
Suppose the following scenario:

1- A web app (on WEBSERVER1) and its database (on DBMS1) holding very sensitive information, deployed on the same physical server (let's say that for simplification). Users interact with the web app under the umbrella of special security measures; these security measures take into consideration the fact that the web app users are few persons and that those persons have a special network location with respect to where DBMS1 and WEBSERVER1 are. I say this to state that some of the applied security measures (applied to protect the data in DBMS1 and access to WEBSERVER1) can only be applied to the users that meet these conditions; let's call this set of users USERS1.

2- Other users and applications (through API exposure) need to access data (CRUD) in DBMS1 too (let's call them USERS2), but we can't apply the same security measures to USERS2 that we applied to USERS1, due to their physical location, the number of users and our control over them. Besides, it is very important that authorization be enforced on USERS2; I mean, USERS2 can only access the data in DBMS1 they were authorized to access.

One colleague suggests increasing security by having a different DBMS2 and a different WEBSERVER2 deployed, isolated from the main DBMS1 and WEBSERVER1, to allow USERS2 CRUD on data. As far as I can see, this implies having a mechanism to synchronize data from one DBMS to the other. Firewall and credentials could be set up in a way that even if the DBMS2 server gets compromised the intruder can't violate authorization policies and write data to DBMS1. To achieve this there must be a map between USERS2 authorization settings (specified in DBMS1) and the data replicated/synchronized between DBMS1 and DBMS2, and the data replication process must be initiated from the DBMS1 server group, with the DBMS1 server holding the credentials to access DBMS2 while the DBMS2 server knows nothing about how to access DBMS1.

I think that the value of this kind of architecture consists in having isolated and contained whatever exploitable security hole USERS2 could find in the deployment of the DBMS and the WEBSERVER2 they are interacting with.

I just want to note that USERS2 credential protection and security measure compliance is outside the domain of the organization that manages DBMS1.

My questions are:

Does something written about this kind of architecture exist? What about tools/procedures to automate the process of DBMS2 creation and modification depending on authorization policies?

I would appreciate any help or orientation, and criticism of this architecture.

I'm including a diagram to support the explanation; arrow direction only matters with regard to who initiates the communication... I know, I know, the graphic is terrible, but I hope it adds some information.

EDIT: The parallel of this DBMS-Web_Server architecture with a dual-firewall DMZ is evident.
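A runnable sketch of the one-way, policy-driven replication described in the question, added here as an example (it is not the asker's code and not any real replication tool). DBMS1 and DBMS2 are two separate SQLite databases; the authorization mapping for USERS2 lives only in DBMS1; both the push of data into DBMS2 and the pull of USERS2 edits back into DBMS1 are initiated from the DBMS1 side, which re-checks every queued edit against its own policy, so a compromised DBMS2 can forge queue entries but cannot make DBMS1 accept a change outside the policy. The table names, the `users2_grants` mapping and the sample rows are constructed assumptions.

```python
import sqlite3


def build_dbms1():
    """DBMS1: all data plus the USERS2 authorization policy (constructed sample)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records(id INTEGER PRIMARY KEY, owner_dept TEXT, payload TEXT);
        -- which USERS2 account may see/edit which department's rows
        CREATE TABLE users2_grants(username TEXT, owner_dept TEXT);
        INSERT INTO records VALUES
          (1, 'finance', 'Q3 salaries'), (2, 'sales', 'price list'),
          (3, 'sales', 'lead list'),     (4, 'hr', 'dismissals');
        INSERT INTO users2_grants VALUES ('partner_a', 'sales'), ('partner_b', 'hr');
    """)
    return db


def build_dbms2():
    """DBMS2: the isolated copy USERS2 work against. It holds no policy source
    of its own and no credentials for DBMS1; edits are only queued here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records(id INTEGER PRIMARY KEY, owner_dept TEXT, payload TEXT);
        CREATE TABLE record_acl(username TEXT, record_id INTEGER,
                                PRIMARY KEY(username, record_id));
        CREATE TABLE pending_changes(seq INTEGER PRIMARY KEY, username TEXT,
                                     record_id INTEGER, new_payload TEXT);
    """)
    return db


# In a real deployment the two functions below run on the DBMS1 side only:
# that process is the only one holding a handle to both databases.

def replicate(dbms1, dbms2):
    """Push job initiated from DBMS1: copy only rows some USERS2 account is
    authorized for, drop rows whose authorization was withdrawn, and rebuild
    the per-user ACL on DBMS2 from the DBMS1 policy. Returns rows pushed."""
    rows = dbms1.execute("""
        SELECT DISTINCT r.id, r.owner_dept, r.payload
        FROM records r JOIN users2_grants g ON g.owner_dept = r.owner_dept
    """).fetchall()
    acl = dbms1.execute("""
        SELECT g.username, r.id
        FROM records r JOIN users2_grants g ON g.owner_dept = r.owner_dept
    """).fetchall()
    authorized_ids = {r[0] for r in rows}
    with dbms2:
        existing = {r[0] for r in dbms2.execute("SELECT id FROM records")}
        for stale in existing - authorized_ids:       # revoked since last sync
            dbms2.execute("DELETE FROM records WHERE id = ?", (stale,))
        dbms2.execute("DELETE FROM record_acl")
        dbms2.executemany("INSERT OR REPLACE INTO records VALUES (?, ?, ?)", rows)
        dbms2.executemany("INSERT INTO record_acl VALUES (?, ?)", acl)
    return len(rows)


def pull_writes(dbms1, dbms2):
    """Write-back also initiated from DBMS1: fetch the edits USERS2 queued on
    DBMS2 and apply only those the DBMS1 policy allows for that user.
    Returns (applied, rejected)."""
    queued = dbms2.execute(
        "SELECT seq, username, record_id, new_payload FROM pending_changes ORDER BY seq"
    ).fetchall()
    applied = rejected = 0
    with dbms1:
        for _seq, user, rid, payload in queued:
            allowed = dbms1.execute("""
                SELECT 1 FROM records r JOIN users2_grants g ON g.owner_dept = r.owner_dept
                WHERE r.id = ? AND g.username = ?
            """, (rid, user)).fetchone()
            if allowed:
                dbms1.execute("UPDATE records SET payload = ? WHERE id = ?", (payload, rid))
                applied += 1
            else:
                rejected += 1                         # forged or out-of-policy edit
    with dbms2:
        dbms2.execute("DELETE FROM pending_changes")
    return applied, rejected


def visible_to(dbms2, username):
    """What a USERS2 account can read on DBMS2, ordered by record id."""
    return [r[0] for r in dbms2.execute("""
        SELECT r.payload FROM records r JOIN record_acl a ON a.record_id = r.id
        WHERE a.username = ? ORDER BY r.id
    """, (username,))]


if __name__ == "__main__":
    d1, d2 = build_dbms1(), build_dbms2()
    print("pushed:", replicate(d1, d2))               # 3 rows; finance never leaves DBMS1
    print("partner_a sees:", visible_to(d2, "partner_a"))
    d2.execute("INSERT INTO pending_changes(username, record_id, new_payload) "
               "VALUES ('partner_a', 1, 'tampered')")  # forged edit against finance row
    d2.commit()
    print("applied/rejected:", pull_writes(d1, d2))   # (0, 1)
```

Revoking a grant in DBMS1 and re-running `replicate` is what the question calls "modification of DBMS2 depending on authorization policies": the rows and ACL entries disappear from DBMS2 on the next push without DBMS2 ever being trusted to decide anything itself.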

  • `lets said that for simplification` This is a confusing statement. Is the database on your web server or not? This is a very important piece of the equation... – Abe Miessler Oct 10 '13 at 20:08
  • @AbeMiessler Thanks for your reply. Whether the database is on my web server or not is not important; that is just a deployment decision that does not affect communication directions and does not impose an extra barrier in the security architecture I'm talking about. Of course a database server deployed on another physical server brings some extra protection, but if the web server is seriously compromised, in most scenarios the database will be too. –  Oct 11 '13 at 12:59

1 Answer


I am having a hard time understanding your question, but let me attempt an answer. It sounds like you have two groups of users:

  • Internal Web App Users
  • External API users

It also sounds like these users need different levels of access to the same database.

If the above is true then I would suggest the following structure:

  • Web server hosting the web app and the API. Accessible to the outside world, with the web app restricted to certain people.
  • Database server that is only accessible by the web server. Internal users, external users etc cannot access directly. Everything must flow through the web server.

In the database being accessed, set up two schemas:

  • everyone
  • internal

So now your database might have 4 tables that look like this:

internal.SuperSecretTable
internal.DarkCompanySecrets
external.WhoCares
external.HaveAtIt

There are also two user roles:

  • employee
  • apiUser

The employee role would have access to both the internal and external schemas, while the apiUser role would only have access to the external schema. Give these roles the bare minimum permissions they need in order to function.

Hope this helps!

Abe Miessler
  • "I am having a hard time understanding your question" I know that maybe my English is not good and that what I want to express is not trivial; anyway, please don't hesitate to ask for clarification about whatever part of the question you don't understand. Yes, I have two types of users, but not classified as you said, rather as I said. USERS2 could access the data through a web server too; the only differences between USERS1 and USERS2 are the level of trust and the positions in the network each group has. Follows in another comment... –  Oct 11 '13 at 13:22
  • Another characteristic that differs between USERS1 and USERS2 is the number of users that belong to each group. In summary, USERS1 and USERS2 are different in several ways, but regarding what we are talking about, what matters is the fact that the security measures I can apply to one group differ from the other, and the level of trust. USERS1 are more trusted than USERS2. –  Oct 11 '13 at 13:30
  • About "It also sounds like these users need different levels of access to the same database.": that is not true. What I need is different levels of access to the same data, and one way to enforce such different levels of access that I'm proposing is to isolate data deployed in different servers, as a way to avoid data leaks in case USERS2 compromise the web server or the DBMS backing that web server. I'm not talking about database configuration or about how to implement RBAC; I'm talking about an architecture that helps me avoid data leaks in scenarios where a server is hacked. Thanks again for your help. –  Oct 11 '13 at 13:35
  • I edited the question and added an image; I hope that clarifies it a bit. –  Oct 11 '13 at 14:45