I am concerned that an Access 2007 db is not secure enough and that you
should use MySQL or Oracle. Is this true and why?

Billiam wrote:
> I am concerned that an Access 2007 db is not secure enough and that
> you should use MySQL or Oracle. Is this true and why?

If you are concerned about securing a file-based system like Access/Jet from
*non-users* then you protect it with network security, not Access security.
If you are worried about securing data from *users* of the file then yes,
you are better of with a server database engine. No file-based system will
be as secure as a server-based system.

--
Rick Brandt, Microsoft Access MVP
Email (as appropriate) to...
RBrandt at Hunter dot com

Access 2007 uses Windows Security. Is Windows Security secure
enough for you? If not, you should not use Windows.

Windows Security does not give you record-level security. Do you
need record-level security? i.e. some people can see some data,
other people only see other data? If you need record-level security,
you need an additional record-level security system.

The record-level security system in MDB files is very old, does
not use Windows Security, and is not secure. If you need secure
record-level security, you should use MS SQL Server (or MySQL
or Oracle, but only if you already use those systems) with Access.

The role-based security system in Access is also very old,
does not use Windows Security, and is not secure. If you need
secure role-based security, you should not use Access. You
should use C++ or C# or VB.net, so that a connection can
be associated with certificate. If you use Access, there is no
secure way to prevent a user from using Excel to do anything
that the same user can do in Access.

Access is just as secure as your corporate server is. It does not
make your corporate server less secure. It does not add any
new security features to your corporate server.

If you need new features, you need to add a new service that has
the new features. Adding a new service, or a new server, is
automatically less secure. Adding a new Oracle or MySQL server
will give you a new security weakness, will not make you more
secure, but will give you new things you can do.

If you need to securely do things that Access cannot securely do,
you need to a new service to do those things. It is not about if
Access/Windows is secure enough: Windows 3.1 was not secure.
Windows 98 was not secure. Windows Server 2003 is secure if
you secure it.

Word doc files on your corporate server are secure enough if
properly secured, but may not have all the database features
you want. Email files on your corporate server are secure enough
if properly secured, but may not have all the database features
you want. XLS files on your corporate server are secure enough
if properly secured, but may not have all the database features
you want. MDB files on your corporate server are secure enough
if secured properly, but may not have all the database features
you want. MSACCESS.exe on your workstation using Oracle
is secure enough if properly secured, but may not have all the
database features you want.

In particular, secure record-level access control is not available
with MDB files: (insecure record-level access control is available),
and secure role-based access is not available with MSACCESS
(insecure role-based access control is available). Secure table-
level access control is difficult to implement, and would also be
a reason for choosing Access with MySQL/Oracle/SQL Server
instead of Access with MDB.

(david)



"Billiam" <(E-Mail Removed)> wrote in message
news:60C6503D-8E42-4232-A34E-(E-Mail Removed)...
>I am concerned that an Access 2007 db is not secure enough and that you
> should use MySQL or Oracle. Is this true and why?

Thanks for your great reply, David. If I understand you correctly, our access
2007 data should be okay on a properly secured microsoft Small business
server network from *non-users*--from the internet, for example. We are not
concerned about our very small group of users (although I am sure many think
this is foolish!).


Billiam

"david" wrote:

> Access 2007 uses Windows Security. Is Windows Security secure
> enough for you? If not, you should not use Windows.
>
> Windows Security does not give you record-level security. Do you
> need record-level security? i.e. some people can see some data,
> other people only see other data? If you need record-level security,
> you need an additional record-level security system.
>
> The record-level security system in MDB files is very old, does
> not use Windows Security, and is not secure. If you need secure
> record-level security, you should use MS SQL Server (or MySQL
> or Oracle, but only if you already use those systems) with Access.
>
> The role-based security system in Access is also very old,
> does not use Windows Security, and is not secure. If you need
> secure role-based security, you should not use Access. You
> should use C++ or C# or VB.net, so that a connection can
> be associated with certificate. If you use Access, there is no
> secure way to prevent a user from using Excel to do anything
> that the same user can do in Access.
>
> Access is just as secure as your corporate server is. It does not
> make your corporate server less secure. It does not add any
> new security features to your corporate server.
>
> If you need new features, you need to add a new service that has
> the new features. Adding a new service, or a new server, is
> automatically less secure. Adding a new Oracle or MySQL server
> will give you a new security weakness, will not make you more
> secure, but will give you new things you can do.
>
> If you need to securely do things that Access cannot securely do,
> you need to a new service to do those things. It is not about if
> Access/Windows is secure enough: Windows 3.1 was not secure.
> Windows 98 was not secure. Windows Server 2003 is secure if
> you secure it.
>
> Word doc files on your corporate server are secure enough if
> properly secured, but may not have all the database features
> you want. Email files on your corporate server are secure enough
> if properly secured, but may not have all the database features
> you want. XLS files on your corporate server are secure enough
> if properly secured, but may not have all the database features
> you want. MDB files on your corporate server are secure enough
> if secured properly, but may not have all the database features
> you want. MSACCESS.exe on your workstation using Oracle
> is secure enough if properly secured, but may not have all the
> database features you want.
>
> In particular, secure record-level access control is not available
> with MDB files: (insecure record-level access control is available),
> and secure role-based access is not available with MSACCESS
> (insecure role-based access control is available). Secure table-
> level access control is difficult to implement, and would also be
> a reason for choosing Access with MySQL/Oracle/SQL Server
> instead of Access with MDB.
>
> (david)
>
>
>
> "Billiam" <(E-Mail Removed)> wrote in message
> news:60C6503D-8E42-4232-A34E-(E-Mail Removed)...
> >I am concerned that an Access 2007 db is not secure enough and that you
> > should use MySQL or Oracle. Is this true and why?
>
>
>

