option. Since RDM accesses the data via the DVLS API users don't have access to the database.

or

Use custom authentication in RDM. With custom authentication, you use a user for the database access and the custom user for the authentication. Users don't have access to the database.

Also note we will be enhancing vault security with the addition of per vault (shared or user) security provider in the v2021.2 release of RDM (late Q2 to early Q3 2021).

Best regards,

Stéfane Lavergne

avatar
rodrigoribeiro

Hi. Thanks answer.

Talking about security of custom authentication:

  1. I understand that I need provide a fixed databse connection credentials to my users, right?
  2. If 1 is right, then, I have only 2 options for this:
    1. store in rdd file and share it
    2. or type whenever a share with a new user.




For option 2.a, how rdm encrypts data in rdd file? It uses a fixed built-in set of keys?

And more one point about security specific with sql server: there are a feature on sql server called ownership chaining. Basically, this allows an user runs stored procedures (since it have execute permissions on the proc) and access tables that it don't have permission. Basically user can call a proc p1 that access table t1, same if user don't have select on the. If user logs into directly on database , it cannot select direct on to, just runs procedures.

We have some chance to see this implemented in Rdm for sql data source?

avatar
Stéfane Lavergne

1 - Correct
2 - You can also use our custom installer service, it will pre-package your data source configuration within the RDM installer. The new user will only need to set their username & password.

2.a - correct

At this time, there is nothing in the pipeline to implement security via stored procedures/views using ownership chaining.

Best regards,

Stéfane Lavergne