Does insert only db access offer any additional security

Question

There are concerns that if our public facing web nodes are compromised, an attacker will gain access to all our data. It just so happens that data entered from outside users only needs to be ever accessed by internal users.

Does it offer any additional security, if we only give web nodes insert access, and only allow read/write access from internal facing nodes?

A related idea would be to use messaging to pass the write message from the web node to the internal node which would handle all DB modification.

My gut tells me these would both mitigate data leakage on a web node breach. Is there anything I'm overlooking?

Answer 1

The short answer is "Yes", it does offer some additional security as you make it more difficult for an attacker to gain the information these outside users are entering.

The long answer is that a focused attacker could:

1. use the compromised web nodes to hijack your outside users towards his server or inject malware, likely with little difference to be noted in the web interface as he has access to your page sources
2. use the compromised web nodes to capture future data that is entered by outside users and forward this data to his servers for capture, thereby over time replicating parts of your database
3. traverse from the web node to the internal network over time, for example through new security holes found in the database interface or any other interface you expose to the web nodes

Answer 2

Absolutely! However, the terminology would be an insert-only user. You would still use the same DB.

Most database servers have a concept of access control internally, which is independent of the OS access control.

Basically, the insert only user would only have INSERT privilege, and then only for the particular tables it should insert into.

This would limit the scope of SQLi attacks quite a bit.

See: What are the security benefits to a separate user database?