I agree. Committing anything to paper - or to computer - is always
a security risk, but if your Oracle Server is more secure than your
File Server, you've got something set up wrong.

(david)

"Billiam" <(E-Mail Removed)> wrote in message
news43B622E-8FAE-451A-92A6-(E-Mail Removed)...
> Thanks for your great reply, David. If I understand you correctly, our
> access
> 2007 data should be okay on a properly secured microsoft Small business
> server network from *non-users*--from the internet, for example. We are
> not
> concerned about our very small group of users (although I am sure many
> think
> this is foolish!).
>
>
> Billiam
>
> "david" wrote:
>
>> Access 2007 uses Windows Security. Is Windows Security secure
>> enough for you? If not, you should not use Windows.
>>
>> Windows Security does not give you record-level security. Do you
>> need record-level security? i.e. some people can see some data,
>> other people only see other data? If you need record-level security,
>> you need an additional record-level security system.
>>
>> The record-level security system in MDB files is very old, does
>> not use Windows Security, and is not secure. If you need secure
>> record-level security, you should use MS SQL Server (or MySQL
>> or Oracle, but only if you already use those systems) with Access.
>>
>> The role-based security system in Access is also very old,
>> does not use Windows Security, and is not secure. If you need
>> secure role-based security, you should not use Access. You
>> should use C++ or C# or VB.net, so that a connection can
>> be associated with certificate. If you use Access, there is no
>> secure way to prevent a user from using Excel to do anything
>> that the same user can do in Access.
>>
>> Access is just as secure as your corporate server is. It does not
>> make your corporate server less secure. It does not add any
>> new security features to your corporate server.
>>
>> If you need new features, you need to add a new service that has
>> the new features. Adding a new service, or a new server, is
>> automatically less secure. Adding a new Oracle or MySQL server
>> will give you a new security weakness, will not make you more
>> secure, but will give you new things you can do.
>>
>> If you need to securely do things that Access cannot securely do,
>> you need to a new service to do those things. It is not about if
>> Access/Windows is secure enough: Windows 3.1 was not secure.
>> Windows 98 was not secure. Windows Server 2003 is secure if
>> you secure it.
>>
>> Word doc files on your corporate server are secure enough if
>> properly secured, but may not have all the database features
>> you want. Email files on your corporate server are secure enough
>> if properly secured, but may not have all the database features
>> you want. XLS files on your corporate server are secure enough
>> if properly secured, but may not have all the database features
>> you want. MDB files on your corporate server are secure enough
>> if secured properly, but may not have all the database features
>> you want. MSACCESS.exe on your workstation using Oracle
>> is secure enough if properly secured, but may not have all the
>> database features you want.
>>
>> In particular, secure record-level access control is not available
>> with MDB files: (insecure record-level access control is available),
>> and secure role-based access is not available with MSACCESS
>> (insecure role-based access control is available). Secure table-
>> level access control is difficult to implement, and would also be
>> a reason for choosing Access with MySQL/Oracle/SQL Server
>> instead of Access with MDB.
>>
>> (david)
>>
>>
>>
>> "Billiam" <(E-Mail Removed)> wrote in message
>> news:60C6503D-8E42-4232-A34E-(E-Mail Removed)...
>> >I am concerned that an Access 2007 db is not secure enough and that you
>> > should use MySQL or Oracle. Is this true and why?
>>
>>
>>