Makin a Efficient & Effective Database Application

[Sam]

Hello everyone,

Before I ask my questions, here is some crucial background information:

I'm creating a program that will be used within a security department in a prominent organization to document various reports relating to any incident they encounter.

The amount of reports within this department get large rather quickly. To put it lightly, the security department makes approximately fifty reports a day. Their previous database has approximately 30,000+ reports over a course of two years.

The program and database files will be saved on a shared network drive, which is located on a very expensive and powerful server. The program will run on a workstation.

Here are my questions:

1) I'm conflicted on what object would be best to use. ODBC, EasyXML, Array, INI, custom file structure?

2) The program needs to encrypt all the information for privacy reasons. The program also needs to search for previous records. If I encrypt the database how much will this slow down the search process if I encrypt the information?

Any input and help is really appreciated!

[raytrace]

1) For quick access you could use any of them but split chunks of records up into files. (i.e. days if each report contains lots of info)

2) You could use blowfish encryption to encrypt the files but for seaching keep an index file - an unencrypted file with the file name and address of each report + any other info you need.

[Sam]

[]1) For quick access you could use any of them but split chunks of records up into files. (i.e. days if each report contains lots of info)[/]

I'm already planning to do that. Most likely, I will have it in yearly chunks. Reason being is if the security department hasn't dealt with a person within a year, there is a small chance that they will be records of that person.

[]2) You could use blowfish encryption to encrypt the files but for seaching keep an index file - an unencrypted file with the file name and address of each report + any other info you need. [/]

I was thinking that, but the biggest ability I want to implement is the ability to search key words and phrases within every record. Unfortunately, the things I would searching for have to be encrypted.

For example, if I wanted to search for 'Joe Smith' and all the records associated to him, I would type in the name editbox 'Joe Smith'. Problem being, the name 'Joe Smith' would have to be encrypted in his file for privacy reasons.

So I would have to decrypt each file and then search within the file for whatever is wanted, correct?

How much would this slow down the search process?

That is the problem I'm running into... Do anyone understand what I'm having trouble with?

[joewski]

1) I'm conflicted on what object would be best to use. ODBC, EasyXML, Array, INI, custom file structure?

Probably MySQL with the SQLDB Object or even ODBC. XML is also a possibility.

Array, INI(ini files are limited in size) and Custom file structures are out.
Once you get above 15,000 records you get memory and speed issues.

2) The program needs to encrypt all the information for privacy reasons. The program also needs to search for previous records. If I encrypt the database how much will this slow down the search process if I encrypt the information?

You don't need to encrypt the database, let the server worry about security.

You do need to encrypt your enquires to the database however and possibly the information returned.

Some hints and ideas to secure your information.
*If this is security stuff you will probably also need to keep a log file of files accessed.
*In the old forum from memory there was a way to prevent screen dumps, look for that example and use it.
*Be careful of edit boxes where you can use ctl-C.
*Files that are edited in word, you can use activeX to gain finer control. Again to disable the ability to edit. PDF are an option as well.

Other issues you need to consider is what a person has access to.. You may want to have it so yes your search exists but you must get supervisors password to proceed to records.

You can make it as simple or as complicated as you like.

[droberson]

You need to start off by defining what needs to be protected and to what degree. 30,000 records is really not the large. However, since the is a database with sensitive information who and who not should have access, what legal laws need to be followed, and levels of exposure (risk) need to be considered.

You need to determine what security at the workstation, across the wires, and at the server is needed. For example, if this is personal data or data that maintains any employee information, financial, or medical be careful. There are very specific laws that must be considered or YOU can be sued if it is stolen or accessed.

For example, what if data is payrole, financial or medical in nature, I would encourge that you consider full encription at all levels. Consider security at the ISO levels. You do not want someone in Information Technology being able to access the database and get access to soc. security information or health information? What if the server is stolen? What if someone uses a network monitor, what if spyware or keyloggers are placed on the systems?
Get the idea??? How is a transaction to the requested, by who, approved by who, logged for audit, and monitored for hacking.

Do you need to ensure that an audit log is maintained for viewing and printing of the information? What about limiting the usage of USB drives to get on the workstation and download the data? 30,000 records does not take up that much space. What about screen printing of the information?

So you may want to create an encripted drive to hold the database. You could encripted the database on the encripted drive. You could use a Linux or Windows Server and their security tools. You could use SSH or other encription for transport of the data across unsecure networks lines. You could uncrypt the information only in memory at the PC but you need to ensure spoofing of the IP address is not being done. Well on and on.

You need to have the company sign off so YOU are not held accountable if the information gets out. Remember the controls are for YOUR and the companies protection.

How about using a thin client approach? Hopes this gives you some ideas to think about.

[Sam]

There are no laws concerning what I'm doing, so it's in the clear. The reason being, there is no medical or financial records stored within these files.

I'm not going to think about making a new dedicated server, because I know there is no way this organization will allow it.

I've already thought about disabling the ability to print and using the printscreen button. I'm already implementing it. The program will have level access.

I can't really limit USB devices, burning CD's, or saving to floppies, so I'm not going to consider it.

A log would be a good idea to implement, but I think it will be in the future.

[droberson]

OK, Then here are some questions to think about.

1. What platform will the server be? Windows, Linux, Unix???
2. Will you need to send or received data from other preexisting systems? Like a AS400 application or HR system.
3. Will you need to format reports just for a PC or will handheld units or other system be needed? If so XML???
4. What about user training and technical training. For example if you use MySQL will you need to train the technical staff on how to maintain it?
5. Will you need to relie on someone else to maintain the server in order for the application to work? Do they like you and are they willing to cooperate with you?

[Sam]

[]1. What platform will the server be? Windows, Linux, Unix???[/]
I don't know the what operating system it is, but the software will be installed on the workstation and the database on the server. It's very similar to Novell Workgroup.

[]2. Will you need to send or received data from other preexisting systems? Like a AS400 application or HR system.[/]
No, this is a specific application on documenting everything from people tresspassing to employee theft directly affecting the security department within this organization. By their own policy, they cannot have access to HR or any other department applications

[]3. Will you need to format reports just for a PC or will handheld units or other system be needed? If so XML???[/]
It shouldn't matter, because they don't use PDA's to begin with. I thought of using XML but it has become quite the pain to use do to the limited examples and documentation.

[]4. What about user training and technical training. For example if you use MySQL will you need to train the technical staff on how to maintain it?[/]
When I mentioned I would provide training on how to use the software they were sold. I have an administration tool I have to train the supervisors on how to use.

[]5. Will you need to relie on someone else to maintain the server in order for the application to work?[/]
I don't know what you mean by this. Its a shared network drive, there really isn't anything to maintain when it comes to files. On top of that, the organization has a rather large IT department, so I think they can handle it.

[]Do they like you and are they willing to cooperate with you? [/]
They are more than willing to work with me, and why wouldn't they like me? lol